Reporting: Manage Lists, Rules or Reports

Document created by RSA Information Design and Development on Sep 14, 2017Last modified by RSA Information Design and Development on Oct 15, 2017
Version 9Show Document
  • View in full screen mode

You can set access control, delete, edit, import, or export a list, rule or report.

Manage a List

  

Access Control for a List and List Group

You can set up the access permissions for the user roles to manage lists or list groups. The Reporting provides access control at the list and list group level. Only a user who has the right set of permissions can perform the tasks in the Reporting. The access control is managed by the administrator from the ADMIN > Security > Roles tab.

As an administrator you must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

Lists or list groups can be assigned to a specific set of user roles. When users log into NetWitness Suite, they can access only those lists to which they belong. Users who belong to a user role with the Read & Write access permission have full access rights on the lists. Further, the access can be strengthened so that lists are accessed only by those who have the Read Only access.

Note: You must have Read Only permission for a list group to view the lists within that group.

For example, if you want Security Analysts to have access to all the lists in a list group, you can set the permission Read & Write at the list group level. And, if you do not want the Operator role to have access to a specific set of lists in a list group, you can set the permission No Access at the list group level.

At the list or list group level, you can set the following access permissions for the user roles in NetWitness Suite. For more information, see List View:

  • Read & Write
  • Read Only
  • No Access

List Permission Dialog 

The following table lists the columns in the Lists Permissions panel:

                         
ColumnDescription
RolesDescribes roles of the users logged into the NetWitness Suite user interface.
Read & WriteAllows users to access, view, edit, delete, import, and export lists on the Lists view. Users can also change the permission on the rule.
Read OnlyAllows users to only access and view the list on the lists view.
No AccessDoesn't allow users to access or view the lists.

Access Control for a List

To change the list permissions, you must select a list and set access permissions using the List Permissions panel.

If you want to change the access permission for a specific user role, you must set it at the list level. Except for administrators, the default permission set for all the other user roles is No Access before applying job permissions.

Access Control Multiple Lists

You can select multiple lists at once and set access permissions using the Lists Permissions Panel. The access permission that you choose is applied to all the selected lists.

Note: The * beside the role name indicates that other permissions are available for the user role. If you want to change the access permission for the required user role, select the user role and change the access permission.

Multiple List Permission 

Note: If a user (other than ADMIN) creates a list, ADMIN cannot access that list.

Access Control for a List Group

To change the list group permissions, you must select a list group and set access permissions using the Lists Permissions panel.

If you want to change the access permission for a specific user role, you must set it at the list group level. Except for administrators, the default permission set for all the other user roles is No Access before applying job permissions.

You can also apply permissions to subgroups and lists in the group by selecting the checkbox.

List Group Permission 

The following scenarios describe defining permissions for list groups or subgroups and lists in the groups:

  • Scenario 1: Permissions applied to list group or subgroup based on the user role.

    Each of the levels will have a permission set depending on the user role. For example, if a list group is assigned the role of Security Analyst, permissions are set to Read & Write for the list group.

  • Scenario 2: Permissions applied to subgroups and lists in the group.

    The access permissions that you set can be applied to subgroups and child objects of this group. Permission at the list group level will be inherited by the subgroups and lists in the group.

                               
Role (Analysts)Permissions applied to list group or subgroup based on the user rolePermissions applied to subgroup and lists in the group
Group Read & WriteRead & Write
SubgroupReadRead & Write - Inherited
ListsReadRead & Write - Inherited
  

Access permission for a list or list group

Ensure that you have at least Read & Write access permission so that you can set access permissions for lists or list groups.

To set access permission for a list, perform the following:

  1. Select MONITOR > Reports.

    The Manage tab is displayed.

  2. Click Lists.
    The List view is displayed.

    List View

  3. In the List View panel, select a list.
  4. Click Actions drop-down menu  > Permissions in the List toolbar.
    The List Permissions dialog is displayed.

    List Permissions dialog

  5. Select the appropriate access permission for each of the user roles and click Save.

    A confirmation message that the permission is successfully set for the selected list is displayed.

To set access control for a list group, perform the following:

  1. Select MONITOR > Reports.

    The Manage tab is displayed.

  2. Click Lists.
    The List view is displayed.
    List View

  3. In the List Groups panel, select a list group.
  4. Click  Actions drop-down menuPermissions.
    The List Permissions dialog is displayed.

     List Permissions dialog

  5. (Optional) Select the appropriate checkbox to apply these permissions to subgroups and child objects of this group. 
  6. Click Save.

    A confirmation message that the permission is successfully set for the selected list group is displayed.

Edit a List

To edit a list, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
     List View
  3. In the List View panel, select a list that you want to edit and do one of the following.
    • Click Edit button  in the List toolbar.
    • In the List View panel, click Actions drop-down menu > Edit.

    Note: You can only edit one list at a time.

  4. Modify the required fields and add new values to the list.
  5. Click Save.
    A confirmation message that the list is saved successfully is displayed.

Delete a List or List Group

To delete a list, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
    List View
  3. In the List View panel, do one of the following:
    • Select a list or multiple lists that you want to delete and click Delete button in the Lists toolbar.
    • In the Actions column, click Actions drop-down menu > Delete.
      A confirmation dialog is displayed.
      Delete List confirmation dialog

Note: Before you delete a list, make sure that the list is not associated with any rule.

  1. Click Yes to delete the list.
    A confirmation message that the list is deleted is displayed and the selected list is deleted from the List View panel.

To delete a list group, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
    List View
  3. In the List Groups panel, select the group and click Delete button.
    A confirmation dialog is displayed.
    Delete Selected group confirmation dialog

Caution: If you delete a group, all subgroups and lists in that group are deleted.

  1. Click Yes to delete the selected group.

Note: If you try to delete a list group that has lists referenced in a rule or an alert, a warning message that Lists are referenced in a rule is displayed.

Duplicate a List

To duplicate a list, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
    List View
  3. In the List View panel, select a list that you want to duplicate.

Note: You can only duplicate one list at a time.

  1. In the List toolbar, click Duplicate button.

Export a List or List Group

To export a list, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
    List View
  3. In the List View panel, do one of the following:
    • Select a list and click Actions drop-down menu > Export in the List toolbar.
    • In Actions column, click Actions drop-down menuExport
    You can export multiple lists at a time. To select multiple lists, select the checkbox of the lists to be exported. A browser-specific export dialog may be displayed allowing you to open or save the file.

Note: You can export only one list at a time.

To export a list group, perform the following:

You can export selected list groups to an external file that can be later imported to NetWitness Suite. If nothing is selected in the List Library panel, the entire list tree is exported. When you export, the result is a single export file in binary format.

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
    List View
  3. In the List Groups panel, select the list group containing the lists which you want to export.
  4. Click  Actions drop-down menu > Export.
    You can export multiple list groups at a time. To select multiple list groups, press and hold the CTRL button and select the list groups to be exported. The exported file is saved to the local drive.

Import a List or List Group

To import a list, perform the following:

You can import lists from instances of NetWitness Suite into the list tree in the List View panel. Lists must be in a valid binary file exported from a NetWitness Suite instance.

  1. Select MONITORReports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
    List View
  3. In the List toolbar, click Actions drop-down menuImport.
    The Import List dialog box is displayed. You can import multiple lists at a time. To select multiple lists, press and hold the CTRL button and select the lists to be imported.
  4. Click Browse and select archived file containing the lists.
    Import List dialog
  5. Click Import.

Note: During the import process, if a duplicate list exists and you do not select the overwrite option, the list is imported and no message about duplicate lists is displayed.

To import a list group, perform the following:

You can import list groups from instances of NetWitness Suite into the list tree in the List Groups panel. Lists must be in a valid binary file exported from a NetWitness Suite instance.

  1. Select MONITOR> Reports.
    The Manage tab is displayed.
  2. Click Lists.
    The List view is displayed.
    List View
  3. In the List Groups panel, click  Actions drop-down menu > Import.
    The Import List dialog box is displayed.
  4. Click Browse and select archived file containing the list groups.
    Import List Dialog
    You can import multiple list groups at a time. To select multiple list groups, press and hold the CTRL button and select the list groups to be imported.
  5. Click Import.

Note: During the import process, if a duplicate list group exists and you do not select the overwrite option, the list group is imported and no message about duplicate list group is displayed.

Manage a Rule

  

Access Control for a Rule and Rule Group

To set access permissions the user will have depending on the user role to manage a rule or rule group. The Reporting provides access control at the rule and rule group level. Only a user who has the right set of permissions can perform the tasks in the Reporting. The access control is managed by the administrator from the ADMIN > Security > Roles tab.

When creating users and user roles, the administrator must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

Rules or Rule Groups can be tied to a specific set of user roles so that when a user logs into NetWitness Suite, the only rules they can access are rules accessible to the group to which the user belongs. Users that belong to a user role with the ‘Read & Write’ access permission have full access rights on the rule. Further, the access can be tightened so that rules are accessed only by those who have the ‘Read Only’ access.

Note: You must at least have ‘Read Only’ permission on a group to view the rules within that group.

At the rule level, you can set the following access permissions for the user roles:

  • Read & Write
  • Read Only
  • No Access

Suppose, you want the Security Analysts to have access to all the rules in a Rule Group, you can set the permission 'Read & Write' at the Rule Group level. And, if you do not want the Operator role to have access to a specific set of rules in a rule group, you can set the permission 'No Access' at the Rule Group level. The permission is set only for the rule group but not the rules or subgroups in the Rule Group.

Access Control for a Rule Group

When you want to change the rule group permissions, you must select a rule group and set access permissions using the Rule Permissions panel.

Before applying rule group permissions, the default permission set for all the user roles is 'No Access' permission, and the checkboxes are deselected. 

Rule Permission Dialog 

If you want to change the access permission for a specific user role, you must set these at the rule group level, as shown in the figure. Suppose, you want the Administrators to have access to all the rules in a Rule Group, you can set the permission 'Read & Write' in the Rule Group Permissions panel.

set permission in the rule permission 

You can also apply permissions to subgroups and rules in the group by selecting the checkbox.

The two scenarios are explained in brief:

  • Scenario 1: Permissions applied to Rule Group/ Sub Group/ Rules based on the user role.
  • Scenario 2: Permissions applied to Sub Group and Rules in the Group.
                       
Role (Analysts) Permissions applied to Rule Group/ Sub Group/ Rules based on the user role Permissions applied to Sub group and Rules in the Group
Group  Read & Write Read & Write
Sub Group Read Read & Write - Inherited
Rules Read Read & Write - Inherited

The access permissions that you set can be applied to subgroups and child objects of this group. 

The Rule Group will be assigned the role of a Security Analyst and permissions are set to Read & Write rule group.

For scenario 1, each of the levels will have a permission set depending on the user role. For scenario 2, the permission at the Rule Group level will be inherited by the Sub Group and Rules in the Group.

Access Control for a Rule

When you want to change the rule permissions, you must select a rule and set their access permissions using the Rule Permissions panel.

Before applying the Rule permissions, the default permission set for all the user roles is 'No Access' permission and the checkbox is deselected.

Set default rule permission 

If you want to change the access permission for a specific user role, you must set these at the rule level, as shown in the figure. Suppose, you want the Administrators to have access to a specific rule, you can set the permission 'Read & Write' in the Rule Permissions panel.

Change the access permission for a specific user role 

Access Control for a Rule When Multiple Rules are Selected

When you want to change permissions of multiple rules, you can select multiple rules at a time and set their access permissions using the Rules Permissions Panel. The access permission that you choose will be applied to all the selected rules.

Note: The '*' besides the role name indicates the other permissions available on the user role. If you want to change the access permission for the required user role, select the user role and change the access permission.

Rule Permissions when multiple rules are seclectes 

Login as a specific user and view the access details

When you login to the NetWitness Suite UI as a user having 'Read access' permission, all the rules will be denoted with the symbol () and when you click on the symbol the 'Read Only' callout is displayed on the Rules List panel.

When you login to the NetWitness Suite

UI as a user not having 'Read & Write' access permission on a Rule, all the rules will be denoted with the symbol () and the rules appear grayed out on the Rules List panel.

The following figure shows the Rules List panel when logged in with minimal 'Read & Write' access permission.

Rules List panel 

Note: If a user (other than administrator) creates a rule, ADMIN cannot access that rule.

Tabular Listing

The following table lists the columns in the Rules Permissions panel:

                         
ColumnDescription
RolesThe role of the user logged into the NetWitness Suite user interface.
Read & WriteThe user can access, view, edit, delete, import, and export rules on the Rules view. The user can also change the permission on the rule.
Read OnlyThe user can only access and view the rule on the Rules view
No AccessThe user cannot access or view the rule for which this permission is set.
  

Set Access Control for a Rule

You can set access control for a rule. The Reporting Engine provides access control at the rule level. Only a user who has the right set of permissions can perform tasks on the rule. The administrator when creating users and roles must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

At the rule level, you can set the following access permissions for the user roles in NetWitness Suite:

  • Read & Write – View or edit the rules in the rule group.
  • Read Only – View the rules in the rule group.
  • No Access – Cannot view or edit the rules in the rule group.

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a rule. 

To set access control for a rule, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rules list panel, select the rule.
  3. Click Actions drop-down menu > Permissions in the Rule toolbar.

    The Rules Permissions dialog is displayed.

    The Rules Permissions dialog is displayed.

  4. Select the following appropriate access permission for the user role and click Save.
    • Read & Write
    • Read Only
    • No Access

Set Access Control for a Rule Group

You can set access control at the rule group level. Only a user who has the right set of permissions can perform the tasks on the rule. The administrator when creating users and roles must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

At the rule group level, you can set the following access permissions for the user roles in NetWitness Suite:

  • Read & Write – View or edit the rules in the rule group.
  • Read Only – View the rules in the rule group.
  • No Access – Cannot view or edit the rule in the rule groups.

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a rule group. 

To set access control for a rule group, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rule Groups panel, select the rule group and do one of the following:
    • Click   Actions drop-down menu and select Permissions.
    • Right-click the selected rule group and select Permissions.
    The Rules Permissions dialog is displayed.
    The Rules Permissions dialog is displayed.
  3. (Optional) Select the appropriate checkbox to apply these permissions to subgroups and child objects of this group.
  4. Click Save.
    A confirmation message that permission is successfully set for the selected rule group is displayed.

Delete a Rule or Rule Group

To delete a rule, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rules panel, do one of the following.
    • Select a rule and click Delete button in the Rule toolbar.
    • Click Actions drop-down menu  > Delete.

      A confirmation dialog is displayed.

      A confirmation dialog is displayed.

      Note: If a rule is being used in a report, a warning that the rule is in use and cannot be deleted is displayed.

  3. Click Yesto delete the rule.

    A confirmation message that the rule is deleted successfully is displayed and the selected rule is deleted from the Rule List panel.

To delete a rule group, perform the following:

  1. Select MONITOR > Reports.

    The Manage tab is displayed.

  2. In the Rule Groups panel, select the rule group that you want to delete.
  3. Click Delete button.

    A confirmation dialog is displayed.

    A confirmation dialog is displayed

    Note: If any one of the rules in the group is being used in reports, a warning that the rule is in use and cannot be deleted is displayed.

  4. Click Yesto delete the group.

    A confirmation message that the group is deleted successfully is displayed and the selected group is deleted from the Rule Groups panel.

Duplicate a Rule

To duplicate a rule, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rules list panel, select a rule that you want to duplicate.
  3. In the Rule toolbar, click Duplicate button.

Edit a Rule

Prerequisites

To edit a rule, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rules list panel, do one of the following:
    • Select a rule and click Edit button in the Rule toolbar.
    • Click Actions drop-down menu > Edit.
      The Build Rule view tab is displayed.
      The Build Rule view tab is displayed

Note: If a rule is edited, the updated rule definition is applied to the Reports, Charts, and Alerts where the rule is included.

  1. Modify the required fields.
  2. Click Save.
    A confirmation message that the rule is saved successfully is displayed.

When you edit a rule, ensure to re-select the Rule for which you want the Chart to be generated, so that the edited rule is applied. If you do not re-select the Rule and attempt to save or test the rule, the rule is saved and a warning message is displayed.

View Dependents of a Rule

You can view dependents of a rule. You must traverse a rule list, select a rule for which you want to identify the dependency over a report, chart, or alert.

The following figure shows the Rule View where you select the rule 'Access to Compliance Data Details'. 

Rule View where you select the rule 'Access to Compliance Data Details'

The following figure shows the dependency of the rule over alerts and reports.

Dependency of the rule over alerts and reports

The following table lists the various columns in the Rule Dependencies dialog and their description.

                 
ColumnDescription
Entity NameThe name of the entity referencing the rule.
PathThe path where the entity is located in the user interface.

To view dependents of a rule, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Rules.
    The Rule view is displayed.
  3. In the Rule List panel, click Actions drop-down menu > Dependents.
    The Rule Dependencies dialog is displayed.
    The Rule Dependencies dialog is displayed

Export a Rule or Rule Group

Prerequisites

Make sure that you have rules in the rule group.

To export a rule, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rules list panel, do one of the following:
    • Select a rule and click Actions drop-down menuExport in the Rule toolbar.
    • Click  Actions drop-down menu > Export.
    A browser-specific export dialog may be displayed, allowing you to open or save the file. You can export multiple rules at a time. To select multiple rule, press and hold the CTRL button and select the rules to be exported.

Note: If you want to export multiple rules, you can do that only by exporting rule groups.

To export a rule group, perform the following :

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rule Groups panel, select the rule group containing the rules which you want to export.
    You can export multiple rules groups at a time. To select multiple rule groups, press and hold the CTRL button and select the rules groups to be exported.
  3. Click Actions drop-down menu > Export.
    A browser-specific export dialog may be displayed allowing you to open or save the file.

Manage a Report

  

Access Control for a Report or Report Group

This section covers the access permissions the user has depending on the user role to manage a report and report group. The Reporting provides access control at the report and report group level. The user who has the right set of permissions can only perform the tasks in reporting module. The access control is managed by the administrator from the ADMIN > Security > Roles tab.

When creating users and user roles, the administrator must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

Reports and Report Groups can be tied to a specific set of user roles so that when a user logs into NetWitness Suite, the reports with the access rights for the specific user role can be viewed. Users that belong to a user role with the ‘Read & Write’ access permission can define reports. Further, the access can be tightened so that reports are accessed only by those who have the ‘Read Only’ access.

Note: You must have ‘Read Only’ permission for a group to view the reports within that group.

At the report level, you can set the following access permissions for the user roles in NetWitness Suite:

  • Read & Write
  • Read Only
  • No Access

Suppose, you want the NetWitness Suite to have access to all the reports in a Report Group, you can set the permission 'Read & Write' at the Report Group level. And, if you do not want the Operator role to have access to a specific set of reports in a report group, you can set the permission 'No Access' at the Report Group level.

The permission is set only for the report group but not the reports, rules, or subgroups in the Report Group.

Access Control for a Report Group

When you want to change the report group permissions, you must select a report group and set access permissions using the Reports Permissions panel.

Before applying report group permissions, the default permission set for all the user roles is 'No Access', except for Administrators, as shown in the figure. 

Set the default permission for reports permission 

If you want to change the access permission for a specific user role, you must set these at the report group level, as shown in the figure. <suppose,>Administrators to have access to all the reports in a Report Group, you can set the permission 'Read & Write' in the Report Group Permissions panel.

You can also apply permissions to subgroups and reports in the group, as well as apply read-only permission to rules in the reports by selecting the appropriate checkboxes, as shown in the figure.

 Apply permissions to subgroups and reports in the group 

The three scenarios are explained in brief:

  • Scenario 1: Permissions applied to Report Group/ Sub Group/ Report based on the user role.
  • Scenario 2: Permissions applied to Sub Group and Report in the Group.
  • Scenario 3: Read-only permission applied to Rules in the Report.
                                      
 Role (Analyst) Permissions applied to Report Group/ Sub Group/ Report based on the user role Permissions applied to Sub group and Report in the Group  Permission (Read-only) applied to Rules in the Report
Group  Read & WriteRead & Write Read & Write Read & Write
Sub Group ReadRead Read & Write - Inherited Read & Write
Report ReadRead Read & Write - Inherited Read & Write
Rules ReadRead ReadRead

The Report Group will be assigned the role of a Security Analyst and permissions are set to Read & Write report group.

For scenario 1, each of the levels has a permission set depending on the user role. For scenario 2, the permission at the Report Group level (Read & Write) is inherited by the Sub Group and Reports in the Group. For scenario 3, the Read permission is set for the Rules except that the permission set for the rules cannot be higher than the permissions set for the Report Group.

Access Control for a Report

When you want to change the report permissions, you must select a report and set their access permissions using the Report Permissions panel.

Before applying the Report permissions, the default permission set for all the user roles is 'No Access' permission and the checkbox is unchecked, as shown in the figure.

Set the default permission for all the user roles to 'No Access' permission 

If you want to change the access permission for a specific user role, you must set these at the report level, as shown in the figure. Suppose, you want the Administrators to have access to a specific report, you can set the permission 'Read & Write' in the Report Permissions panel.

You can apply read-only permission to rules in the reports by selecting the checkbox, as shown in the figure.

Apply read-only permission to rules in the reports 

The two scenarios are explained in brief:

  • Scenario 1: Permissions applied to Report Group/ Sub Group/ Report/ Rules.
  • Scenario 2: Read-only permission applied to Rules in the Report.
                                 
 Role (Analysts) Permissions applied to Report Group/ Sub Group/ Report/ Rules based on the user role Permission (Read-only) applied to Rules in the Report
Group  Read & WriteRead & Write Read & Write
Sub Group ReadRead Read & Write
Report ReadRead Read & Write
Rules ReadReadRead

The Report will be assigned the role of a Security Analyst and permissions are set to Read & Write reports.

For scenario 1, each of the levels has a permission set based on the user role. For scenario 2, the Read permission is set for the Rules except that the permission for the rules cannot be higher than the permission for the Reports.

Note: If the permission for the rules is higher than the permission for the Reports then the permission is be applied. For example, if you set the permissions for the Report Group as No Access and then specify the option Apply Read-only permission to Rules in the Reports, then the read-only permission is not set for the rules. 

Access Control for a Report When Multiple Reports are Selected

When you want to change permissions of multiple reports, you must select several reports and set their access permissions using the Report Permissions panel. The access permission that you choose is applied to all the selected reports.

Report permission for multiple Reports  

Access Control for a Report When Multiple Reports with several rules are Selected

When you want to change permissions when multiple reports with several rules are selected, you must select the checkbox in the Report Permissions panel, as shown in the figure. The read-only access permission is applied to all the rules of the selected reports, provided that the permission of the rules are lower than the permission of the reports.

Report permission When Multiple Reports with several rules are Selected 

Login as a specific user and view the access details

When you login to the NetWitness Suite UI as a user having 'Read access' permission, all the reports is denoted with the symbol () and when you click on the symbol the 'Read Only' callout is displayed on the Report List panel.

When you login to the NetWitness Suite UI as a user not having 'Read & Write' access permission on a Report, all the reports are denoted with the symbol () and the reports appear grayed out on the Report List panel.

The following figure shows the Report List panel when logged in with minimal 'Read & Write' access permission.

Report List panel when logged in with minimal 'Read and Write' access permission. 

Note:  If a User (other than the super user) creates a report there will be no access to that report for the super user. 

Tabular Listing

The following table lists the various columns in the Reports Permissions Panel:

                                 
ColumnDescription
Roles    The role of the user logged into the NetWitness Suite UI.
Read & WriteThe user can access, view, edit, import, export, and delete the report on the Reports view. The user can also change the permission on the report.
Read Only The user can only access and view the report on the Reports view.
No AccessThe user cannot access or view the report for which this permission is set. 
  Apply these permissions to subgroups and Reports in this groupSelect the checkbox to apply the selected permissions to the report group, subgroups in the group and reports in the group.

Note: This checkbox is populated only when you set access permissions for a Report Group.

  Apply Read-only permission to Rules in the ReportsSelect the checkbox to automatically apply permissions to the rules in the reports.
  

Set Access Control for a Report

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a report. 

To set access permissions for a report, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report List panel, select a report.
  4. Click Actions drop-down menu > Permissions.
    The Reports Permissions dialog is displayed.
     The Reports Permissions dialog is displayed
  5. Based on the user role, select the appropriate buttons.
  6. (Optional) Select the checkbox, if you want to provide read access permission to rules in the reports.

Note: On selecting the check box, all dependent rules are given READ access permission, provided the permissions for the report is higher compared to the permissions of the rules.

  1. Click Save.
    A confirmation message that the permission is set for the selected report is displayed.

Set Access Control for a Report Group

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a report group. 

To set access permissions for a Report Group, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report Groups panel, select or right-click on a report group.
  4. Click Actions drop-down menu > Permissions.
    The Reports Permissions dialog box is displayed.
     The Reports Permissions dialog is displayed
  1. Based on the user role, select the appropriate buttons.
  2. (Optional) Select the appropriate checkbox to apply the selected permissions to subgroups and reports in the group.
  3. (Optional) Select the appropriate checkbox to provide read access permission to rules in the reports.

Note: On selecting the check box, all dependent rules is given READ access permission, provided the permissions for the report is higher compared to the permissions of the rules.

  1. Click Save.
    A confirmation message that the permission is successfully set for the selected report group is displayed.

Delete a Report or Report Group

To delete reports in a group or subgroup from the Report List panel:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report List panel, do one of the following:
    • Select the reports and click Delete button.
    • Click  Actions drop-down menu > Delete.
      A confirmation dialog is displayed.
      A confirmation dialog is displayed
  4. Click Yes to delete the report.
    A confirmation message that the report is deleted successfully is displayed and the selected report is deleted from the Report List panel.

Delete a Report Group

Prerequisites

Make sure that you have no reports associated with the report group.

To delete report groups in the default folder or subgroups under a report group, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report Groups panel, select the report group and click Delete button.
    A confirmation dialog is displayed.
    A confirmation dialog is displayed
  4. Click Yes to delete the group.
    A confirmation message that the group is deleted successfully is displayed and the selected group is deleted from the Report Groups panel.

Duplicate a Report

You can duplicate a report to schedule multiple report for the same report. The duplicated report is displayed in the Reports List panel with suffixes. For example, Report (1). 

Generally, the duplicate option is used in two scenarios:

  • You want to make a copy of the report, to move the same report to another group.
  • You want to retain most of the configuration settings for an object but modify few of these settings.
    For example, when you have a complex query in a rule or several rules in a report, it is very much appropriate to use the duplicate option.

To duplicate an existing report, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.s
    The Report view is displayed. 
  3. In the Report List panel, select a report that you want to duplicate and click Duplicate button.
    The report is saved successfully and added to the Report list.

You can move the duplicated report to another group.

Edit a Report

To edit reports in a group or subgroup from the Report List panel, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed.  
  3. In the Report List panel, do one of the following:
    • Select a report and click Edit button.
    • Click Actions drop-down menu > Edit.
    The Build Report view tab is displayed.Build report view
  4. Modify the text and add more rules to the report (if required).
  5. Click Save.
    A confirmation message that the report is saved successfully is displayed.

Refresh a Report Group or Report List

You can refresh a report group or reports to view the re-arrangement of groups or reports. 

To refresh a report group or reports, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. Do the following to move the group or reports to a new location:
  • In the Report Groups panel, drag and drop the group.
  • In the Reports List panel, drag and drop the reports to the desired group in the Report Groups panel.
    The report group or reports are moved to the new location.
  1. Do the following to refresh a group or report list:
  • In the Report Groups panel, click Refresh button.
    The report group gets refreshed.
  • In the Report List panel, click Refresh button  .
    The Report list gets refreshed.

Edit a Scheduled Report

To edit a scheduled report from the Scheduled Reports List panel, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report List panel, select a report and click  Actions drop-down menu > View Scheduled Reports.
    The View Scheduled Reports tab is displayed.
  4. In the Scheduled Reports List panel, do one of the following:

    • Select a report and click Edit button.
    • Select a report and click Actions drop-down menuEdit Schedule.
      The Schedule Report tab is displayed.

      The Schedule Report tab is displayed

  5. In the Schedule Report tab, do the following:

    1. In the Schedule Name field, modify the name for the schedule report configuration.
    2. To execute the reports as per the schedule, select the Enable checkbox.
    3. From the Data Source field, select the datasource.

      Note: If the data source is not listed, ensure you have Read permissions set for the data source. This is applicable for NWDB and Warehouse data source. For more information, see "Configure Data Source Permissions" topic in the Reporting Engine Configuration Guide.

  6. (Optional) From the Warehouse Resource Pool drop-down, select the pool or queue for the report.

    Note: The Warehouse Resource Pool drop- down is displayed only if the Warehouse Rule is selected. If no pools or queues are entered for the Reporting Engine, this field is disabled. 

  7. From the Run field, select the type of run schedule. (For example, Now or Hourly).
  8. Select the date range to run the query based on absolute duration or select the Use relative time duration checkbox to run the query based on relative duration. 
  9. (Optional) In the Output Actions panel, do the following:
    1. Type the email address and subject.
    2. Edit the body of the message for the report.
    3. Select the format of the attachment.
    4. Type a value for the CSV and Multivalue delimiters.
  10. (Optional) In the Other Options field, do the following:

    1. Click   Add drop-down menu > SFTP or URL or Network Share. Based on the selected option, a row gets added in the Other options field.
    2. Select the appropriate options to send the report in PDF or CSV format to the configured SFTP, URL or Network Share.
  11. (Optional) To add a list in the Dynamic List panel, see Generate a List from the Scheduled Report section in Create and Schedule a Report.
  12. (Optional) To choose another logo in the Logo panel, see Manage and Select a Report Logo section.

    Note: If you do not specify a logo, the default RSA logo is used.

  13. Click Schedule.
    The scheduled report executes as scheduled and provides the configured outputs.

Delete a Scheduled Report

To delete a scheduled report from the Scheduled Reports List panel, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report toolbar, click View All Schedules.
    View Scheduled Reports is displayed.
  4. In the Scheduled Reports List panel, select the report.
  5. Click Actions drop-down menu  >Delete Schedule.
    A confirmation dialog is displayed.
     A confirmation dialog is displayed
  6. Click Yes to delete the scheduled report.
    A confirmation message that the scheduled report is deleted successfully is displayed and the selected schedule is deleted from the Scheduled Reports List panel.

Export a Report

You can export the selected reports to an external file that can be later imported to another NetWitness Suite environment. 

Prerequisites

Make sure that you have reports in the report group.

To export selected reports in the Report Groups panel to an external file, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report List panel, do one of the following:
    • Select a report and click Actions drop-down menu > Export.
    • Click Actions drop-down menu > Export.
    You can export multiple reports at a time. To select multiple reports, check the checkbox of the report to be exported. The exported file is saved to the local drive in an archived format.

Open CSV files with Unicode characters in MS Excel

To open downloaded CSV files containing Unicode characters in MS Excel, follow these steps:

  1. Download and save the CSV file.
  2. Open Microsoft Excel and navigate to the Data tab.
  3. Click on From Text menu item; find the CSV file that you downloaded and click Import.
    The Text Import Wizard is displayed.
  4. Select Delimitedor Fixed Width data type from the Original data type radio button.
  5. Click File origindrop down list and select 65001: Unicode (UTF-8) and click Next.
  6. Select the delimiter that was used in the file that you imported and click Next.
  7. Select the data format for each column of data that you want to import and click Finish.
    The correct output is displayed in an MS Excel sheet.

Export a Report Group

You can export a selected report groups to an external file that can be later imported to another NetWitness Suite environment. 

Prerequisites

Make sure that you have reports in the Report Group.

To export selected report groups in the Report Groups panel to an external file, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed.
  3. In the Report Groups panel, select a report group and click  and select one of the following:

      •  Export - This selection exports a report in a .zip file.
      • Export as Text - This selection exports all the content from the Reporting Engine in a .zip file which contains the data in text format.

      You can export multiple report groups at a time. To select multiple report groups, press and hold the CTRL button and select the report groups to be exported. The exported file is saved to the local drive.

Import a Report or Report Group

You can import a group containing subgroups and reports from other instances of NetWitness Suite into Report Groups panel. Reports must be in a valid binary file that was exported from another NetWitness Suite instance.
During the import process, you select the binary file and specify whether existing reports with the same name must be overwritten or not by the reports contained in the binary import file.

  • If you choose to overwrite, all duplicate rules, lists and reports are overwritten by the contents of the binary import file.
  • If you choose not to overwrite, and a duplicate rule, list or report exists in the target folder, the import fails and display a message about duplicate reports.

You cannot import reports to a specific report group. The imported files are stored in the Allroot folder.

Prerequisites

Make sure that you have the reports or report groups exported from other instances of NetWitness Suite.

To import groups containing subgroups and reports from other instances of NetWitness Suite into Report Groups panel, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report Groups panel, select a folder to import the file.
  4. Do one of the following:
    • In the Report Groups panel, click  Actions drop-down menu > Import to import a group.
    • In the Report toolbar, click Actions drop-down menuImport to import a report.
      The Import Report dialog is displayed. You can import multiple reports and report groups at a time. To select multiple reports or report groups, press and hold the CTRL button and select the reports or report groups to be imported.
  5. Click Browse to select the binary file.
    NetWitness Suite provides a file system view of the files.
  6. Locate the binary file and click Open.
    The file gets added to the Import Report list.
  7. (Optional) To overwrite any existing rule in the library with an identically named rule in the binary file when importing, check the Rule checkbox. If you do not select the Overwrite option, and an identical rule is encountered in the binary file, the binary file is imported and no error message is displayed.
  8. (Optional) To overwrite any existing list in the library with an identically named list in the binary file, check the List checkbox. If you do not select the Overwrite option, and an identical list is encountered in the binary file, the binary file is imported and no error message is displayed.
  9. (Optional) To overwrite any existing report in the library with an identically named report in the binary file when importing, check the Report checkbox. If you do not select the Overwrite option, and an identical report is encountered in the binary file, the binary file is imported and no error message is displayed.
  10. Click Import to import the binary file.

Enable or Disable a Scheduled Report

To enable or disable a scheduled report from the Scheduled Reports List panel, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report List panel, select a report and click Actions drop-down menu > View Scheduled Reports.
    View Scheduled Reports is displayed.
  4. Select a report from the Scheduled Reports List panel.
  5. Click Actions drop-down menu > Enable.
    The state of the report is changed to ‘Running’, if the report is scheduled to run immediately.
  1. Click Actions drop-down menu > Disable.
    The state of the report is changed to ‘Inactive’.

Start or Stop a Scheduled Report

To start or stop a scheduled report, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report List panel, select a report and click Actions drop-down menu > View Scheduled Reports.
    The View Scheduled Reports view is displayed.
  4. Select a report from the Scheduled Reports List panel.
  5. Click Actions drop-down menu > Start.
    The state of the report is changed to ‘Running’, if the report is scheduled to run immediately.
  1. Click Actions drop-down menu > Stop.
    The state of the report is changed to ‘Completed’.

View an Execution History of a Scheduled Report

You can view the execution history of a scheduled report. You can view the history of a scheduled report that is run. You can view the history based on the following criteria: 

  • Number of past schedules executed
  • Start date and end date for the date range

You can view the details such as how many times the scheduled report was executed, the time of execution (seconds), execution state. You can also view the report generated on a full screen. 

To view the execution history of a scheduled report, perform the following:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. Click Reports.
    The Report view is displayed. 
  3. In the Report List panel, do one of the following:
    • Click Actions drop-down menu > View Scheduled Reports.
    • Click the #Schedules column.
      The Schedule Reports view tab is displayed with the status of each of the scheduled report.
  4. Do one of the following:
    • Select a scheduled report and click Actions drop-down menu > Execution History.
    • Select a scheduled report and click Execution history icon .
      The Execution History view is displayed.

    Note: By default, you can view 10 number of execution history of a scheduled report. The execution history shown depends on the Retain Report History Configuration set on the Generaltab of the ADMIN > Services > Reporting Engine Configview.
    For example, if you set the Retain Report History Configuration to 100 days, the data displayed on the Execution History view. is the past 100 days execution history details considering the current date information.

  5. From the Get history by: field, select the type of history to be fetched. (For example, Past or Range (Specific))
  6. In the Count field, enter the number of executions to be displayed.
  7. Click Show History.
    The execution history of the scheduled report is displayed.

Manage and Select a Report Logo

Prerequisites

Make sure that you have the Reporting Engine service defined prior to managing a logo.

Manage Report Logos

To manage logos, perform the following:

  1. Select ADMIN > Services.

    The Services view is displayed.

  2. In the Services List panel, select an Reporting Engine service and click View > Config.

    The services config view is displayed.

  3. Select the Manage Logos tab.

    All the available logos are displayed.

Add a Logo

To add a logo, perform the following:

  1. In the Manage Logos tab, click Add button.

    A file browser opens where you can choose the file from the local drive.

  2. Select the logo and click Select.

    The selected logo gets added to the Manage Logos section.

Delete a Logo

To delete a logo, perform the following:

  1. In the Manage Logos tab, do one of the following:

    • Select the logo and click Delete Icon .
    • Perform (Ctrl+click) to select multiple logos and click Delete Icon.

    A confirmation dialog is displayed.

    A confirmation dialog is displayed

  2. If you want to delete the logo, click Yes.

    The selected logo is deleted from the Manage Logos section.

Set Default Logo

To set a default logo, perform the following:

In the Manage Logos tab, select a logo and click Set default button.

The chosen logo is set as the default logo for the RE service.

Select a Logo

To select a logo, perform the following:

  1. Select ADMIN > Reports.

    The Manage tab is displayed.

  2. Click Reports.

    The Report view is displayed.

  3. In the Report List panel, select a report.
  4. Click Actions drop-down menu > View Scheduled Reports.
    The View scheduled reports view tab is displayed.
  5. Select a scheduled report and click Actions drop-down menu > Edit Schedule.

    The Schedule a Report view tab is displayed.

  6. In the Logo panel, click Change Logo.

    The Change a Logo dialog box is displayed.

  7. Do one of the following:

    • Click Upload new logo to upload another logo.
    • Select a logo from the list.
  8. Click Select.
    The selected logo is available on the Logo panel.

Search Reporting Details

This section provides instructions on how to perform a keyword search on name and content for each of the Reporting components. You can perform a keyword search on name and content for each of the Reporting components (Rule/Report/Chart/Alert/List) on the Reporting UI. 

Note: You cannot search based on date and numeric values. 

The following figure shows the search parameters available in the Reporting Module:

The search parameters available in the Reporting Module

The following are the search parameters available on the Reporting UI:

  1. Search for entities (rule, report, chart, alert, list).
  2. Search for the entities based on either the name or content.

Note: Searches are case insensitive. For example, Completed is equivalent to completed.

Prerequisites

In the Reporting Module, you can perform a keyword search based on the name and content (definition). In this context, content implies definition of each of the reporting components. For instance, the value defined in the rule, report, report schedule, chart, and alert panel. You can also prioritize your search by selecting either or all of the components: Rule, Report, Chart, Alert, or List.

Note: You cannot search based on the List values and list path stored in schedule definition panel.

For example, to search for the rule name (ExpertRule), you must select Rule, Name, and Content in the filtering options drop-down to view all the rule names that matched the search. You can similarly search for a report, chart, alert, or list definition. 

To search for reporting details from the Manage tab, perform the following:

  1. Select MONITOR > Reports.

    The Manage tab is displayed.

  2. Click Show button and select the appropriate criteria to search.
  3. In the Search field, enter the text to be searched.
    The search drop-down list is displayed: The search drop-down list is displayed

Search Syntax and Different Types of Search 

The following table explains the search syntax and the possible searches that can be performed on the Reporting UI.

                         
Search TypesDescription
Word or phrase based search

Word Based Search:

To search for a word such as "action" or "meta", you must enter the word in the search box.

The following figure shows the search results for the text action.

The search results for the text action.

Phrase based search:

A Phrase is a group of words surrounded by double quotes such as "action meta". To search for a phrase, you must enclose phrases in double-quotes in the search box.

The following figure shows the search results for the phrase "action meta".

The search results for the phrase action meta

Wildcard Search (Single/ Multiple/ Special Character Search)

The question mark "?" symbol is used to perform a single character wild card search and asterisk "*" symbol is used to perform multiple character wildcard search.
Single character search:

The single character wildcard search looks for terms that match with the single character replaced. For example, to search for "Expert" or "Export" you can use the search syntax: 
Exp?rt

The following figure shows the search results for the wildcard character Exp?rt.
the search results for the wildcard character Exp?rt.

Multiple character search:

Multiple character wildcard search looks for 0 or more characters. For example, to search for Expert, or Experts, you can use the search syntax: 

Expert*

The following figure shows the search results for the wildcard multiple character Expert*.
the search results for the wildcard multiple character Expert*.

Special character search:

Certain punctuation and special characters are ignored during search (@#$%^&*(){}"~=+-[]\?|!:,.). For example, a search for action-login will be interpreted during search as "action" "login", that is, if rules exist with name "action-login" and "action@login" and search string is "action-login", the search result will return both the rules.

Special character search:

Search based on name or content

Search based on name:
  When you want to search based on the name of a report, select Reportand Namebox from the filtering options drop-down. For example, to search for the report name "Report With Multiple Rules", you can use the search syntax:

"Access to Compliance Data"

Note: When you search for a report, it implies you can search for the report schedules as well.

The search result will return the report containing the specific name.

Search based on name

Search based on content:

When you want to search for the content within an alert, say alert description, select Alert and Content box from the filtering options drop-down. For example, to search for the alert description "Device IP Got Detected", you can use the search syntax:

"Device IP Got Detected"
Search based on content

The search will return the result having the specific content.

The search will return the result having the specific content

Previous Topic:Investigate a Report
Next Topic:Troubleshooting
You are here
Table of Contents > Manage a List or Rule or Report

Attachments

    Outcomes