RSA NetWitness^® Platform Online Documentation

You can create a simple or complex report and configure its execution properties by scheduling a report. A report can include multiple rules and you can schedule different time range to execute the same report. For example, depending on your requirement, you can schedule a report to run daily, weekly or monthly.

When you run a report, the results are stored in Reporting Engine.

After you generate a report, you can perform the following:

• Send the reports by email to other users by configuring the output actions. You can also configure the output actions before generating a report.
•  Download the reports as PDF or Comma-Separated Values (CSV) format files.

Note: The cancel operation is not supported for Respond Reports.

Create a Report or Report Group

To create a report to a group or sub-group, perform the following:

1. Go to Monitor > Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports toolbar, click .

   The Build Report tab is displayed.

   

4. Enter the name of the report.

5. Drag and drop the text and rules to the report.

   Note: The text entered is optional and you may need this option only when you want to display user-defined headers or content.

6. Click Save.

   A confirmation message that the report is saved successfully is displayed.

To create a group to the default folder or add sub-groups under a report group, perform the following:

1. Go to Monitor > Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports Groups panel, click .

   A default group is added in the Report Groups panel.

4. Enter the name of the new group.

5. Press Enter.

   The group is added to the Report Groups panel.

Schedule a Report

Note: When you schedule a Warehouse report, you can use a supported task scheduler to allocate specific resources in a cluster for the scheduled job. For more information on "supported task schedulers", see Task Scheduler for Warehouse Reporting.

To schedule a report, perform the following:

1. Go to Monitor > Reports.

   The Manage tab is displayed.

2. In the Rules panel, click to create a rule. ​
3. Click Save.

4. Click Use.

   

5. Go to Monitor > Reports.

   The Manage tab is displayed.

6. Click Reports.

   The Report view is displayed.

7. On the Reports panel, click to create a report.
8. Enter the Report Name in the field.
9. Add the rule by drag and drop which has the user defined variable from the Rules tab.

10. Click Schedule.

    The Schedule Report view is displayed.

    If you provide another user with access permissions to a report, you must also provide permissions for the report group, the rules used in the report, and the rule groups otherwise an error message is displayed.
    

11. To execute the reports as per the schedule, select the Enable checkbox.
12. In the Schedule Name field, enter a name for the schedule report configuration.

13. From the Data Source field, select the data source.

    Note: If the data source is not listed, then ensure you have Readpermissions set for the data source. This is applicable for NWDB, Respond and Warehouse data source. For more information, see "Configure Data Source Permissions" topic in Reporting Engine Configuration Guide.

14. (Optional) From the Warehouse Resource Pool drop-down, select the pools or queues available in the cluster to schedule the report to run on either the pool or queue. This drop-down list is available only if you select a Warehouse DB report.

    Note: All the queues or pools you specified in the Explore page for the Reporting Engine are listed. If no pools or queues are configured in the Explorer page, this drop-down is disabled and the jobs are submitted to the clusters without any a queue or pool name. 

    Note: If the pool or queue configured in the report schedule is removed from the Cluster, then in the Capacity Scheduler, the queue name remains undefined. However, in the Fair Scheduler, the specified pool name will be created using the property mapred.fairscheduler.allow.undeclared.pool.

15. From the Time Zone drop-down, select a time zone to display all the time-related data in a report output in the specified format. This setting is configurable from the Reporting Engine Explore view (/com.rsa.soc.re/configuration/reportoutputformatterconfig/reportoutputformatterconfig).

16. From the Run field, select the type of run schedule. (For example, Now or Hourly).

    Depending on the type of run schedule, choose one of the following:

    • If you select a Later or Monthly run schedule, you must provide a value for the day and time in the respective field provided.
    • If you select an Hourly run schedule, you must specify the minutes in the At Minute field.
    • If you select a Daily run schedule, you must enter a value in the At field.
    • If you select a Weekly run schedule, you must enter a value in the At field and also select the week days.

    Note: While scheduling a report, if you select Past option or Range (specific/generic) option or an end time range very close to the current time, you must ensure that the aggregate data in the data source is returned. If there is an aggregation delay in the data source, the end time you choose must account for the delay, otherwise reports lose non-aggregate data for that time range.

    For information on how to generate a report with variables, see Create a Parameterized Report Using Variable.

17. (Optional) In the Output Actions panel, do the following:

    1. Enter the email address and subject.
    2. Edit the body of the message for the report.
    3. Select the format of the attachment.
    4. Enter a value for the CSV and Multi-value delimiters.

    5. (Optional) In the Other Options field, do the following:

       1. Click ​ and select SFTP, URL, or Network Share output action.

          A row gets added with the selected output action.

       2. Select the appropriate options to send the report in PDF or CSV format, or both to the RE configured SFTP, or URL, or Network Share output action.
18. (Optional) To add a list in the Dynamic List panel, see Generate a List from the Scheduled Report.

19. (Optional) To choose a logo in the Logo panel, see "Manage and Select a Report Logo" section in Manage Lists, Rules or Reports.

    Note: If you do not specify a logo, the default RSA logo will be used. 

20. Click Schedule.

    The scheduled report executes as scheduled and provides the configured outputs.

    
    

After you create and Schedule a report, you can perform any of the following tasks:

• You can notify the email recipient when the report execution completes and send reports in PDF and CSV formats as attachments in the email.
• You can generate a list based on the scheduled report and view them in the Lists module.
• You can send a scheduled report in PDF or CSV format, or both to the RE configured SFTP  location, or URL, or Network Share.
• You can change the default logo and view them in the scheduled report.
• You can modify the NetWitness Platform Reporting Engine config details, by navigating to the Reporting Engine General Tab. See the "Reporting Engine General Tab" topic in the Reporting Engine Guide.

Examples

When you schedule reports in the Schedule Report view, by default, the results for the Past option are presented based on the user specified time zone. The following examples provide a clear picture on what results to expect when you select Hours, Days, Weeks, Months, or Years for the Past option based on the absolute or relative duration.

Note: By default, the relative duration checkbox is de-selected. This implies that the results for the Past option are presented based on the absolute duration.

• Based on Absolute duration - Absolute Duration allows a report to be scheduled at an absolute time with respect to the current time, excluding the seconds and considering the time interval as a whole. For example, 12.00pm is the absolute time with respect to the current time (12.45 pm).

  • Hours - Suppose that you select Hours and specify one hour. If the current user specified time is 4.20PM, the report is generated for the time range, 3.00PM to 4.00PM.
  • Days - Suppose that you select Days and specify one day. If the current date is August 27, 2014 and the current user specified time is 10.15AM, the report is generated for the range: August 26, 2014, 12.00AM to August 27, 2014, 12.00AM.
  • Weeks - Suppose that you select Weeks and specify one week. If the current date is August 27, 2014 2.30PM and the day is Wednesday, the report is generated for the range: Saturday, August 16, 2014, 12.00AM to Saturday, August 23, 2014, 12.00AM.
  • Months - Suppose that you select Months and specify one month. If the current date is August 27, 2014 2.30PM, the report is generated for the range:
    ​July 01, 2014, 12.00AM to July 31, 2014, 12.00AM.
  • Years - Suppose that you select Years and specify one year.If the current date is August 27, 2014 2.30PM, the report is generated for the range:
    January 01, 2013, 12.00AM to December 31, 2013, 12.00AM.

• Based on Relative duration - Relative Duration allows a report to be scheduled at a time relative to the current time which might vary based on the current time. For example, 12.45 pm is the relative time with respect to the current time (12.45 pm).

  • Hours - Suppose that you select Hours and specify one hour. If the current  user specified time is 4.20PM, the report is generated for the time range, 3.20PM to 4.20PM.
  • Days - Suppose that you select Days and specify one day. If the current date is August 27, 2014 and the current user specified time is 10.15AM, the report is generated for the range: August 26, 2014, 10.15AM to August 27, 2014, 10.15AM.
  • Weeks - Suppose that you select Weeks and specify one week. If the current date is August 27, 2014 12.30PM and the day is Wednesday, the report is generated for the range: Thursday, August 21, 2014 12.30PM to Wednesday, August 27, 2014 12.30PM.
  • Months - Suppose that you select Months and specify one month. If the current date is August 27, 2014, 2.30PM the report is generated for the range:
    July 27, 2014 2.30PM to August 27, 2014 2.30PM.
  • Years - Suppose that you select Years and specify one year.If the current date is August 27, 2014 2.30PM, the report is generated for the range: August 27, 2013 2.30PM to August 27, 2014 2.30PM.

​Generate a List from the Scheduled Report

You can generate a list from the output of the scheduled report. Make sure that your lists are created in NetWitness Platform prior to generating a list to schedule a report. 

To generate a list from the Build Report view, perform the following:

1. Go to Monitor > Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed. 

3. In the Reports panel, select a report and in Actions column, click  > Schedule Report.

   The Schedule Report view tab is displayed.

4. In the Output Actions section, in Dynamic List panel, click .

   The Generate List dialog box opens.

5. Click Browse.

   The List Selection panel is displayed.

6. Choose a list item and click Select.

   The list name gets populated in the List Name field.

7. Select a valid rule to filter the report results further based on the rule definition.

8. Select a value for the Column field.

   The column forms the values for the list that gets created.

9. If you want to overwrite the existing list, select the Overwrite Existing List? checkbox.

10. Click Save.

    The list name gets populated in the Generate List panel.

    

11. (Optional) Select a list from the Generate List panel and click  to delete the selected list.
12. (Optional) Select a list from the Generate List panel and click to edit the list details.

​Create a Parameterized Report Using Variable

You use variables for reporting in the RSA NetWitness Platform Reporting module. Parameterized reporting allows you to specify values dynamically at runtime without changing the rule definition so you can view the results based on a particular value. You can achieve parameterize reporting by using variables in the query or rule. For information on adding a rule, see Configure a Rule. At runtime, you can enter the value for the variable or select the value from the list based on which the result set is displayed.

The syntax to specify the variable is as follows:

The syntax to define the variable is the same for NetWitness DB and Warehouse DB data sources. When you assign the value of the variable in a Run Configuration, you must enclose the value within single quotes: '<value>'.

Note: If you have multiple rules in a parameterized report, you must specify the value individually for every rule in the scheduler. For example, if you want a report that use five rules that pulls information related to user.dst and you have specified ${InvestigationUser} variable in every rule, then you must specify the user name five times.

Some examples where a variable can be used are provided in this section.

View Source IP Addresses for a Specific Destination Country

The following is an example of a NetWitness DB rule to view the source and destination ip addresses for a specific destination country. Here the value for source country is defined as a variable ${local_country}.

At runtime, you are prompted to enter the value for the variable. The figure below shows the local_Country variable where you can enter the value. If you enter the value as United states, all the source and destination ip addresses with destination country as United states are listed.

You can use the above rule to schedule a report. You can schedule two types of reports:

• Report with Dynamic Variables
• Iterative Report

Report with Dynamic Variables

Dynamic variables allows the user to specify the values for a variable defined in a rule while scheduling a report.

To schedule a report with Dynamic Variable, perform the following:

1. Go to Monitor > Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. On the Reports panel, click to create a report.
4. Enter the Report Name in the field.
5. Add the rule by drag and drop which has the user defined variable from the Rules tab.

6. Click Schedule.

   The Schedule Report view tab is displayed.

   

7. To execute the reports as per the schedule, select the Enable checkbox.
8. In the Schedule Name field, enter a name for the schedule report configuration.
9. In the NetWitness DB drop-down, select the database.
10. From the Time Zone drop-down, select a time zone to display all the time-related data in a report output in the specified format.This setting is configurable from the Reporting Engine Explore view (/com.rsa.soc.re/configuration/reportoutputformatterconfig/reportoutputformatterconfig).

11. From the Run field, select the type of run schedule. (For example, Now or Hourly). Depending on the type of run schedule, do either of the following:

    • If you select a Later or Monthly run schedule, you must provide a value for the day and time in the respective field provided.

    • If you select an Hourly run schedule, you must specify the minutes in the At Minute field.

    • If you select a Daily run schedule, you must enter a time value in the At field.

    • If you select a Weekly run schedule, you must enter a value in the At field and also select the week days.

    Note: While scheduling a report, if you select Paste option or Range (specific/generic) option or an end time range very close to the current time, you must ensure that the aggregate data in the data source is returned. If there is an aggregation delay in the data source, the end time you choose must account for the delay, otherwise reports lose non-aggregate data for that time range.

12. In the variables field, click .

13. Do one of the following:

    • Enter the value for the variable, or

    • Choose the list value for the variable.

      
      

14. Click Select.

15. Click Schedule.

    The scheduled report executes as scheduled and provides the configured outputs.

View All Destination IP Addresses for a Source IP Address

The following is an example of a Warehouse rule to view all the destination IP addresses for a specific source IP. The source IP address ip_src is defined as a variable ${IP_Address}.

At runtime, you are prompted to enter the source IP address. The figure below shows the IP_Address variable, and you can enter a valid source IP address. All the destination IP addresses with the specified source IP are listed.

Associate a Variable to a List of Values

You can associate the variable to a list. For example, you can create a list called Local_Country and enter all the country names as values. You can select the list Local_Country as the value for the variable Local_Country. At Run Configuration, the Local_Country list is populated and you can select the country based on which results are displayed.

Iterative Report

An iterative report generates a report for every value in the list.

To schedule an iterative report, perform the following:

1. Go to Monitor > Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. On the Reports panel, click to create a report.
4. Enter a Report name in the field.
5. Add the rule which has the user defined variable from the Rules tab.

6. Click Schedule.
   ​The Schedule Report view tab is displayed.

   

7. To execute the reports as per the schedule, select the Enable checkbox.
8. In the Schedule Name field, enter a name for the schedule report configuration.

9. From the Data Source field, select the data source.

   Note: If the data source is not listed, then ensure you have Read permissions set for the data source. This is applicable for NWDB and Warehouse data source. For more information, see "Configure Data Source Permissions" topic in the Reporting Engine Configuration Guide.

10. (Optional) From the Warehouse Resource Pool drop-down, select the pools or queues available in the cluster to schedule the report to run on either the pool or queue. This drop-down list is available only if you select a Warehouse DB report.

    Note: All the queues or pools you specified in the Explore page for the Reporting Engine are listed. If no pools or queues are configured in the Explorer page, this drop-down is disabled and the jobs are submitted to the clusters without any a queue or pool name.

    Note: If the pool or queue configured in the report schedule is removed from the Cluster, then in the Capacity Scheduler, the queue name remains undefined. However, in the Fair Scheduler, the specified pool name will be created using the property mapred.fairscheduler.allow.undeclared.pool.

11. From the Time Zone drop-down, select a time zone to display all the time-related data in a report output in the specified format. This setting is configurable from the Reporting Engine Explore view (/com.rsa.soc.re/configuration/reportoutputformatterconfig/reportoutputformatterconfig).

12. From the Run field, select the type of run schedule. (For example, Now or Hourly). Depending on the type of run schedule, do either of the following:

    • If you select a Later or Monthly run schedule, you must provide a value for the day and time in the respective field provided.

    • If you select an Hourly run schedule, you must specify the minutes in the At Minute field.

    • If you select a Daily run schedule, you must enter a time value in the At field.

    • If you select a Weekly run schedule, you must enter a value in the At field and also select the week days.

    Note: While scheduling a report, if you select Paste option or Range (specific/generic) option or an end time range very close to the current time, you must ensure that the aggregate data in the data source is returned. If there is an aggregation delay in the data source, the end time you choose must account for the delay, otherwise reports lose non-aggregate data for that time range.

13. In the variables field, do the following:

    1. To run iterative reports, select the Iterative Report checkbox.

    2. To Iterate on List value, click .

       The List Selection Window opens.

    3. Choose a list and click Select.

       The list item selected gets added to the Iterate on List field.

    4. Select the variable on which the selected list value has to be applied.
       

14. Click Schedule.
    The scheduled report executes as scheduled and provides the configured outputs.

The following figure shows the Iterative Report view.​

Create a Report Using a Rule

You can create a report using a rule. When you create a report using a rule, a default report is created with this single rule. You can further edit the report to add more rules.

To create a report using a rule, perform the following:

1. Go to Monitor > Reports.

   The Manage tab is displayed.

2. Choose any of the following:

   • Create a report using a rule when you create or edit the rule:

     1. In the Rules view, select a rule and click > Use> Report.

        The Use Rule dialog is displayed.

   • Select a rule in the Rules panel and click  in the Rule toolbar. From the drop-down menu, select Use > Report.
   • In the Rules panel click  > Create Report.

Note: Custom rules can be used to create a Report and If you select the view for the rule as "Area" or "Pie", a window pops up for X-Axis and Y-Axis inputs. By default, you can select only the first meta in X-Axis.

3. Select New Report or Existing Report based on your requirement.

4. Click Select.