You can run ad-hoc reports or create reports that are distributed on a schedule.
You can generate reports using pre-designed dashboard templates, or create custom reports from scratch with widgets from the Widget Library. You can also schedule your reports to run regularly or just once. All reports are saved under → .
To take actions on existing report templates, go to → → . On this page you can also import and export report templates in a JSON format, which enables you to transfer your configurations between environments for onboarding, migration, backup, and sharing. You can bulk export and import multiple report templates at a time.
Note
Report templates that are based on custom infrastructure cannot be exported.
If you import a report template that already exists in the system, the imported template will overwrite the existing template. If you do not want to overwrite the existing template, duplicate and rename the existing template before importing the new template.
Run a Report Based on a Dashboard
You can generate a report based on an existing dashboard.
Select → → .
Right-click the dashboard from which you want to generate a report, and select Save as report template.
Enter a unique Report Name and an optional Description of the report, then Save the template.
Select → .
Run the report.
You can either Generate Report to run the report on-demand, or you can Edit the report template to define a schedule.
After your report completes, you can download it from the → page.
Create a Report from Scratch
You can create a new report, using an existing or new template.
Select → → → .
Enter a unique Report Name and an optional Description of the report.
Select the Data Timeframe for your report.
You can choose Last 24H (day), Last 7D (week), Last 1M (month), or you can choose a custom time frame.
Note
The custom time frame is limited to one month.
Choose the Report Type.
You can use an existing template, or you can build a new report from scratch.
Click Next.
Customize your report.
To get a feel for how the data will look, Cortex XDR provides mock data. To see how the report would look with real data in your environment, you can use the toggle above the report to use Real Data. Select Preview A4 to view how the report is displayed in an A4 format.
Drag and drop widgets from the widget library to their desired position.
If necessary, remove unwanted widgets from the template. To remove a widget, select the menu in the top right corner, and select Remove widget.
For incident-related widgets, you can also select the star to include only incidents that match an incident starring configuration in your report. A purple star indicates that the widget is displaying only starred incidents.
When you have finished customizing your report template, click Next.
If you are ready to run the report, select Generate now.
To run the report on a regular Schedule, you can specify the time and frequency that Cortex XDR will run the report.
(Optional) Enter an Email Distribution list or Slack workspace to send a PDF version of your report.
Select Add password used to access report sent by email and Slack to set password encryption.
Note
Password encryption is only available in PDF format.
(Optional) Attach a CSV file of your Cortex Query Language (XQL) query widget to a report.
From the drop-down menu, search for and select one or more of your custom widgets to attach to the report. The XQL query widget is attached to the report as a CSV file along with the customized PDF. Depending on how you chose to send the report, the CSV file is attached as follows:
Email—Sent as separate attachments for each widget. The total size of the attachment in the email cannot exceed 20MB.
Slack—Sent within a ZIP file that includes the PDF file.
Save Template.
After your report completes, you can download it from the → page.
In the Name field, reports with multiple files, PDF and CSV files, are marked with a icon, while reports with a single PDF are marked with a icon.
Note
You can receive an email alert if a report fails to run due to timeout or fails to upload to the GCP bucket.
Configure the notification rule for a failed report.
Under → → → , + Add Forwarding Configuration.
Select a Name and a Description for your rule, and under Log Type, select Management Audit Logs.
Use a filter to select the Type as Reporting, Subtype as Run Report, and Result as Fail.
Under Distribution List, select the email address to send the notification to.
Click Done.