Run or Schedule Reports - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-18
Category
Administrator Guide
Abstract

You can run ad-hoc reports or create reports that are to be distributed as scheduled.

There are two ways to create a report template:

Run a Report Based on a Dashboard

You can generate a report based on an existing dashboard.

  1. Select Dashboards & ReportsCustomizeDashboards Manager.

  2. Right-click the dashboard from which you want to generate a report, and select Save as report template.

  3. Enter a unique Report Name and an optional Description of the report, then Save the template.

  4. Select ReportingReport Templates.

  5. Update FILTERS & INPUTS.

    If the report includes Custom Cortex Query Language (XQL) widgets with predefined parameter filters, each parameter requires a Default Value. For more information about configuring FILTERS & INPUTS, see Create a Report from Scratch.

  6. Run the report.

    You can either Generate Report to run the report on-demand, or you can Edit the report template to define a schedule.

  7. After your report completes, you can download it from the ReportingReports page.

Create a Report from Scratch

You can create a new report, using an existing or new template.

  1. Select Dashboards & ReportsCustomizeReports Templates+ New Template.

  2. Enter a unique Report Name and an optional Description of the report.

  3. Select the Data Timeframe for your report.

    You can choose Last 24H (day), Last 7D (week), Last 1M (month), or you can choose a custom time frame.

    Note

    The custom time frame is limited to one month.

  4. Choose the Report Type and click Next

    You can use an existing template, or you can build a new report from scratch.

  5. Customize your report.

    To get a feel for how the data will look, Cortex XSIAM provides mock data. To see how the report would look with real data in your environment, you can use the toggle above the report to use Real Data. Select Preview A4 to view how the report is displayed in an A4 format.

  6. Add widgets to the report. From the widget library, drag and drop widgets on to the report.

    1. For incident-related widgets, select the star to display only incidents that match an incident starring configuration on your dashboard, if desired. A purple star indicates that the widget is displaying only starred incidents.

    2. To remove a widget, select the menu in the top right corner of the widget, and Remove widget.

  7. Configure FILTERS & INPUTS.

    If you added Custom XQL widgets with predefined parameter filters, configure the parameters. For more information about adding parameter filters to a widget, see Manage your Widget Library.

    Note

    You can specify a maximum of four parameter filters.

    1. Select + Add Filters & Inputs.

    2. On the FILTERS & INPUTS panel, +Add an input and select one of the following options:

      • Single Select to specify a single predefined value

      • Multi Select to specify multiple predefined values

      • Free text/number to specify a single free text value

    3. Update the Parameter Title.

    4. Select the Parameter that you want to configure.

      These values are extracted from the XQL queries of the widgets on the dashboard.

    5. Specify a Default Value for the selected parameters.

      This value overwrites any predefined default values in the XQL query.

      Note

      The values must support the parameter type. For example, for $name specify characters and for $num specify numbers.

    6. Save Filters & Inputs.

  8. When you have finished customizing your report template, click Next.

  9. If you are ready to run the report, select Generate now.

  10. To run the report on a regular Schedule, you can specify the time and frequency that Cortex XSIAM will run the report.

  11. (Optional) Enter an Email Distribution list or Slack workspace to send a PDF version of your report.

    Select Add password used to access report sent by email and Slack to set password encryption.

    Note

    Password encryption is only available in PDF format.

  12. (Optional) Attach CSV file of your XQL query widget to a report.

    From the drop-down menu, search and select one or more of your custom widgets to attach to the report. The XQL query widget is attached to the report as a CSV file along with the customized PDF. Depending on how you selected to send the report, the CSV file is attached as follows:

    • Email—Sent as separate attachments for each widget. The total size of the attachment in the email cannot exceed 20MB.

    • Slack—Sent within a ZIP file that includes the PDF file.

  13. Save Template.

  14. After your report completes, you can download it from the ReportingReports page.

    In the Name field, reports with multiple files, PDF and CSV files, are marked with a report-zip.png icon, while reports with a single PDF are marked with a report-pdf.png icon.

Note

You can receive an email alert if a report fails to run due to timeout or fails to upload to the GCP bucket.

Configure the notification rule for a failed report.

  1. Under SettingsConfigurationsGeneralNotifications , + Add Forwarding Configuration.

  2. Select a Name and a Description for your rule, and under Log Type, select Management Audit Logs.

  3. Use a filter to select the Type as Reporting, Subtype as Run Report, and Result as Fail.

  4. Under Distribution List, select the email address to send the notification to.

  5. Click Done.