Manage reports - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-28
Category
Administrator Guide
Solution
Cloud
Abstract

Create a new report or customize an existing report in Cortex XSOAR, including adding widgets and changing the timezone and time format in a report. Schedule and generate a report.

You can create and edit reports in the Reports tab, including adding widgets, scheduling times, setting incident time range, adding recipients, and changing the format and size. Reports support PDF and CSV.

Report actions

You can do the following with reports.

Report action

Description

Create or edit a report

When creating a report, what you see is what you get. How you configure the report is how it generates. You can add widgets to a report, change the format and paper size, and insert page breaks by adding the Page Break widget. If you have a table widget that contains many rows, you can select the number of rows on each page or print the whole table (in the table widget, right click and select Force Print full Chart).

You can add your own logo by going to Settings & InfoSettingsSystemServer SettingsLogo Configuration and uploading your logo in the Full-size logo field. Reports are generated in PDF or CSV formats.

Create a report from a dashboard

You can create a report from the dashboard as is, or add new widgets as required. You have the same functionality as custom reports, such as format, when to run, and orientation. To create a report from the dashboard, on the Dashboards page click cog-wheel-8.png and select Create report.

Schedule a report

You can schedule a report to run specific times, or run the report immediately. You can also send the report to specific recipients, and restrict the report according to roles.

Generate an out-of-the-box report

Cortex XSOAR comes with out-of-the-box reports, such as critical and high incidents, daily incidents, and last 7 days incidents. You can change the time range for the incidents, the scheduled time and who can receive the report. If you want to make more comprehensive changes to out-of-the-box reports, copy or download (and then upload) the report.

Schedule a report from an incident

Captures investigation-specific data and shares it with team members. You can customize how the information is displayed for existing incidents.

  1. In the Dashboards & Reports page Reports tab, select New Report.

  2. Enter a name for the report.

  3. Add a widget to the report.

    1. Click plus.jpg to add a custom widget or select an existing widget from the Widgets Library.

    2. To edit the widget in the report, select three-dots.jpg then Edit widget.

      The edits to the widget in the report apply only for the report. If you want to make changes that are available for other users, dashboards, or reports, edit the widget directly in the Widgets Library by clicking the pencil edit icon.

    3. To add a new widget from the Widgets Library, follow the procedure in Create a widget using the widget builder.

    4. Click Save.

  4. Define the report settings.

    Report setting

    Description

    Date Range

    The Date Range for the report. Default is Last 7 days.

    By default, a widget in a report inherits the date range that you specify when creating the report. If the date range for the report does not include the widget date range, the data is blank. To change the widget’s date range, click three-dots.jpg and select Use widget’s date range or Use dashboard’s date range. By default, the dashboard’s date range is used and the option in the dropdown shows as Use widget’s date range. If you change this to use the widget’s date range, the dropdown then shows the option to Use dashboard’s date range.

    Note

    Each widget can have its own date range, which can be different from the report’s date range.

    Schedule

    You can schedule a report to run at specific times with start and end dates. You can also add restrictions on the report content and the number of recipients.

    If you want to send the report to users by email, you need to add an email integration instance, such as EWS, Gmail, or Mail Sender. Default is Disabled.

    To schedule a report:

    1. Under the Schedule field, click Disabled or the date it was last run.

    2. In the dialog box, add the following information:

      • A comma-separated email list of report recipients.

      • Select the Scheduled checkbox.

    3. If you want to restrict the content of the report according to roles, in the Run as Roles field, from the dropdown list, select one of the roles.

    4. Schedule a report according to one of the following methods:

      • Human view: Schedules a report according to the set number of hours. You can add days of the week with start and end times.

        When scheduling a report in the Human view the Next Run date may be incorrect. You may need to change the number of hours field when scheduling the report.

      • Cron view: Schedules a report according to a Cron time string format, which consists of five fields that Cron converts into a time interval. Use this view to schedule a report on certain hours, days, months, years, and so on. For examples of Cron strings, see Report scheduling examples.

        Note

        When using the Cron view, the Start at and Ends fields may conflict with Cron string expressions. For example, when using frequencies (i.e. ‘/’) if you type the expression 0 */6 * * * (runs every 6 hours), with a start time of 15.00, the next run time is not 21:00. The run time depends on Cron run times, which are 00.00, 06:00, 12:00, and 18:00 per day. In this example, the report runs at 15.00, 18.00, and then 00.00, etc. For examples using Cron generally, see Cron examples.

    5. Select the Start at date and time.

    6. Select the Ends condition. Options are:

      • Never (default)

      • by (specify the date)

      • after (specify the date)

    7. Select Run Now to run the report immediately. If you click Save, the report appears in the main Reports tab with the scheduled run date in the Next Run field.

    Recipients

    A comma-separated email list of report recipients. Default is None.

    If you want to send the report to users by email, you need to add an email integration instance, such as EWS, Gmail, or Mail Sender.

    Format

    The report file format. Options are PDF (default) or CSV.

    Note

    Only tables and text based widgets are exported in CSV. Other widgets are ignored.

    Orientation

    Sets the report display orientation. Options are Portrait (default) or Landscape.

    Tip

    We recommend using landscape orientation to ensure that all information displays in the report.

    Paper Size

    Sets the report paper size. Options are:

    • A4 (default)

    • A3

    • Letter

  5. Save the report. If you select Save Version, you can view a history of the changes made to your report and you can revert to previous versions.

  1. On the Dashboards & Reports page Reports tab, select the Duplicate Report icon for the report you want to edit.

  2. Enter a name for the report.

  3. Add a widget to the report.

    1. Click plus.jpg to add a custom widget or select an existing widget from the Widgets Library.

    2. To edit the widget in the report, select three-dots.jpg then Edit widget.

      The edits to the widget in the report apply only for the report. If you want to make changes that are available for other users, dashboards, or reports, edit the widget directly in the Widgets Library by clicking the pencil edit icon.

    3. To add a new widget from the Widgets Library, follow the procedure in Create a widget using the widget builder.

    4. Click Save.

  4. Define the report settings.

    Report setting

    Description

    Date Range

    The Date Range for the report. Default is Last 7 days.

    By default, a widget in a report inherits the date range that you specify when creating the report. If the date range for the report does not include the widget date range, the data is blank. To change the widget’s date range, click three-dots.jpg and select Use widget’s date range or Use dashboard’s date range. By default, the dashboard’s date range is used and the option in the dropdown shows as Use widget’s date range. If you change this to use the widget’s date range, the dropdown then shows the option to Use dashboard’s date range.

    Note

    Each widget can have its own date range, which can be different from the report’s date range.

    Schedule

    You can schedule a report to run at specific times with start and end dates. You can also add restrictions on the report content and the number of recipients.

    If you want to send the report to users by email, you need to add an email integration instance, such as EWS, Gmail, or Mail Sender. Default is Disabled.

    To schedule a report:

    1. Under the Schedule field, click Disabled or the date it was last run.

    2. In the dialog box, add the following information:

      • A comma-separated email list of report recipients.

      • Select the Scheduled checkbox.

    3. If you want to restrict the content of the report according to roles, in the Run as Roles field, from the dropdown list, select one of the roles.

    4. Schedule a report according to one of the following methods:

      • Human view: Schedules a report according to the set number of hours. You can add days of the week with start and end times.

        When scheduling a report in the Human view the Next Run date may be incorrect. You may need to change the number of hours field when scheduling the report.

      • Cron view: Schedules a report according to a Cron time string format, which consists of five fields that Cron converts into a time interval. Use this view to schedule a report on certain hours, days, months, years, and so on. For examples of Cron strings, see Report scheduling examples.

        Note

        When using the Cron view, the Start at and Ends fields may conflict with Cron string expressions. For example, when using frequencies (i.e. ‘/’) if you type the expression 0 */6 * * * (runs every 6 hours), with a start time of 15.00, the next run time is not 21:00. The run time depends on Cron run times, which are 00.00, 06:00, 12:00, and 18:00 per day. In this example, the report runs at 15.00, 18.00, and then 00.00, etc. For examples using Cron generally, see Cron examples.

    5. Select the Start at date and time.

    6. Select the Ends condition. Options are:

      • Never (default)

      • by (specify the date)

      • after (specify the date)

    7. Select Run Now to run the report immediately. If you click Save, the report appears in the main Reports tab with the scheduled run date in the Next Run field.

    Recipients

    A comma-separated email list of report recipients. Default is None.

    If you want to send the report to users by email, you need to add an email integration instance, such as EWS, Gmail, or Mail Sender.

    Format

    The report file format. Options are PDF (default) or CSV.

    Note

    Only tables and text based widgets are exported in CSV. Other widgets are ignored.

    Orientation

    Sets the report display orientation. Options are Portrait (default) or Landscape.

    Tip

    We recommend using landscape orientation to ensure that all information displays in the report.

    Paper Size

    Sets the report paper size. Options are:

    • A4 (default)

    • A3

    • Letter

  5. Save the report. If you select Save Version, you can view a history of the changes made to your report and you can revert to previous versions.

To generate a report immediately:

  1. In the Reports tab, edit the report settings as relevant, including:

    • Date Range

    • Recipients

    • Next Run

  2. Click Run.

  3. Click report-download.png to download the report.

Tip

Ensure that you enable pop-ups in your browser. If reports do not download after you click Run, add the Cortex XSOAR URL to your browser's pop up blocker exceptions. For more information, see Troubleshoot script timeout for reports.