Reports
Content Security Reporter includes highly customizable, flexible, and easy-to-use reporting capabilities.
Reports are customizable documents that display data from one or more Content Security Reporter elements in a single PDF document for focused and offline analysis.
Use the Report Builder to create and run reports that display charts and tables with user-configured data. The most recently run report is stored within Content Security Reporter and readily available for viewing.
Default reports
Content Security Reporter installs several default reports made of Content Security Reporter queries and filters. Default reports are available from Content Security Reporter Shared Groups.
Default reports produce data from Content Security Reporter summary and detailed queries, for example:
- Your users' Internet activity
- The most blocked websites, malware, and applications
- The most used websites and applications
- Potential security threats to your organization
Custom reports
Create a custom report, or duplicate and customize a default report to suit your needs.
The following display and setting options are available to customize your reports:
- Report data — Information found within a report is based on the data generated within queries.
- Format options — Using these options, you can modify and customize various elements in the report format.
- Runtime information — Using these options, you can add specific runtime information to your report.
Delegated Reports
Delegated Reports is an access control feature to restrict which report data a user account can access.
In default reporting, users can view report for all users or groups. Using Delegated Reports under Permission Sets in Trellix ePO, administrators can configure which report data is available based on user names, user groups, IP address, or log sources. For more information about Trellix ePO permission set, see the product guide of your version of Trellix ePO.
When you select All report data in one permission set and Selected report data in other permission set, All report data takes precedence.
NOTE: After creating permission sets, if the Content Security Reporter is removed and reinstalled, the user must enable those permissions again. To do this, the user must edit and save each permission set.
If you change the Permission Sets settings for a Trellix ePO user, the changes are effective from the next session when the Trellix ePO user logs in again.
Types of filters
Delegated Reports provides three types of filters:
- Users/Groups
- IP Addresses
- Log Sources
Users can view data from all users and groups or only selected users and groups. The filters are case insensitive except User Groups. The user names are listed in lowercase. The user group name is displayed in bold. You can also include data from the log sources that do not have user names by enabling the Include Anonymous option. These users are displayed as dash.
When you select Only selected users & groups in Select Report Data, you can configure these options as required:
- Search Database — Displays users and group data from the logs that are processed previously.
- Search Directory — Allows you to search users and groups from the directory.
- Add Manually — Allows you to add users and groups manually.
NOTE: By default, the maximum record fetching limit for Active Directory is 1000 and OpenLDAP is 500. If the number of records mentioned in the Find Now field exceeds the limit, only records within the limit are displayed. You can change the maximum limit by configuring the MaxPageSize for AD. For more information, see Increase the MaxPageSize in Active Directory manually.
You can add multiple permission sets to one user. When you include the user in one permission set and exclude from another permission set, exclusion takes precedence.
Users can view data from all IP addresses or from only selected IP addresses. It supports both IPv4 and IPv6 format. You can also define one IP address or a range of IP address using the Add Manually option.
When you select Only selected IP addresses in the Select Report Data, you can configure these two options as required:
- Search Database — Displays all IP addresses from the logs that are processed earlier.
- Add Manually — Allows administrators to add IP address or IP addresses range manually.
Log Sources displays the configured log sources that you can use for reporting.
Users can view data from all log sources or from only selected log sources. If the logs in the Report server are deleted but already parsed, those logs are also included in the list.
Using multiple Permission Sets for one user
Administrators can assign more than one Permission Sets to users.
The following table explains how Permission Sets work for different scenarios when administrators assign more than one Permission Sets.
| Permission Set 1 configuration | Permission Set 2 configuration | Expected result |
|---|---|---|
| All report data | Selected report data | User can view all report data. |
| Selected report data > All users & groups > All IP addresses > All log sources | Selected report data, specific user in Only selected users & groups , Single IP address in Only selected IP address, and specific log source in Only selected log source. | User can view report data from all IP addresses, all log sources for all users. |
Selected report data withuser_1 included. |
Selected report data with user_1 excluded. |
User can't view report data from user_1. |
Selected report data with user_1 included, Include anonymous is selected for All IP addresses, and All log sources. |
User can view report data only from user_1 and anonymous users. |
|
Selected report data with user_1 that is part of group_1 included, Include Anonymous is selected, exclude group_1 for All IP addresses, and All log sources. |
User can view report data only from anonymous users. | |
Selected report data with user_1 that is part of group_1 excluded, and group_1 included for All IP addresses, and All log sources. |
User can view report data only from group_1 user data except user_1 data. |
|
Selected report data with user_1 included, deselect Include Anonymous, All IP addresses and All log sources. |
User can view report data only from user_1 data. |
|
Selected report data with group_1 included for All IP addresses, and All log sources. |
User can view report data only from group_1 data |
|
Selected report data with group_1 excluded, for All IP addresses and All log sources. |
User can view report data for all users and groups except group_1 users. |
|
Selected report data with user_1 and group_3 excluded, for All IP addresses, and All log sources. |
User can view report data for all users and groups except user_1 and group_3 users. |
|
| Selected report data with no users or groups selected, Include Anonymous deselected for All IP addresses, and All log sources. | User can view report data for all users and groups except Anonymous data | |
Selected report data with user_1 selected, user_3 excluded, Include Anonymous deselected, Add IP range defined, and log source mwg_1 is selected. |
User can view report data for user_1 for the IP address range from the mwg_1 log source. Data from user_3 and other IP addresses are excluded. |
|
Selected report data with user_1 (a source user of NSM log) selected, user_3 (destination user of NSM log) excluded, Add IP range defined, and log source nsm_1 selected. |
User can view NSM report data with user_1 as source and destination within the IP range, includes data from nsm_1 log, and excludes user_3 and other users with other IP address and also from other NSM log source if any. |
|
| Selected report data with Include Anonymous selected. | Selected report data with Include Anonymous deselected. | User can view reports for data except anonymous data. |
Increase the MaxPageSize in Active Directory manually
Increase the MaxPageSize manually.
- Type LDAP policies at the Ntdsutil.exe command prompt in the Active Directory, then press Enter.
- Type set maxpagesize to <number> , then press Enter.
For example, to set the maximum record size to 7000, type set maxpagesize to 7000. - Type Show Values, then press Enter to verify the changes.
- Type Q, then press Enter to quit.