Query-Trend Relationships in Reporting

A base trend is made of one query. Trends can be used as the primary data source for a report. Or, a trend based on one query can be used as the data source to another query that further refines the initial query result. A collection of trend queries (queries that use trends as their data source) can provide focused views of a data set, which can then be fed into a single report or multiple reports.

For example, you could create a trend called “VPN Logins Outcome - Hourly” that references a query that returns all VPN login attempts, successful logins, and failed attempts. You could schedule the trend to run hourly. You can use this base trend directly in a report.

A more powerful approach is to refine the data further by creating three new trend queries, each of which takes the base trend as its data source but adds conditions that return one specialized slice of the results: one query returns only login attempts, another only successful logins, and another only failed attempts. You could then draw on all four queries in one report or in several reports to show different views of the data. (The base query shows all types of login events; the other three show the focused views.)

A single query or trend can feed data into multiple reports, and a single report can capture data from multiple queries and trends.

The ability to automate and refine queries by feeding them into trends and vice versa, along with the flexibility in populating reports, solves many typical enterprise security reporting challenges. You can build a trend that gets a daily event count, feed the trend into a query that sums up the daily counts to get a monthly event count, and even feed that monthly count query into another trend, and so forth. Managed Security Service Providers (MSSPs) can tier query-trend approaches to create focused reports for multiple customers, built from queries that are initially broad in scope.
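The two chains described above (the hourly VPN login trend with its three focused trend queries feeding one report, and the daily-count trend rolled up by a monthly query) can be modelled end to end in a few lines of Python over SQLite. This is an added illustration, not code from the original documentation or from any reporting product: the events table, the `vpn_login` event type, the `success`/`failure` outcome values and the sample events are all constructed for the example, and a "trend" is simply a query result materialized into a table on a schedule.

```python
import re
import sqlite3

# Constructed sample events (not from the original page): VPN login attempts plus
# one unrelated web event, so the base query has something to filter out.
EVENTS = [
    # (timestamp, event_type, username, src_ip, outcome)
    ("2024-05-01T08:05:00", "vpn_login", "alice", "198.51.100.7", "success"),
    ("2024-05-01T08:17:00", "vpn_login", "bob", "203.0.113.9", "failure"),
    ("2024-05-01T08:44:00", "vpn_login", "bob", "203.0.113.9", "failure"),
    ("2024-05-01T09:02:00", "vpn_login", "carol", "198.51.100.12", "success"),
    ("2024-05-01T09:30:00", "web_request", "carol", "198.51.100.12", "success"),
    ("2024-05-02T10:11:00", "vpn_login", "alice", "198.51.100.7", "success"),
    ("2024-05-02T10:12:00", "vpn_login", "dave", "203.0.113.40", "failure"),
    ("2024-06-01T07:00:00", "vpn_login", "alice", "198.51.100.7", "success"),
]

# Base query: every VPN login attempt, bucketed by hour and by day.
BASE_QUERY = """
SELECT substr(ts, 1, 13) || ':00' AS hour, substr(ts, 1, 10) AS day,
       username, src_ip, outcome
FROM events
WHERE event_type = 'vpn_login'
"""

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _checked(trend_name):
    """Trend names are internal identifiers spliced into DDL, so they are
    validated against a strict pattern rather than accepted as free text."""
    if not _IDENT.match(trend_name):
        raise ValueError(f"bad trend name: {trend_name!r}")
    return trend_name


def materialize_trend(conn, trend_name, query):
    """Run a query on its schedule and store the result as a trend table.
    Returns the number of rows captured in this run."""
    name = _checked(trend_name)
    conn.execute(f"DROP TABLE IF EXISTS {name}")
    conn.execute(f"CREATE TABLE {name} AS {query}")
    return conn.execute(f"SELECT COUNT(*) FROM {name}").fetchone()[0]


def trend_query(conn, trend_name, outcome=None):
    """A trend query: uses the trend table as its data source and returns
    per-hour counts, optionally narrowed to a single outcome."""
    sql = f"SELECT hour, COUNT(*) FROM {_checked(trend_name)}"
    params = ()
    if outcome is not None:
        sql += " WHERE outcome = ?"
        params = (outcome,)
    sql += " GROUP BY hour ORDER BY hour"
    return dict(conn.execute(sql, params).fetchall())


def build_pipeline():
    """Load the sample events and run the base trend once (the 'hourly' job)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts TEXT, event_type TEXT, username TEXT, "
        "src_ip TEXT, outcome TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", EVENTS)
    materialize_trend(conn, "vpn_logins_hourly", BASE_QUERY)
    return conn


def hourly_report(conn):
    """One report fed by the base trend (all attempts) and the three focused
    trend queries. Each row: (hour, attempts, successes, failures)."""
    attempts = trend_query(conn, "vpn_logins_hourly")
    ok = trend_query(conn, "vpn_logins_hourly", "success")
    failed = trend_query(conn, "vpn_logins_hourly", "failure")
    return [(h, attempts[h], ok.get(h, 0), failed.get(h, 0)) for h in sorted(attempts)]


def monthly_from_daily(conn):
    """Second chain: a trend holding daily counts, then a query over that trend
    that sums the daily counts into a monthly count."""
    materialize_trend(
        conn, "vpn_logins_daily",
        "SELECT day, COUNT(*) AS n FROM vpn_logins_hourly GROUP BY day",
    )
    rows = conn.execute(
        "SELECT substr(day, 1, 7), SUM(n) FROM vpn_logins_daily "
        "GROUP BY substr(day, 1, 7) ORDER BY substr(day, 1, 7)"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    conn = build_pipeline()
    for row in hourly_report(conn):
        print(row)
    print(monthly_from_daily(conn))
```

Because the three focused queries read the materialized trend rather than the raw events table, the expensive base query runs once per schedule and every downstream view (and every report built on it) shares the same snapshot, which is the property the text relies on when it describes tiering trends for multiple reports or customers.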