14.3 Working with Reports

The data that you view in reports depends on the security filter applied to your role. For example, if the security filter for your role is set to view events of severity 1 to 3, your report results include only those events, even though the report parameters also allow severity 4 and 5 events.

As you work with reports, you can perform several tasks including the following:

  • Finding Reports: Sentinel provides a large number of reports. You can use one of the following ways to easily find the reports you are interested in:

    • Using a particular keyword in the report name or description.

    • Using Tags.

    • Viewing reports belonging to a specific category: Scheduled or Unread.

  • Grouping: To simplify report management as the number of reports grows over time, by default, Sentinel groups the reports by Category.

    You can change the grouping to None if you want to list all your reports and searches under one heading. To change the grouping, click More options, select Group by, and then select the necessary option.

  • Tagging: You can associate reports with existing tags. When a tag is set on a report, the report results associated with the report inherit the tag by default.

  • Marking reports and searches as Favorites: You can mark the most frequently used reports and searches as Favorites to make them easier to find. You can also store them in folders to locate and manage them easily.

  • Drilling down into the reports to further analyze the data: You can view events directly for a report without scheduling the report. The search results provide a preview of what to expect when you generate a report and the ability to investigate further. To view events for a report, click Search Events.

  • Sharing reports with other roles: The Share functionality allows you to share reports with other roles and also control who can access your reports.

    For example, the out-of-the-box report templates are accessible to all Sentinel users. Consider a scenario where you have several groups in your organization, such as system administrators and database administrators. Because of the sensitivity of the audit data available in the report results when you run the out-of-the-box report templates, you may want to ensure that these administrators do not gain access to any unauthorized data. In such a scenario, you can restrict the visibility of the report templates to only you, to users in your role, or to users in selected roles.

    NOTE: Only users in the Administrator role can restrict the visibility of the out-of-the-box reports.

    By default, the reports that you create or import from Solution Packs are visible only to you and to users in the Administrator role. You can share your reports with other roles as necessary without transferring the complete ownership of the reports.

    For example, consider a scenario where there is a dedicated audit team in your organization whose primary job is to analyze and validate the accuracy of reports. You may want them to only view your reports but not modify or delete reports. In such a scenario, you can share your reports with the audit team. The audit team will only be able to view or run the reports depending on the permission they have. However, they will not be able to modify or delete reports.

    To share reports, you must have the Share reports permission. To share reports with users in other roles, you must have the Manage roles and users permission in addition to the Share reports permission. You can share only the reports that you create or import from Solution Packs. You cannot share reports that other users have shared with you. To share a report, select the report you want to share, click the Share icon, and select the relevant sharing option.

    The events that users with whom you have shared reports can view in the report results depend on the permission their role has. For example, if their role has permission to view only events of severity 4 and 5, the report results include only those events.

    If the user account of a report owner is deleted, reports that are set as Private are deleted. The ownership of all the shared reports is transferred to the admin user. If that report owner had shared any reports with you, you can no longer view those shared reports unless the admin user shares those reports with you.

NOTE: When you generate the Sentinel Core Event Source Audit report in solution pack version 2011.1r9, for any event source under a specific Tenant to be listed, that event source must be tagged with a tag name that is the same as the Tenant name.