Reports are defined from the Reports menu. There are three types of reports:
- Overview reports - general system statistics, including top sources, alerts, actors and activity charts
- Saved search reports - regularly executed reports built on a saved search query; the most flexible type, since any search can become a report
- Group by reports - reports defined through the "Reports" tab that aggregate events or alerts by one or two fields
Apart from overview reports, all report types contain the raw data as well as a set of configured charts.
Reports can be generated in multiple formats: JSON, CSV, XLS, PDF, HTML.
Raw data is not included in PDF reports; charts are not available in JSON and CSV reports.
Custom charts can be included in PDF reports and the included fields can be customized for all tabular reports.
Each report can be scheduled to run at specified times; daily, weekly, monthly and yearly schedules are supported.
On the dashboard "Reports" tab, ad-hoc reports can be executed and downloaded in any of the supported formats, for any time range and any search criteria. A chart is generated for each report, and each item in it can be searched with a click on the search icon.
Group by reports can be created using:
- one or two aggregation fields - the fields to group by
- filter query - an optional filter to filter the results before aggregating (e.g. get the top IP addresses only for deny firewall events)
- display fields - specify a comma-separated list of parameters taken from each event to display for each row
- source type - whether to perform the aggregation on the event data or on alert data
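The following is an added illustration of the group-by report semantics described above (one or two aggregation fields, an optional pre-aggregation filter, display fields and a source type), not the product's own code or API. The event and alert records, the field names and the minimal `field=value AND field=value` filter syntax are all assumptions constructed for this example; taking the display fields from the first record of each group is likewise a choice of this example. It also renders the result as JSON and CSV, the two tabular formats that carry raw data but no charts.

```python
"""Group-by report illustration (added example, not the SIEM's code)."""
import csv
import io
import json
from collections import Counter

# Constructed sample data (not real log output); field names are assumptions.
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_port": 22, "action": "deny", "device": "fw1", "user": "alice"},
    {"src_ip": "10.0.0.5", "dst_port": 22, "action": "deny", "device": "fw1", "user": "alice"},
    {"src_ip": "10.0.0.5", "dst_port": 443, "action": "allow", "device": "fw1", "user": "alice"},
    {"src_ip": "10.0.0.9", "dst_port": 22, "action": "deny", "device": "fw2", "user": "bob"},
    {"src_ip": "10.0.0.9", "dst_port": 3389, "action": "deny", "device": "fw2", "user": "bob"},
    {"src_ip": "10.0.0.7", "dst_port": 80, "action": "allow", "device": "fw1", "user": "carol"},
]
ALERTS = [
    {"rule": "ssh-bruteforce", "severity": "high", "src_ip": "10.0.0.5"},
    {"rule": "ssh-bruteforce", "severity": "high", "src_ip": "10.0.0.9"},
    {"rule": "rdp-scan", "severity": "medium", "src_ip": "10.0.0.9"},
]
# "source type" selects whether the aggregation runs over events or alerts.
SOURCES = {"events": EVENTS, "alerts": ALERTS}


def parse_filter(query):
    """Parse a minimal 'field=value AND field=value' filter (assumed syntax)."""
    if not query or not query.strip():
        return []
    terms = []
    for clause in query.split(" AND "):
        field, sep, value = clause.strip().partition("=")
        if not sep or not field.strip():
            raise ValueError(f"bad filter clause: {clause!r}")
        terms.append((field.strip(), value.strip()))
    return terms


def matches(record, terms):
    """A record matches when every filter term equals the record's field (as text)."""
    return all(str(record.get(field)) == value for field, value in terms)


def group_by_report(source_type, group_fields, filter_query="", display_fields="", top=10):
    """Filter the chosen source, then count records per one- or two-field key.

    Returns rows sorted by count (descending, then key), each carrying the
    group key, the count and the requested display fields taken from the
    first record in the group (an assumption of this example).
    """
    if not 1 <= len(group_fields) <= 2:
        raise ValueError("group by one or two fields")
    terms = parse_filter(filter_query)
    display = [f.strip() for f in display_fields.split(",") if f.strip()]
    counts = Counter()
    first_seen = {}
    for rec in SOURCES[source_type]:
        if not matches(rec, terms):
            continue
        key = tuple(rec.get(f) for f in group_fields)
        counts[key] += 1
        first_seen.setdefault(key, rec)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:top]
    rows = []
    for key, n in ranked:
        row = dict(zip(group_fields, key))
        row["count"] = n
        for f in display:
            row[f] = first_seen[key].get(f)
        rows.append(row)
    return rows


def render(rows, fmt):
    """Serialize report rows as JSON or CSV (raw data only, no charts)."""
    if fmt == "json":
        return json.dumps(rows, indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()) if rows else [])
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()
    raise ValueError(f"unsupported format: {fmt}")


if __name__ == "__main__":
    # Top source IPs for denied firewall events, with device and user shown per row.
    print(render(group_by_report("events", ["src_ip"], "action=deny", "device,user"), "csv"))
    # Two-field aggregation: which (source IP, port) pairs are denied most often.
    print(render(group_by_report("events", ["src_ip", "dst_port"], "action=deny"), "json"))
    # Same engine over alert data instead of event data.
    print(render(group_by_report("alerts", ["rule"]), "json"))
```

The filter runs before aggregation, so "top IP addresses for deny events only" is a one-line call; the same call with `source_type="alerts"` reports on alert data without changing the grouping logic.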
Each report can be sent to multiple destinations:
- Email (useful for overview reports as well as PDF reports)
- File push - SCP, FTP, SFTP or S3 bucket - report data is pushed to external storage
- Local - reports are saved locally on the SIEM server
Built-in report templates are provided for various standards and regulations. They are updated automatically in SaaS setups and downloaded automatically in on-premise setups.