From NetWitness Platform 12.3 or later, administrators and analysts can directly create or schedule the reports from the Investigate > Events view. Administrators and analysts can create a simple or complex report and configure its execution properties by scheduling a report. Administrators and analysts can generate a report to capture details related to past, current, or predicted resource needs and schedule different time ranges to execute the same report. For example, depending on your requirement, you can schedule a report to run hourly, daily, weekly, or monthly. Additionally, administrators and analysts can configure charts for reports. Using this feature, administrators and analysts can create various types of charts based on Event Count, Session Size, Packet Count, and Meta Key options.

For example, you can identify the Top Source Countries and Destination Countries, or the top Threat and Risk trends, to monitor any changes to the normal categories, or to monitor the users and services that may potentially have malicious activity.

The reports can be used for multiple purposes, such as:

  • Checking and assessing network security status.

  • Identifying network security issues, threats, and vulnerabilities.

  • Monitoring security incidents and malware activity.

Note:
• If the administrator has not configured the time zone, the reports follow the UTC time zone by default.
• If the administrator configures the time zone under the User Preferences panel, the report follows the administrator's configured time zone. For more information, see Setting User Preferences in the NetWitness Getting Started Guide.
• By default, only administrators can create or schedule reports. The administrator must enable the appropriate permission for analysts to generate reports during the data source configuration.
For more information, see Configure Data Source Permissions in the NetWitness Reporting Configuration Guide.
• A generated output report can contain up to 100 results in tabular format.
• Created and scheduled reports are visible only to the users who created them. Administrators can also give appropriate permissions to other roles to view the report under Reports > Manage > Reports > select the folder > actions icon > Permissions > select the role > Save.
For more information, see Reports Permissions Dialog in the NetWitness Reporting User Guide.


If you encounter any problems while generating the reports, see the Investigate Events Reporting Issues section in Troubleshooting NetWitness Investigate.

Create a Report

The Create Report dialog enables you to create a report instantly. Administrators and analysts must select a data source, time range, and a query on the filter to create a report. Additionally, administrators and analysts can configure charts for reports. Using this feature, administrators and analysts can create various types of charts based on Event Count, Session Size, Packet Count, and Meta Key.

Note: For Instant report generation, you can select the time range required from the Time Range drop-down list next to Service selection. For example, Last 30 Minutes.

To create a Report

  1. Log in to the NetWitness Platform.

  2. Go to Investigate > Events.

  3. Create a query that consists of one or more filters that contain a meta key, operator, and optional value.

    Note: Once the events are displayed, you can sort the events by ascending or descending order, and the report will be generated based on the limit configured.

  4. Click the three-dot menu icon > Create Report.

    The Create Report dialog is displayed.


  5. The default report name with a time stamp will be displayed initially. For example, Report on Investigate Query - 2023-02-25 10-16-09.

    Note:
    • You can customize the report name as per the requirement, and the name must be unique to create a report.
    • The report name must not have special characters such as / \ : * ? " < > |.

  6. In the Limit field, specify the number of records to include in the report, from 1 to 100. The default is 20.

  7. In the Chart Type section, do the following:

    1. Select the type of chart to be rendered and visualize your data. The options are listed below:

      • Tabular(Default)

      • Pie

      • Area

      • Bar

      • Bubble

      • Column

      • Line

      • Step line

      • Step Area

      • Spline Area

      • Spline

      Note:
      - Based on the chart type selection, Summarize and Meta Key options are enabled.
      - For the Tabular option, Summarize and Meta Key options will not be enabled.

    2. Summarize: Select one of these in-built aggregate meta options (Events, Sessions, or Packets) to obtain the desired summarized meta values.

      • Event Count: The total number of events that have occurred at a specific time.

      • Session Size: The total size of the events recorded by services at a certain time.

      • Packet Count: The total number of packets that have been transmitted or received.

    3. Meta Key: Select the meta value from the drop-down menu.

      Note: You can select only one meta value at a time.

IMPORTANT: Ensure that the SMTP mail server is configured in order to send reports to users.

  8. (Optional) Click Email Output Action and enter the email address to which the generated report needs to be sent.

    You can enter multiple comma-separated valid email IDs. For example, email1@example.com,email2@example.com,email3@example.com.

  9. Click Create.

    The success message is displayed on the screen.

Note: The time required for reports to be generated may vary based on the amount of data. Please wait for the requested report to be created.

  10. To view the report, do one of the following:

    • On the success message banner, click the hyperlink click here to directly open the report in the reports tab.

    • Go to Reports > Manage > Reports > View All Reports.

Note:
• You can download the report in a PDF or CSV file format for future and offline needs.
• When the report is generated, it is attached as a PDF to the email and sent to all users configured during the report creation process.

Schedule a Report

The Schedule Report dialog enables you to create a schedule for the report. Reports can be scheduled hourly, daily, weekly, or monthly. In order to schedule a report at a specific time or on a daily, weekly, or monthly basis, administrators and analysts must configure the scheduling options on the Schedule Report Dialog. Additionally, administrators and analysts can configure charts for reports. Using this feature, administrators and analysts can create various types of charts based on Event Count, Session Size, Packet Count, and Meta Key.

Note: The report will only include data from the selected time interval. You can change the interval starting with the next recurrence.

To create a Schedule Report

  1. Log in to the NetWitness Platform.

  2. Go to Investigate > Events.

  3. Create a query that consists of one or more filters that contain a meta key, operator, and optional value.

    Note: Once the events are displayed, you can sort the events by ascending or descending order, and the report will be generated based on the limit configured.

  4. Click the three-dot menu icon > Schedule Report.

    The Schedule Report dialog is displayed.


  5. The default report name with a time stamp will be displayed initially. For example, Report on Investigate Query - 2023-04-25 10-18-26.

    Note:
    • You can customize the report name as per the requirement, and the name must be unique to schedule a report.
    • The scheduling time will be displayed based on the user’s time zone selected from admin User Preferences.
    For more information, see Setting User Preferences in the NetWitness Getting Started Guide.
    • The name must not have special characters such as / \ : * ? " < > |.
    • If you schedule a report for a query filter and the generated report contains a rule that did not return any values, this indicates that no data is available for that particular query.

  6. In the Limit field, specify the number of records to include in the report, from 1 to 100. The default is 20.

  7. Specify the following parameters to configure the schedule. The Schedule Report dialog has these fields:

    Run: Time interval to use for running the scheduled job. Depending on the type of run schedule, select one of the following:

    • Later: If you select a Later run schedule, you must provide a value for the day and time in the respective field provided.

    • Hourly: If you select an Hourly run schedule, you must specify the minutes in the At Minute field. For example, if you enter 50, the report is prepared at the 50th minute of every hour.

      Note: A maximum of only 59 minutes can be selected.

    • Daily: If you select a Daily run schedule, you must enter a value in the At field. For example, if you schedule the report at 04:25, the report will be prepared at 04:25 AM every day.

    • Weekly: If you select a Weekly run schedule, you must enter a value in the At field and select the weekdays.

      Note: The report runs on the day of the week that the schedule begins. For example, if you schedule the report to first run on Monday, the report runs on Monday every week.

    • Monthly: If you select a Monthly run schedule, you must provide a value for the day and the At field. For example, select 25 for the 25th day of the month. The report will be prepared on the 25th day of every month.

    Note: During the monthly report generation process, a message appears if the selected day is greater than 28. This notifies the user that the report will be scheduled only for the months containing that day.

    ON: Select one of the following:

    • Past: If you select the Past option, you can schedule the report based on Hours, Days, Weeks, Months, or Years. For example, to schedule the report to start three days before the current date, do the following:

      • Select Past in the ON field.

      • Enter 3 in the field and select Days from the drop-down list.

      This field appears only if you select Later in the Run field.

      Note:
      • This field appears if you select Later, Hourly, Daily, Weekly, or Monthly in the Run field.
      • For Hourly, the maximum value allowed is 168 (24 hours x 7 days), counted as total hours.

    • Range(specific): If you select the Range(specific) option, you must provide the From and To values.

      For example, you can schedule the report for a specific date and time range, from 02/01/2023 12:00:00 AM to 02/15/2023 12:00:00 AM; the report runs over the data in that period.

      Note: This field appears only if you select Later in the Run field.

    • Range(generic): If you select the Range(generic) option, you must provide the From and To values.

      For example, you can schedule the report daily for a time range from 04:00 to 10:00; the report runs over the data in that period each day.

      Note: This field appears only if you select Later, Daily, Weekly, or Monthly in the Run field.

    Note: While scheduling a report, if you select the Past, Range(specific), or Range(generic) option with an end time very close to the current time, make sure the data source has already aggregated the data for that range. If the data source has an aggregation delay, the end time you choose must account for that delay; otherwise the report misses the data that was not yet aggregated for that time range.

    Use relative time calculation:

    • By default, the Use relative time calculation option is enabled, and the report window is measured relative to the exact time the report runs.

      For example, if you schedule a report to run over the past 1 hour (-1h relative time), the window is exactly the 1 hour before the report runs. If the report runs at 3 P.M., it includes the events from the past 60 minutes, that is, between 2 P.M. and 3 P.M. today.

    • You can deselect the option and schedule a report.

      For example, if you schedule a report to run over the past 3 hours, the window covers the past 3 full hours, excluding the current partial hour. If the report runs at 6:30 P.M., it includes the events between 3 P.M. and 6 P.M. today.

  8. In the Chart Type section, do the following:

    1. Select the type of chart to be rendered and visualize your data. The options are listed below:

      • Tabular(Default)

      • Pie

      • Area

      • Bar

      • Bubble

      • Column

      • Line

      • Step line

      • Step Area

      • Spline Area

      • Spline

      Note:
      - Based on the chart type selection, Summarize and Meta Key options are enabled.
      - For the Tabular option, Summarize and Meta Key options will not be enabled.

    2. Summarize: Select one of these in-built aggregate meta options (Events, Sessions, or Packets) to obtain the desired summarized meta values.

      • Event Count: The total number of events that have occurred at a specific time.

      • Session Size: The total size of the events recorded by services at a certain time.

      • Packet Count: The total number of packets that have been transmitted or received.

    3. Meta Key: Select the meta value from the drop-down menu.

      Note: You can select only one meta value at a time.

    IMPORTANT: Ensure that the SMTP mail server is configured in order to send reports to users.

  9. (Optional) Click Email Output Action and enter the email address to which the generated report needs to be sent.

    You can enter multiple comma-separated valid email IDs. For example, email1@example.com,email2@example.com,email3@example.com.

  10. Click Create.

    The success message is displayed on the screen.

    Note: The time required for reports to be generated may vary based on the amount of data. Please wait for the requested report to be created.

  11. To view the report, do one of the following:

    • On the success message banner, click the hyperlink click here to navigate to the reports tab and open the generated report.

    • Go to Reports > Manage > Reports > View All Reports.

    Note:
    • You can download the report in a PDF or CSV file format for future and offline needs.
    • When the report is generated, it is attached as a PDF to the email and sent to all users configured during the report creation process.
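Worked example, added here and not NetWitness code, of how the Run/ON and Use relative time calculation settings in step 7 determine the data window a scheduled report covers, and of which months a Monthly schedule actually runs in. The aggregation_delay parameter is an assumption used to illustrate the aggregation-delay note; the 168-hour cap and the two time examples come from the page.

```python
from datetime import datetime, timedelta
import calendar

# Value taken from the page: the Hourly "Past" window is capped at 168 hours (24 x 7).
MAX_PAST_HOURS = 168


def report_window(run_time, past_hours, relative=True, aggregation_delay=timedelta(0)):
    """Return (start, end) of the data window a scheduled 'Past N hours' report covers.

    relative=True  : "Use relative time calculation" enabled; the window ends exactly
                     at run_time and reaches past_hours back from it.
    relative=False : option disabled; the current partial hour is excluded, so the
                     window ends at the last full-hour boundary before run_time.
    aggregation_delay (assumed parameter, not a NetWitness setting): the data
    source's known aggregation lag. The window end is moved earlier by that amount
    so the report does not ask for data the source has not finished aggregating.
    """
    if not 1 <= past_hours <= MAX_PAST_HOURS:
        raise ValueError(f"past_hours must be between 1 and {MAX_PAST_HOURS}")
    if relative:
        end = run_time
    else:
        end = run_time.replace(minute=0, second=0, microsecond=0)
    end = end - aggregation_delay
    start = end - timedelta(hours=past_hours)
    return start, end


def describe_window(run_time_iso, past_hours, relative=True, delay_minutes=0):
    """Convenience wrapper: ISO run time in, ('YYYY-MM-DD HH:MM', ...) window out."""
    start, end = report_window(
        datetime.fromisoformat(run_time_iso), past_hours, relative,
        timedelta(minutes=delay_minutes),
    )
    fmt = "%Y-%m-%d %H:%M"
    return start.strftime(fmt), end.strftime(fmt)


def months_with_day(day, year):
    """Month numbers of `year` in which a Monthly schedule set to `day` actually runs.

    The page notes that for a day greater than 28 the report is scheduled only for
    the months containing that day; this lists those months for a given year.
    """
    if not 1 <= day <= 31:
        raise ValueError("day must be between 1 and 31")
    return [m for m in range(1, 13) if calendar.monthrange(year, m)[1] >= day]


if __name__ == "__main__":
    # The page's two examples: a 3 P.M. run with a 1-hour relative window, and a
    # 6:30 P.M. run with a 3-hour window and relative calculation disabled.
    print(describe_window("2023-04-25T15:00", 1))
    print(describe_window("2023-04-25T18:30", 3, relative=False))
    print(months_with_day(31, 2023))
```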


Create a Chart

From NetWitness Platform 12.3.1 or later, Administrators and analysts can create charts based on the real-time data from the Investigate > Events page. This enhancement enables them to create various types of charts based on Event Count, Session Size, Packet Count, and Meta Key. It provides an all-in-one solution for tracking trends for analysts. Additionally, analysts can add these real-time charts to their Default dashboard, allowing them to track critical data seamlessly within the organization.

Prerequisites

By default, only administrators can create charts. The administrator must enable the appropriate permission for analysts to generate charts during the data source configuration. For more information, see Configure Data Source Permissions in the NetWitness Reporting Configuration Guide.

Note: If an error occurs while creating the chart, a server may be offline. In that case, check the respond-server.log, investigate-server.log, and sa.log for more information and resolve the issue.

IMPORTANT: Whenever an administrator shares a copy of the default dashboard with an analyst, the administrator must also provide the following permissions (rules and charts) for the analyst to view the real-time chart. For more information, see the topics Rules Permissions Dialog and Chart Permissions Dialog.

To Create a Chart from Events View

  1. Log in to the NetWitness Platform.

  2. Go to Investigate > Events.

  3. Click Search.

  4. Click the three-dot menu icon > Create Chart.

    The Create Chart dialog is displayed.


  5. The default chart name with a time stamp will be displayed initially. For example, Investigate Query - 2023-09-04 03-20-22.

    Note:
    • You can customize the chart name as per the requirement, and the name must be unique to create a chart.
    • The chart name must not have special characters such as / \ : * ? " < > |.

  6. Select one of these in-built aggregate meta options (Events, Sessions, or Packets) from the Summarize drop-down menu to obtain the desired summarized meta values.

    • Event Count: The total number of events that have occurred at a specific time.

    • Session Size: The total size of the events recorded by services at a certain time.

    • Packet Count: The total number of packets that have been transmitted or received.

  7. Select the meta value from the Meta Key drop-down menu.

    Note: You can select only one meta value at a time.

  8. Select the Series option for the chart to be displayed from the drop-down menu:

    • Total: The chart displays a total for each aggregate value for the selected time.

    • Value: The chart displays the change in values for the selected time.

    Note: The option will only be available if you select the Add to Default Dashboard checkbox.

IMPORTANT:
- In the reporting chart view, the rendered chart is displayed using the default settings for the chart. This means that the chart will use the default time range (3 hours), Series with default option (chart values over time), items to plot (5), and chart type (line).
- In the default dashboard view, the chart is displayed using the configured values. This means that the chart will use the default time range (Past 24 hours), Series, and Interval options that have been specified for the chart.

  9. Select the type of chart to be rendered and visualize your data from the Chart Type drop-down menu:

    Note:
    - The option will only be available if you select the Add to Default Dashboard checkbox.
    - By default, column type chart is selected.
    - Based on the Series options selected, charts will be displayed accordingly.
    - For Total option: only Pie and Column charts are enabled.
    - For Value option: Area, Column, Line, Step Line, Step Area, Spline Area, and Spline charts are enabled.

  10. Select the time range from the Interval drop-down menu:

    The available interval ranges from 10 minutes to 180 minutes, with a 10-minute gap between each interval.

    Note: By default, the number of records (Top) displayed on each chart is 15.

  11. (Optional) Select the Add to Default Dashboard checkbox to add a chart under the Dashboard > Default Dashboard view.

    Note: After creating the chart, you can perform additional settings in the default dashboard view.

  12. Click Create.

    The success message is displayed on the screen.

  13. To view the chart, do one of the following:

    • For reporting chart view: Click the hyperlink View Chart on the success message displayed. This will navigate to the Manage > Rules page. Click Charts > Investigate Chart folder and view the generated chart.

    • For default dashboard view: Click the hyperlink View Chart on the success message displayed to directly open the chart in the Dashboard > Default Dashboard page.