Note:
• If the administrator has not configured the time zone, the reports follow the UTC time zone by default.
• If the administrator configures the time zone under the User Preferences panel, the report follows the administrator’s configured time zone. For more information, see Setting User Preferences in the NetWitness Getting Started Guide.
• A generated output report can contain up to 100 results in tabular format.

IMPORTANT: Users need the following minimum permissions to create or schedule reports in the Respond view:
• Must enable Define rule, Access configure, and Define report in the report permission section.
• Must enable alert.manage, incident.manage, alert.read, incident.read in the respond-server permission section.


Create a Report.

Schedule a Report.

Create a Report

The Create Report dialog enables you to create a report instantly. To create a report, you must select the incidents or alerts via their checkboxes.

Note: The report will only include data from the selected records on the screen.

To create a Report:

  1. Log in to the NetWitness Platform XDR.

  2. Go to Respond > Incidents.

    IMPORTANT: You can create reports from the Incidents and Alerts pages separately as per your requirements. To generate reports from the Alerts page, go to Respond > Alerts.

  3. Apply the required filters on the incident or alert page, select the desired records, and create a report for selected Incidents or Alerts.

    Note:
    - Once the incidents or alerts are displayed, you can sort them in ascending or descending order, and the report will be generated for the selected records.
    - To generate the reports, users must select one or more incidents or alerts.

  4. Click More Actions > Create Report.

    The Create Report dialog is displayed.


  5. The default report name with a time stamp will be displayed initially. For example, Report on Incident - 2023-02-25 10-16-09.

    Note:
    • You can customize the report name as per the requirement, and the name must be unique to create a report.
    • The report name must not have special characters such as / \ : * ? " < > |.

IMPORTANT: Ensure that the SMTP mail server is configured in order to send reports to users.

  6. (Optional) Click Email Output Action and enter the email address to which the generated report needs to be sent.

    You can enter multiple comma-separated valid email IDs. For example, email1@example.com,email2@example.com,email3@example.com.

  7. Click Create.

    The success message is displayed on the screen.

Note: The time required for reports to be generated may vary based on the amount of data. Please wait for the requested report to be created.

  8. To view the report, do one of the following:

    • On the success message banner, click the hyperlink click here to directly open the report in the reports tab.

    • Go to Reports > Manage > Reports > View All Reports.

Note:
• You can download the report in a PDF or CSV file format for future and offline needs.
• When the report is generated, it is attached as a PDF to the email and sent to all users configured during the report creation process.

Schedule a Report

The Schedule Report dialog enables you to create a schedule for the report. Reports can be scheduled to run later (at a required time), hourly, daily, weekly, or monthly. To schedule a report at a specific time or on a daily, weekly, or monthly basis, you must configure the scheduling options on the Schedule tab.

Note: The report will only include data from the selected time interval. You can change the interval starting with the next recurrence.

To create a Schedule Report:

  1. Log in to the NetWitness Platform XDR.

  2. Go to Respond > Incidents.

    IMPORTANT: You can create reports from the Incidents and Alerts pages separately as per your requirements. To generate reports from the Alerts page, go to Respond > Alerts.

  3. Apply the required filters on the incident or alert page, select the desired records, and create a report for selected Incidents or Alerts.

    All filters applied on the filters panel will be included in the reporting rule to create your report.

    Note: Once the events are displayed, you can sort the events by ascending or descending order, and the report will be generated based on the limit configured.

  4. Click More Actions > Schedule Report.

    The Schedule Report dialog is displayed.


  5. The default report name with a time stamp will be displayed initially. For example, Report on Incident - 2023-04-25 10-18-26.

  6. Field Description
    Run

    Time interval to use for running the scheduled job:

    • Now: If you select Now, the system instantly generates reports with the filters applied from the filters panel.

    • Later: If you select a Later run schedule, you must provide a value for the day and time in the respective field provided.

    • Hourly: If you select an Hourly run schedule, you must specify the minutes in the At Minute field. For example, if you schedule the report for 50 minutes, the report will be prepared at every 50th minute.

      Note: A maximum of only 59 minutes can be selected.

    • Daily: If you select a Daily run schedule, you must enter a value in the At field. For example, if you schedule the report at 04:25, the report will be prepared at 04:25 AM every day.

    • Weekly: If you select a Weekly run schedule, you must enter a value in the At field and select the weekdays.

      Note: The report runs on the day of the week that the schedule begins. For example, if you schedule the report to first run on Monday, the report runs on Monday every week.

    • Monthly: If you select a Monthly run schedule, you must provide a value for the day and At field. For example, select 25 for the 25th day of the month. The report will be prepared on the 25th day of every month.

    Note: During the monthly report generation process, a message will appear if the day is greater than 28. This will notify the user that the report will be scheduled for the month containing that day.

    ON
    • Past: If you select the Past option, you can schedule the report based on Hours, Days, Weeks, Months, and Years. For example, if you want to schedule the report to start three days before the current date, do the following actions:

      • Select Past in the ON field.

      • Enter 3 in the field and select Days from the drop-down list.

        This field appears only if you select Later in the Run field.

        Note:
        • This field appears if you select Later, Hourly, Daily, Weekly, and Monthly in the Run field.
        • For Hourly, the maximum value allowed is 168 (24 hours x 7 days) which is counted as total hours.

     

    • Range(specific): If you select the Range(specific) option, you must provide the From and To values.

      For example, you can schedule the report for a specific date and time range, from 02/01/2023 12:00:00 AM to 02/15/2023 12:00:00 AM. The report runs on the data for the specified period.

      Note: This field appears only if you select Later in the Run field.

     

    • Range(generic): If you select the Range(generic) option, you must provide the From and To values.

      For example, you can schedule the report daily for a time range, from 04:00 to 10:00. The report runs on the data for the specified period.

      Note: This field appears only if you select Later, Daily, Weekly, and Monthly in the Run field.

       

    Note: While scheduling a report, if you select the Past option or Range(specific)/Range(generic) option or an end time range very close to the current time, you must ensure that the aggregate data in the data source is returned. If there is an aggregation delay in the data source, the end time you choose must account for the delay, otherwise reports lose non-aggregate data for that time range.

    Use relative time calculation
    • By default, the Use relative time calculation option is enabled, and it uses the relative time duration to schedule a report.

      For example, if you schedule a report to run over the past 3 hours for the relative time, the time is exactly 3 hours from when the report is run. If the current time is 6:30 P.M., the report covers the events that occurred in the past 60 minutes or between 3:30 P.M. and 6:30 P.M. today.

     

    • You can deselect the option and schedule a report.

      For example, if you schedule a report to run over the past 3 hours, it will take the past 3 hours, excluding the minutes. If the current time is 6:30 P.M., the report covers the events that occurred between 3 P.M. and 6 P.M. today.

      Specify the following parameters to configure the Schedule.

      Depending on the type of run schedule, select one of the following:

    IMPORTANT: Ensure that the SMTP mail server is configured in order to send reports to users.

  7. (Optional) Click Email Output Action and enter the email address to which the generated report needs to be sent.

    You can enter multiple comma-separated valid email IDs. For example, email1@example.com,email2@example.com,email3@example.com.

  8. Click Create.

    The success message is displayed on the screen.

    Note: The time required for reports to be generated may vary based on the amount of data. Please wait for the requested report to be created.

  9. To view the report, do one of the following:

    • On the success message banner, click the hyperlink click here to navigate to the reports tab and open the generated report.

    • Go to Reports > Manage > Reports > View All Reports.

    Note:
    • You can download the report in a PDF or CSV file format for future and offline needs.
    • When the report is generated, it is attached as a PDF to the email and sent to all users configured during the report creation process.
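
The following added example (not NetWitness code) works through the Use relative time calculation option and the aggregation-delay note for a Past N hours schedule, using the 6:30 P.M. case from the text. The function names, the run date, and the 10-minute aggregation delay are assumptions for illustration, as is applying the 168-hour maximum to the Past value.

```python
from datetime import datetime, timedelta

# Page: maximum value of 168 (24 hours x 7 days), counted as total hours.
# Applying it to the Past hours value is an assumption of this example.
MAX_PAST_HOURS = 168


def past_hours_window(run_time, hours, relative=True):
    """Return (start, end) of the data window for a 'Past N hours' report."""
    if not 0 < hours <= MAX_PAST_HOURS:
        raise ValueError(f"hours must be between 1 and {MAX_PAST_HOURS}")
    # Relative: exactly N hours back from the moment the report runs.
    # Not relative: the minutes are excluded, so the window ends on the hour.
    if relative:
        end = run_time
    else:
        end = run_time.replace(minute=0, second=0, microsecond=0)
    return end - timedelta(hours=hours), end


def unaggregated_tail(run_time, window_end, aggregation_delay):
    """Return how much of the end of the window may not be aggregated yet.

    aggregation_delay is an assumed, site-specific value: how far the data
    source lags behind real time. A zero result means the window end is
    old enough that the aggregated data should already be available.
    """
    safe_until = run_time - aggregation_delay
    return max(window_end - safe_until, timedelta(0))


if __name__ == "__main__":
    run = datetime(2023, 2, 25, 18, 30)   # constructed run time, 6:30 P.M.
    delay = timedelta(minutes=10)         # assumed aggregation delay
    for relative in (True, False):
        start, end = past_hours_window(run, 3, relative)
        tail = unaggregated_tail(run, end, delay)
        print(f"relative={relative}: {start:%H:%M} to {end:%H:%M}, "
              f"tail at risk: {tail}")
```

With relative time enabled, the window ends at the run time itself, so any aggregation delay falls inside the report period; with the option deselected, the window ends on the hour and is affected only when the report runs within the delay after the hour.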