Manage Lists, Rules or Reports

You can set access control, delete, edit, import, or export a list, rule or report.

Manage a List

You can perform the following procedures to manage a list.

• Access Control for a List and List Group
• Edit a List
• Delete a List or List Group
• Duplicate a List
• Export a List or List Group
• Import a List or List Group
• Filter Unused Lists

Access Control for a List and List GroupAccess Control for a List and List Group

You can set up the access permissions for the user roles to manage lists or list groups. The Reporting provides access control at the list and list group level. Only a user who has the right set of permissions can perform the tasks in the Reporting. The access control is managed by the administrator from the (Admin) > Security > Roles tab.

As an administrator, you must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

Lists or list groups can be assigned to a specific set of user roles. When users log into NetWitness, they can access only those lists to which they belong. Users who belong to a user role with the Read & Write access permission have full access rights on the lists. Further, the access can be strengthened so that lists are accessed only by those who have the Read Only access.

Note: You must have Read Only permission for a list group to view the lists within that group.

For example, if you want Security Analysts to have access to all the lists in a list group, you can set the permission Read & Write at the list group level. And, if you do not want the Operator role to have access to a specific set of lists in a list group, you can set the permission No Access at the list group level.

At the list or list group level, you can set the following access permissions for the user roles in NetWitness. For more information, see List View:

• Read & Write
• Read Only
• No Access

The following table lists the columns in the Lists Permissions panel:

Column	Description
Roles	Describes roles of the users logged into the NetWitness user interface.
Read & Write	Allows users to access, view, edit, delete, import, and export lists on the Lists view. Users can also change the permission on the rule.
Read Only	Allows users to only access and view the list on the lists view.
No Access	Doesn't allow users to access or view the lists.

Access Control for a List

To change the list permissions, you must select a list and set access permissions using the List Permissions panel.

If you want to change the access permission for a specific user role, you must set it at the list level. Except for administrators (with full access in Reporting Engine service Config page) and reporting engine content administrators, the default permission set for all the user roles is No Access before applying job permissions.

Access Control Multiple Lists

You can select multiple lists at once and set access permissions using the Lists Permissions Panel. The access permission that you choose is applied to all the selected lists.

Note: The "*" beside the role name indicates that other permissions are available for the user role. If you want to change the access permission for the required user role, select the user role and change the access permission.

Note: If a user (other than ADMIN) creates a list, ADMIN cannot access that list.

Access Control for a List Group

To change the list group permissions, you must select a list group and set access permissions using the Lists Permissions panel.

If you want to change the access permission for a specific user role, you must set it at the list group level. The default permission set for all the other user roles is No Access before applying job permissions.

You can also apply permissions to existing subgroups and lists in the group by selecting the appropriate checkbox.

You can also apply permissions to all the new subgroups and lists in the group by selecting the appropriate checkbox.

The following scenarios describe defining permissions for list groups or subgroups and lists in the groups:

• Scenario 1: Permissions applied to list group or subgroup based on the user role.

  Each of the levels will have a permission set depending on the user role. For example, if a list group is assigned the role of Security Analyst, permissions are set to Read & Write for the list group.

• Scenario 2: Permissions applied to subgroups and lists in the group.

  The access permissions that you set can be applied to subgroups and child objects of this group. Permission at the list group level will be inherited by the subgroups and lists in the group.

Role (Analysts)	Permissions applied to list group or subgroup based on the user role	Permissions applied to subgroup and lists in the group
Group	Read & Write	Read & Write
Subgroup	Read	Read & Write - Inherited
Lists	Read	Read & Write - Inherited

Access permission for a list or list group

Ensure that you have at least Read & Write access permission so that you can set access permissions for lists or list groups.

To set access permission for a list, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.
   The List view is displayed.

   

3. In the Lists panel, select a list.

4. Click > Permissions in the List toolbar.
   The List Permissions dialog is displayed.

   

5. Select the appropriate access permission for each of the user roles and click Save.

   A confirmation message that the permission is successfully set for the selected list is displayed.

To set access control for a list group, perform the following:

Note: Starting from NetWitness Platform version 12.5, the Permissions option is enabled by default when you choose All Groups in the Lists tab. This reduces the need for administrators to make individual user changes, saving time and resources.

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists Groups panel, select a list group.

4. Click > Permissions.

   The List Permissions dialog is displayed.

   

5. (Optional) Select the appropriate checkbox to apply these permissions to existing subgroups and lists in this group.
6. (Optional) select the appropriate checkbox to apply these permissions to all the new subgroups and lists in this group.

7. Click Save.

   A confirmation message that the permission is successfully set for the selected list group is displayed.

Edit a ListEdit a List

To edit a list, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists panel, select a list that you want to edit and do one of the following.
   • Click in the Lists toolbar.

   • In the Lists panel, click > Edit.

     Note: You can only edit one list at a time.

4. Modify the required fields and add new values to the list.

5. Click Save.

   A confirmation message that the list is saved successfully is displayed.

Delete a List or List GroupDelete a List or List Group

To delete a list, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists panel, do one of the following:

   • Select a list or multiple lists that you want to delete and click in the Lists toolbar.

   • In the Actions column, click > Delete.

     Note: Before you delete a list, make sure that the list is not associated with any rule.

4. Click Yes to delete the list.

   A confirmation message that the list is deleted is displayed and the selected list is deleted from the List View panel.

To delete a list group, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists Groups panel, select the group and click .

   A confirmation dialog is displayed.

   

   Caution: If you delete a group, all subgroups and lists in that group are deleted.

4. Click Yes to delete the selected group.

Note: If you try to delete a list group that has lists referenced in a rule or an alert, a warning message that Lists are referenced in a rule is displayed.

Duplicate a ListDuplicate a List

To duplicate a list, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists panel, select a list that you want to duplicate.

   Note: You can only duplicate one list at a time.

4. In the Lists toolbar, click .

Export a List or List GroupExport a List or List Group

To export a list, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists panel, do one of the following:

   • Select a list and click > Export in the List toolbar.
   • In Actions column, click > Export

   You can export multiple lists at a time. To select multiple lists, select the checkbox of the lists to be exported. A browser-specific export dialog may be displayed allowing you to open or save the file.

To export a list group, perform the following:

You can export selected list groups to an external file that can be later imported to NetWitness. If nothing is selected in the List Library panel, the entire list tree is exported. When you export, the result is a single export file in binary format.

Note: Starting from NetWitness Platform version 12.5, the Export and Export as Text options are enabled by default when you choose All Groups in the Lists tab. This eliminates the need to enable these options for each list within the group manually.

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists Groups panel, select the list group containing the lists which you want to export.

4. Click > Export.

   You can export multiple list groups at a time. To select multiple list groups, press and hold the CTRL button and select the list groups to be exported. The exported file is saved to the local drive.

Import a List or List GroupImport a List or List Group

To import a list, perform the following:

You can import lists from instances of NetWitness into the list tree in the List View panel. Lists must be in a valid binary file exported from a NetWitness instance.

1. Go to Reports.

   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists toolbar, click > Import.

   The Import List dialog is displayed.

   Note: You can import multiple lists at a time. To select multiple lists, press and hold the CTRL button and select the lists to be imported.

4. Click Browse and select archived file containing the lists.

   

5. Click Import.

Note: During the import process, if a duplicate list exists and you do not select the overwrite option, the list is imported and no message about duplicate lists is displayed.

To import a list group, perform the following:

You can import list groups from instances of NetWitness into the list tree in the List Groups panel. Lists must be in a valid binary file exported from a NetWitness instance.

1. Go to Reports.
   The Manage tab is displayed.

2. Click Lists.

   The List view is displayed.

   

3. In the Lists Groups panel, click > Import.

   The Import List dialog box is displayed.

4. Click Browse and select archived file containing the list groups.

   

   You can import multiple list groups at a time. To select multiple list groups, press and hold the CTRL button and select the list groups to be imported.

5. Click Import.

Note: During the import process, if a duplicate list group exists and you do not select the overwrite option, the list group is imported and no message about duplicate list group is displayed.

Filter Unused Lists Filter Unused Lists

You can filter and delete the lists that are not used by any rule. To filter unused lists:

1. Go to Reports.
   The Manage tab is displayed.
2. In the Lists panel, click and select Unused Lists.
   List of unused lists will get displayed.
3. [Optional] Delete the unused lists.
   For more information, see Delete a List or List Group.

Manage a Rule

You can perform the following procedures to manage a rule.

• Access Control for a Rule and Rule Group
• Delete a Rule or Rule Group
• Duplicate a Rule
• Edit a Rule
• View Dependents of a Rule
• Export a Rule or Rule Group
• Filter Unused Rules

Access Control for a Rule and Rule GroupAccess Control for a Rule and Rule Group

To set access permissions the user will have depending on the user role to manage a rule or rule group. The Reporting provides access control at the rule and rule group level. Only a user who has the right set of permissions can perform the tasks in the Reporting. The access control is managed by the administrator from the (Admin) > Security > Roles tab.

When creating users and user roles, the administrator must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

Rules or Rule Groups can be tied to a specific set of user roles so that when a user logs into NetWitness, the only rules they can access are rules accessible to the group to which the user belongs. Users that belong to a user role with the ‘Read & Write’ access permission have full access rights on the rule. Further, the access can be tightened so that rules are accessed only by those who have the ‘Read Only’ access.

Note: You must at least have ‘Read Only’ permission on a group to view the rules within that group.

At the rule level, you can set the following access permissions for the user roles:

• Read & Write
• Read Only
• No Access

Suppose, you want the Security Analysts to have access to all the rules in a Rule Group, you can set the permission 'Read & Write' at the Rule Group level. And, if you do not want the Operator role to have access to a specific set of rules in a rule group, you can set the permission 'No Access' at the Rule Group level. The permission is set only for the rule group but not the rules or subgroups in the Rule Group.

Access Control for a Rule Group

When you want to change the rule group permissions, you must select a rule group and set access permissions using the Rule Permissions panel.

Before applying rule group permissions, the default permission set for all the user roles is 'No Access' permission, and the checkboxes are deselected.

If you want to change the access permission for a specific user role, you must set these at the rule group level, as shown in the figure. Suppose, you want the Administrators to have access to all the rules in a Rule Group, you can set the permission 'Read & Write' in the Rule Group Permissions panel.

You can also apply permissions to existing subgroups and Rules in the group by selecting the appropriate checkbox.

You can also apply permissions to all the new subgroups and Rules in the group by selecting the appropriate checkbox.

You can also apply permissions to subgroups and rules in the group by selecting the checkbox.

The two scenarios are explained in brief:

• Scenario 1: Permissions applied to Rule Group/ Sub Group/ Rules based on the user role.
• Scenario 2: Permissions applied to Sub Group and Rules in the Group.

Role (Analysts)	Permissions applied to Rule Group/ Sub Group/ Rules based on the user role	Permissions applied to Sub group and Rules in the Group
Group	Read & Write	Read & Write
Sub Group	Read	Read & Write - Inherited
Rules	Read	Read & Write - Inherited

The access permissions that you set can be applied to subgroups and child objects of this group.

The Rule Group will be assigned the role of a Security Analyst and permissions are set to Read & Write rule group.

For scenario 1, each of the levels will have a permission set depending on the user role. For scenario 2, the permission at the Rule Group level will be inherited by the Sub Group and Rules in the Group.

Access Control for a Rule

When you want to change the rule permissions, you must select a rule and set their access permissions using the Rule Permissions panel.

Before applying the Rule permissions, the default permission set for all the user roles is 'No Access' permission and the checkbox is deselected.

If you want to change the access permission for a specific user role, you must set these at the rule level, as shown in the figure. Suppose, you want the Administrators to have access to a specific rule, you can set the permission 'Read & Write' in the Rule Permissions panel.

Access Control for a Rule When Multiple Rules are Selected

When you want to change permissions of multiple rules, you can select multiple rules at a time and set their access permissions using the Rules Permissions Panel. The access permission that you choose will be applied to all the selected rules.

Note: The '*' besides the role name indicates the other permissions available on the user role. If you want to change the access permission for the required user role, select the user role and change the access permission.

Log in as a specific user and view the access details

When you log in to the NetWitness UI as a user having 'Read access' permission, all the rules will be denoted with the symbol () and when you click on the symbol the 'Read Only' callout is displayed on the Rules panel.

When you log in to the NetWitness

UI as a user not having 'Read & Write' access permission on a Rule, all the rules will be denoted with the symbol () and the rules appear grayed out on the Rules List panel.

​​The following figure shows the Rules panel when logged in with minimal 'Read & Write' access permission.

Note: If a user (other than administrator) creates a rule, ADMIN cannot access that rule.

 

Tabular Listing

The following table lists the columns in the Rules Permissions panel:

Column	Description
Roles	The role of the user logged into the NetWitness user interface.
Read & Write	The user can access, view, edit, delete, import, and export rules on the Rules view. The user can also change the permission on the rule.
Read Only	The user can only access and view the rule on the Rules view
No Access	The user cannot access or view the rule for which this permission is set.

Set Access Control for a Rule

You can set access control for a rule. The Reporting Engine provides access control at the rule level. Only a user who has the right set of permissions can perform tasks on the rule. The administrator when creating users and roles must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

At the rule level, you can set the following access permissions for the user roles in NetWitness:

• Read & Write – View or edit the rules in the rule group.
• Read Only – View the rules in the rule group.
• No Access – Cannot view or edit the rules in the rule group.

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a rule.

To set access control for a rule, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. In the Rules panel, select the rule.

3. Click > Permissions in the Rule toolbar.

   The Rules Permissions dialog is displayed.

   

4. Select the following appropriate access permission for the user role and click Save.

   • Read & Write
   • Read Only
   • No Access

Set Access Control for a Rule Group

You can set access control at the rule group level. Only a user who has the right set of permissions can perform the tasks on the rule. The administrator when creating users and roles must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

At the rule group level, you can set the following access permissions for the user roles in NetWitness:

• Read & Write – View or edit the rules in the rule group.
• Read Only – View the rules in the rule group.
• No Access – Cannot view or edit the rule in the rule groups.

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a rule group.

To set access control for a rule group, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. In the Rules Groups panel, select the rule group and Click and select Permissions.

   The Rules Permissions dialog is displayed.
   

3. (Optional) Select the appropriate checkbox to apply these permissions to existing subgroups and Rules in this group.
4. (Optional) Select the appropriate checkbox to apply these permissions to all the new subgroups and Rules created in this group.

5. Click Save.

   A confirmation message that permission is successfully set for the selected rule group is displayed.

Delete a Rule or Rule GroupDelete a Rule or Rule Group

To delete a rule, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. In the Rules panel, do one of the following.

   • Select a rule and click in the Rule toolbar.

   • Click > Delete.

     A confirmation dialog is displayed.

     

     Note: If a rule is being used in a report, a warning that the rule is in use and cannot be deleted is displayed.

3. Click Yes to delete the rule.

   A confirmation message that the rule is deleted successfully is displayed and the selected rule is deleted from the Rules panel.

To delete a rule group, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. In the Rules Groups panel, select the rule group that you want to delete.

3. Click .

   A confirmation dialog is displayed.

   

   Note: If any one of the rules in the group is being used in reports, a warning that the rule is in use and cannot be deleted is displayed.

4. Click Yes to delete the group.

   A confirmation message that the group is deleted successfully is displayed and the selected group is deleted from the Rule Groups panel.

Duplicate a RuleDuplicate a Rule

To duplicate a rule, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. In the Rules panel, select a rule that you want to duplicate.
3. In the Rule toolbar, click .

Edit a RuleEdit a Rule

To edit a rule, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. In the Rules panel, do one of the following:

   • Select a rule and click in the Rule toolbar.

   • Click > Edit.

     The Build Rule view tab is displayed.

     

     Note: If a rule is edited, the updated rule definition is applied to the Reports, Charts, and Alerts where the rule is included.

3. Modify the required fields.

4. ​Click Save.

   A confirmation message that the rule is saved successfully is displayed.

When you edit a rule, ensure to re-select the Rule for which you want the Chart to be generated, so that the edited rule is applied. If you do not re-select the Rule and attempt to save or test the rule, the rule is saved and a warning message is displayed.

Filter Unused RulesFilter Unused Rules

You can filter and delete the rules that are not used by any group in charts, alerts, and reports. To filter unused rules:

1. Go to Reports.
   The Manage tab is displayed.
2. In the Rules panel, click and select Unused Rules.
   List of unused rules is displayed.
3. [Optional] Delete the unused rules.
   For more information, see Delete a Rule or Rule Group.

Manage a Report

You can perform the following procedures to manage a report.

• Access Control for a Report or Report Group
• Delete a Report or Report Group
• Duplicate a Report
• Edit a Report
• Refresh a Report Group or Report List
• Edit a Scheduled Report
• Delete a Scheduled Report
• Export a Report
• Export a Report Group
• Import a Report or Report Group
• Enable or Disable a Scheduled Report
• Start or Stop a Scheduled Report
• View an Execution History of a Scheduled Report
• Manage and Select a Report Logo
• Search Reporting Details

Access Control for a Report or Report GroupAccess Control for a Report or Report Group

This section covers the access permissions the user has depending on the user role to manage a report and report group. The Reporting provides access control at the report and report group level. The user who has the right set of permissions can only perform the tasks in reporting module. The access control is managed by the administrator from the (Admin) > Security > Roles tab.

When creating users and user roles, the administrator must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.

Reports and Report Groups can be tied to a specific set of user roles so that when a user logs into NetWitness, the reports with the access rights for the specific user role can be viewed. Users that belong to a user role with the ‘Read & Write’ access permission can define reports. Further, the access can be tightened so that reports are accessed only by those who have the ‘Read Only’ access.

Note: You must have ‘Read Only’ permission for a group to view the reports within that group.

At the report level, you can set the following access permissions for the user roles in NetWitness:

• Read & Write
• Read Only
• No Access

Suppose, you want the NetWitness to have access to all the reports in a Report Group, you can set the permission 'Read & Write' at the Report Group level. And, if you do not want the Operator role to have access to a specific set of reports in a report group, you can set the permission 'No Access' at the Report Group level.

The permission is set only for the report group but not the reports, rules, or subgroups in the Report Group.

Access Control for a Report Group

When you want to change the report group permissions, you must select a report group and set access permissions using the Reports Permissions panel.

Before applying report group permissions, the default permission set for all the user roles is 'No Access' except for administrators (with full access in Reporting Engine service Config page) and reporting engine content administrators, as shown in the figure.

If you want to change the access permission for a specific user role, you must set these at the report group level, as shown in the figure. <suppose,>Administrators to have access to all the reports in a Report Group, you can set the permission 'Read & Write' in the Report Group Permissions panel.

You can also apply permissions to existing subgroups and reports in the group, as well as apply read-only permission to rules in the reports by selecting the appropriate checkboxes, as shown in the figure.

You can also apply permissions to all the new subgroups and reports by selecting the appropriate checkbox.

The three scenarios are explained in brief:

• Scenario 1: Permissions applied to Report Group/ Sub Group/ Report based on the user role.
• Scenario 2: Permissions applied to Sub Group and Report in the Group.
• Scenario 3: Read-only permission applied to Rules in the Report.

	Role (Analyst)	Permissions applied to Report Group/ Sub Group/ Report based on the user role	Permissions applied to Sub group and Report in the Group	Permission (Read-only) applied to Rules in the Report
Group	Read & Write	Read & Write	Read & Write	Read & Write
Sub Group	Read	Read	Read & Write - Inherited	Read & Write
Report	Read	Read	Read & Write - Inherited	Read & Write
Rules	Read	Read​	Read	Read

The Report Group will be assigned the role of a Security Analyst and permissions are set to Read & Write report group.

For scenario 1, each of the levels has a permission set depending on the user role. For scenario 2, the permission at the Report Group level (Read & Write) is inherited by the Sub Group and Reports in the Group. For scenario 3, the Read permission is set for the Rules except that the permission set for the rules cannot be higher than the permissions set for the Report Group.

Access Control for a Report

When you want to change the report permissions, you must select a report and set their access permissions using the Report Permissions panel.

Before applying the Report permissions, the default permission set for all the user roles is 'No Access' permission and the checkbox is unchecked, as shown in the figure.

If you want to change the access permission for a specific user role, you must set these at the report level, as shown in the figure. Suppose, you want the Administrators to have access to a specific report, you can set the permission 'Read & Write' in the Report Permissions panel.

You can apply read-only permission to rules in the reports by selecting the checkbox, as shown in the figure.

The two scenarios are explained in brief:

• Scenario 1: Permissions applied to Report Group/ Sub Group/ Report/ Rules.
• Scenario 2: Read-only permission applied to Rules in the Report.

	Role (Analysts)	Permissions applied to Report Group/ Sub Group/ Report/ Rules based on the user role	Permission (Read-only) applied to Rules in the Report
Group	Read & Write	Read & Write	Read & Write
Sub Group	Read	Read	Read & Write
Report	Read	Read	Read & Write
Rules	Read	Read​	Read

The Report will be assigned the role of a Security Analyst and permissions are set to Read & Write reports.

For scenario 1, each of the levels has a permission set based on the user role. For scenario 2, the Read permission is set for the Rules except that the permission for the rules cannot be higher than the permission for the Reports.

Note: If the permission for the rules is higher than the permission for the Reports then the permission is be applied only to the reports. For example, if you set the permissions for the Report Group as No Access and then specify the option Apply Read-only permission to Rules in the Reports, then the read-only permission is not set for the rules.

Access Control for a Report When Multiple Reports are Selected

​When you want to change permissions of multiple reports, you must select several reports and set their access permissions using the Report Permissions panel. The access permission that you choose is applied to all the selected reports.

Access Control for a Report When Multiple Reports with several rules are Selected

​When you want to change permissions when multiple reports with several rules are selected, you must select the checkbox in the Report Permissions panel, as shown in the figure. The read-only access permission is applied to all the rules of the selected reports, provided that the permission of the rules are lower than the permission of the reports.

Log in as a Specific User and View the Access Details

When you log in to the NetWitness UI as a user having 'Read access' permission, all the reports is denoted with the symbol () and when you click on the symbol the 'Read Only' callout is displayed on the Reports panel.

When you log in to the NetWitness UI as a user not having 'Read & Write' access permission on a Report, all the reports are denoted with the symbol () and the reports appear grayed out on the Reports panel.

​​The following figure shows the Reports panel when logged in with minimal 'Read & Write' access permission.

Note: If a User (other than the super user) creates a report there will be no access to that report for the super user.

Tabular Listing

The following table lists the various columns in the Reports Permissions Panel:

Column	Description
Roles	The role of the user logged into the NetWitness UI.
Read & Write	The user can access, view, edit, import, export, and delete the report on the Reports view. The user can also change the permission on the report.
Read Only	The user can only access and view the report on the Reports view.
No Access	The user cannot access or view the report for which this permission is set.
Apply these permissions to existing subgroups and Reports in this group	Select the checkbox to apply the selected permissions to the existing subgroups in the group and reports in the group. Note: This checkbox is populated only when you set access permissions for a Report Group.
Apply these permissions to all new subgroups and Reports in this group	Select the checkbox to apply the selected permissions to the all new subgroups in the group and reports in the group. Note: This checkbox is populated only when you set access permissions for a Report Group.
Apply Read-only permission to Rules in the Reports	Select the checkbox to automatically apply permissions to the rules in the reports.

Set Access Control for a Report

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a report.

To set access permissions for a report, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports panel, select a report.

4. Click > Permissions.

   The Reports Permissions dialog is displayed.

   

5. Based on the user role, select the appropriate buttons.

6. (Optional) Select the checkbox, if you want to provide read access permission to rules in the reports​.

   Note: ​​On selecting the check box, all dependent rules are given READ access permission, provided the permissions for the report is higher compared to the permissions of the rules.

7. Click Save.

   A confirmation message that the permission is set for the selected report is displayed.

Set Access Control for a Report Group

Prerequisites

Make sure that you have a minimal 'Read & Write' access permission to set access permissions for a report group.

To set access permissions for a Report Group, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports Groups panel, select or right-click on a report group.

4. Click > Permissions.

   The Reports Permissions dialog box is displayed.

   

4. Based on the user role, select the appropriate buttons.
5. (Optional) Select the appropriate checkbox to apply the selected permissions to subgroups and reports in the group.
6. (Optional) Select the appropriate checkbox to apply the selected permissions to all the new subgroups and reports in this group.

7. (Optional) Select the appropriate checkbox to provide read access permission to rules in the reports.

   Note: ​​On selecting the check box, all dependent rules is given READ access permission, provided the permissions for the report is higher compared to the permissions of the rules.

8. Click Save.

   A confirmation message that the permission is successfully set for the selected report group is displayed.

Delete a Report or Report GroupDelete a Report or Report Group

To delete reports in a group or subgroup from the Reports panel:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports panel, do one of the following:

   • Select the reports and click .

   • Click > Delete.

     A confirmation dialog is displayed.

     

4. Click Yes to delete the report.

   A confirmation message that the report is deleted successfully is displayed and the selected report is deleted from the Reports panel.

Delete a Report Group

Prerequisites

Make sure that you have no reports associated with the report group.

To delete report groups in the default folder or subgroups under a report group, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports Groups panel, select the report group and click .

   A confirmation dialog is displayed.

   

4. Click Yes to delete the group.

   A confirmation message that the group is deleted successfully is displayed and the selected group is deleted from the Report Groups panel.

Duplicate a ReportDuplicate a Report

You can duplicate a report to schedule multiple report for the same report. The duplicated report is displayed in the Reports panel with suffixes. For example, Report (1).

Generally, the duplicate option is used in two scenarios:

• You want to make a copy of the report, to move the same report to another group.
• You want to retain most of the configuration settings for an object but modify few of these settings.
  For example, when you have a complex query in a rule or several rules in a report, it is very much appropriate to use the duplicate option.

To duplicate an existing report, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   ​The Report view is displayed.

3. In the Reports panel, select a report that you want to duplicate and click .

   The report is saved successfully and added to the Report list.

You can move the duplicated report to another group.

Edit a ReportEdit a Report

To edit reports in a group or subgroup from the Reports panel, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. Select a report and in Actions column, click > Edit.
   The Build Report view tab is displayed.

   

4. Modify the text and add more rules to the report (if required).

5. Click Save.

   A confirmation message that the report is saved successfully is displayed.

Refresh a Report Group or Report ListRefresh a Report Group or Report List

You can refresh a report group or reports to view the re-arrangement of groups or reports.

To refresh a report group or reports, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. Do the following to move the group or reports to a new location:

   • In the Reports Groups panel, drag and drop the group.
   • In the Reports panel, drag and drop the reports to the desired group in the Report Groups panel.
     The report group or reports are moved to the new location.

4. Do the following to refresh a group or report list:

   • In the Reports Groups panel, click .

     The report group gets refreshed.

   • In the Reports panel, click .

     The Report list gets refreshed.

Edit a Scheduled ReportEdit a Scheduled Report

To edit a scheduled report from the Scheduled Reports List panel, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports panel, select a report and in Actions column, click > View Scheduled Reports.

   The Report Schedule tab is displayed.

4. In the Report Schedule panel, do one of the following:

   • Select a report and click .

   • Select a report and click > Edit Schedule.
     The Schedule Report tab is displayed.

     
     

5. In the Schedule Report tab, do the following:

   1. In the Schedule Name field, modify the name for the schedule report configuration.
   2. To execute the reports as per the schedule, select the Enable checkbox.

   3. From the Data Source field, select the datasource.

      Note: If the data source is not listed, ensure you have Read permissions set for the data source. This is applicable for NWDB and Warehouse data source. For more information, see "Configure Data Source Permissions" topic in the Reporting Engine Configuration Guide.

6. (Optional) From the Warehouse Resource Pool drop-down, select the pool or queue for the report.

   Note: The Warehouse Resource Pool drop- down is displayed only if the Warehouse Rule is selected. If no pools or queues are entered for the Reporting Engine, this field is disabled.

7. From the Run field, select the type of run schedule. (For example, Now or Hourly).
8. Select the date range to run the query based on absolute duration or select the Use relative time duration checkbox to run the query based on relative duration.

9. (Optional) In the Output Actions panel, do the following:

   1. Type the email address and subject.
   2. Edit the body of the message for the report.
   3. Select the format of the attachment.
   4. Type a value for the CSV and Multivalue delimiters.

10. (Optional) In the Other Options field, do the following:

    1. Click > SFTP or URL or Network Share. Based on the selected option, a row gets added in the Other options field.
    2. Select the appropriate options to send the report in PDF or CSV format to the configured SFTP, URL or Network Share.
11. (Optional) To add a list in the Dynamic List panel, see Generate a List from the Scheduled Report section in Create and Schedule a Report.

12. (Optional) To choose another logo in the Logo panel, see Manage and Select a Report Logo section.

    Note: If you do not specify a logo, the default logo is used.

13. Click Schedule.

    The scheduled report executes as scheduled and provides the configured outputs.

Delete a Scheduled ReportDelete a Scheduled Report

To delete a scheduled report from the Scheduled Reports List panel, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports toolbar, click View All Schedules.

   View Report Schedule is displayed.

4. In the Report Schedule panel, select the report.

5. Click >Delete Schedule.

   A confirmation dialog is displayed.

   

6. Click Yes to delete the scheduled report.

   A confirmation message that the scheduled report is deleted successfully is displayed and the selected schedule is deleted from the Scheduled Reports List panel.

Export a ReportExport a Report

You can export the selected reports to an external file that can be later imported to another NetWitness environment.

Prerequisites

Make sure that you have reports in the report group.

To export selected reports in the Report Groups panel to an external file, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports panel, do one of the following:

   • Select a report and click > Export.
   • Click > Export.
   You can export multiple reports at a time. To select multiple reports, check the checkbox of the report to be exported. The exported file is saved to the local drive in an archived format.

Open CSV files with Unicode characters in MS Excel

To open downloaded CSV files containing Unicode characters in MS Excel, follow these steps:

1. Download and save the CSV file.
2. Open Microsoft Excel and navigate to the Data tab.
3. Click on From Text menu item; find the CSV file that you downloaded and click Import.
   The Text Import Wizard is displayed.
4. Select Delimited or Fixed Width data type from the Original data type radio button.
5. Click File origin drop down list and select 65001: Unicode (UTF-8) and click Next.
6. Select the delimiter that was used in the file that you imported and click Next.
7. Select the data format for each column of data that you want to import and click Finish.
   ​The correct output is displayed in an MS Excel sheet.

Export a Report GroupExport a Report Group

You can export a selected report groups to an external file that can be later imported to another NetWitness environment.

Note: Starting from NetWitness Platform version 12.5, the Export and Export as Text options are enabled by default when you choose All Groups in the Reports tab. This eliminates the need to enable these options for each report within the group manually.

Prerequisites

Make sure that you have reports in the Report Group.

To export selected report groups in the Report Groups panel to an external file, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports Groups panel, select a report group and click and select one of the following:

   • Export - This selection exports a report in a .zip file.
   • Export as Text - This selection exports all the content from the Reporting Engine in a .zip file which contains the data in text format.

   You can export multiple report groups at a time. To select multiple report groups, press and hold the CTRL button and select the report groups to be exported. The exported file is saved to the local drive.

Import a Report or Report GroupImport a Report or Report Group

You can import a group containing subgroups and reports from other instances of NetWitness into Report Groups panel. Reports must be in a valid binary file that was exported from another NetWitness instance.
During the import process, you select the binary file and specify whether existing reports with the same name must be overwritten or not by the reports contained in the binary import file.

• If you choose to overwrite, all duplicate rules, lists and reports are overwritten by the contents of the binary import file.
• If you choose not to overwrite, and a duplicate rule, list or report exists in the target folder, the import fails and display a message about duplicate reports.

You cannot import reports to a specific report group. The imported files are stored in the Allroot folder.

Prerequisites

Make sure that you have the reports or report groups exported from other instances of NetWitness.

To import groups containing subgroups and reports from other instances of NetWitness into Report Groups panel, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports Groups panel, select a folder to import the file.

4. Do one of the following:

   • In the Reports Groups toolbar, click > Import to import a group.
   • In the Reports toolbar, click > Import to import a report.
     The Import Report dialog is displayed. You can import multiple reports and report groups at a time. To select multiple reports or report groups, press and hold the CTRL button and select the reports or report groups to be imported.

5. Click Browse to select the binary file.

   NetWitnessprovides a file system view of the files.

6. Locate the binary file and click Open.

   The file gets added to the Import Report list.

7. (Optional) To overwrite any existing rule in the library with an identically named rule in the binary file when importing, check the Rule checkbox. If you do not select the Overwrite option, and an identical rule is encountered in the binary file, the binary file is imported and no error message is displayed.
8. (Optional) To overwrite any existing list in the library with an identically named list in the binary file, check the List checkbox. If you do not select the Overwrite option, and an identical list is encountered in the binary file, the binary file is imported and no error message is displayed.
9. (Optional) To overwrite any existing report in the library with an identically named report in the binary file when importing, check the Report checkbox. If you do not select the Overwrite option, and an identical report is encountered in the binary file, the binary file is imported and no error message is displayed.
10. Click Import to import the binary file.

Enable or Disable a Scheduled ReportEnable or Disable a Scheduled Report

To enable or disable a scheduled report from the Scheduled Reports List panel, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.
   The Report view is displayed.
3. In the Reports panel, select a report and click > View Scheduled Reports.
   View Report Schedule is displayed.
4. Select a report from the Report Schedule panel.
5. In the Actions column, click > Enable.
   The state of the report is changed to ‘Running’, if the report is scheduled to run immediately.

6. In the Actions column, click > Disable.
   The state of the report is changed to ‘Inactive’.

Start or Stop a Scheduled ReportStart or Stop a Scheduled Report

To start or stop a scheduled report, perform the following:

1. Go to Reports.
   The Manage tab is displayed.
2. Click Reports.
   The Report view is displayed.
3. In the Reports panel, select a report and click > View Scheduled Reports.
   The Report Schedule view is displayed.
4. Select a report from the Scheduled Reports List panel.
5. In the Actions column, click > Start.
   The state of the report is changed to ‘Running’, if the report is scheduled to run immediately.

6. In the Actions column, click > Stop.
   The state of the report is changed to ‘Completed’.

Note: If you have multiple executions running for a scheduled report and the state of the report is in Queued state, the STOP option is disabled till all the previous executions are completed and last execution is in running state. To stop the individual execution of a particular schedule, refer to Stop an Individual Execution of a Scheduled Report.

View an Execution History of a Scheduled ReportView an Execution History of a Scheduled Report

You can view the execution history of a scheduled report. You can view the history of a scheduled report that is run. You can view the history based on the following criteria:

• Number of past schedules executed
• Start date and end date for the date range

You can view the details such as how many times the scheduled report was executed, the time of execution (seconds), execution state. You can also view the report generated on a full screen.

To view the execution history of a scheduled report, perform the following:

1. Go to Reports.
   The Manage tab is displayed.
2. Click Reports.
   The Report view is displayed.
3. In the Reports panel, do one of the following:
   • Click > View Scheduled Reports.
   • Click the #Schedules column.
     The Schedule Reports view tab is displayed with the status of each of the scheduled report.
4. Do one of the following:
   • Select a scheduled report and click > Execution History.
   • Select a scheduled report and click .
     The Execution History view is displayed.

   Note: By default, you can view 10 number of execution history of a scheduled report. The execution history shown depends on the Retain Report History Configuration set on the Generaltab of the (Admin) > Services > Reporting Engine Config view.
   For example, if you set the Retain Report History Configuration to 100 days, the data displayed on the Execution History view. is the past 100 days execution history details considering the current date information.

5. From the Get history by: field, select the type of history to be fetched. (For example, Past or Range (Specific))
6. In the Count field, enter the number of executions to be displayed.
7. Click Show History.
   The execution history of the scheduled report is displayed.

Stop an Individual Execution of a Scheduled ReportStop an Individual Execution of a Scheduled Report

If you have multiple executions running for a scheduled report, you can stop the individual execution of the scheduled report in Execution History panel.

To stop the individual execution of a scheduled report, perform the following:

1. Go to Reports.
   The Manage tab is displayed.
2. Click Reports.
   The Report view is displayed.
3. In the Reports panel, do one of the following:
   • Click > View Scheduled Reports.
   • Click the #Schedules column.
     The Schedule Reports view tab is displayed with the status of each of the scheduled report.
4. Do one of the following:
   • Select a scheduled report and click > Execution History.
   • Select a scheduled report and click .
     The Execution History panel is displayed.
5. Select a schedule, in the Actions column, click .
   The state of the execution schedule is changed to 'Cancelled'.

Manage and Select a Report LogoManage and Select a Report Logo

Prerequisites

Make sure that you have the Reporting Engine service defined prior to managing a logo.

Manage Report Logos

To manage logos, perform the following:

1. Go to (Admin) > Services.

   The Services view is displayed.

2. In the Services panel​, select an Reporting Engine service and click View > Config.

   The services config view is displayed.

3. Select the Manage Logos tab.

   All the available logos are displayed.

Add a Logo

To add a logo, perform the following:

1. In the Manage Logos tab, click .

   A file browser opens where you can choose the file from the local drive.

2. Select the logo and click Open.

   The selected logo gets added to the Manage Logos section.

Delete a Logo

To delete a logo, perform the following:

1. In the Manage Logos tab, do one of the following:

   • Select the logo and click .
   • Perform (Ctrl+click) to select multiple logos and click .

   A confirmation dialog is displayed.

   

2. If you want to delete the logo, click Yes.

   The selected logo is deleted from the Manage Logos section.

Set Default Logo

To set a default logo, perform the following:

In the Manage Logos tab, select a logo and click .

The chosen logo is set as the default logo for the RE service.

Select a Logo

To select a logo, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click Reports.

   The Report view is displayed.

3. In the Reports panel, select a report.
4. Click > View Scheduled Reports.
   The View scheduled reports view tab is displayed.

5. Select a scheduled report and in Actions column, click > Edit Schedule.

   The Schedule Report view tab is displayed.

6. In the Logo panel, click Change Logo.

   The Change a Logo dialog box is displayed.

7. Do one of the following:

   • Click Upload new logo to upload another logo.
   • Select a logo from the list.

8. Click Select.
   The selected logo is available on the Logo panel.

Search Reporting DetailsSearch Reporting Details

This section provides instructions on how to perform a keyword search on name and content for each of the Reporting components. You can perform a keyword search on name and content for each of the Reporting components (Rule/Report/Chart/Alert/List) on the Reporting UI.

Note: You cannot search based on date and numeric values.

The following figure shows the search parameters available in the Reporting Module:

The following are the search parameters available on the Reporting UI:

1. Search for entities (rule, report, chart, alert, list).
2. Search for the entities based on either the name or content.

Note: Searches are case insensitive. For example, Completed is equivalent to completed.

Prerequisites

In the Reporting Module, you can perform a keyword search based on the name and content (definition). In this context, content implies definition of each of the reporting components. For instance, the value defined in the rule, report, report schedule, chart, and alert panel. You can also prioritize your search by selecting either or all of the components: Rule, Report, Chart, Alert, or List.

Note: You cannot search based on the List values and list path stored in schedule definition panel.

For example, to search for the rule name (ExpertRule), you must select Rule, Name, and Content in the filtering options drop-down to view all the rule names that matched the search. You can similarly search for a report, chart, alert, or list definition.

To search for reporting details from the Manage tab, perform the following:

1. Go to Reports.

   The Manage tab is displayed.

2. Click and select the appropriate criteria to search.

3. In the Search field, enter the text to be searched.

   The search drop-down list is displayed:

   

Search Syntax and Different Types of Search

The following table explains the search syntax and the possible searches that can be performed on the Reporting user interface.

Search Types	Description
Word or phrase based search	Word Based Search: To search for a word such as "action" or "meta", you must enter the word in the search box. The following figure shows the search results for the text action. Phrase based search: A Phrase is a group of words surrounded by double quotes such as "action meta". To search for a phrase, you must enclose phrases in double-quotes in the search box. The following figure shows the search results for the phrase "action meta".
Wildcard Search (Single/ Multiple/ Special Character Search) The question mark "?" symbol is used to perform a single character wild card search and asterisk "*" symbol is used to perform multiple character wildcard search.	Single character search: The single character wildcard search looks for terms that match with the single character replaced. For example, to search for "Expert" or "Export" you can use the search syntax: Exp?rt The following figure shows the search results for the wildcard character Exp?rt. Multiple character search: Multiple character wildcard search looks for 0 or more characters. For example, to search for Expert, or Experts, you can use the search syntax: Expert* The following figure shows the search results for the wildcard multiple character Expert*. Special character search: Certain punctuation and special characters are ignored during search (@#$%^&*(){}"~=+-[]\?|!:,.). For example, a search for action-login will be interpreted during search as "action" "login", that is, if rules exist with name "action-login" and "action@login" and search string is "action-login", the search result will return both the rules.
Search based on name or content	Search based on name: When you want to search based on the name of a report, select Reportand Namebox from the filtering options drop-down. For example, to search for the report name "Report With Multiple Rules", you can use the search syntax: "Access to Compliance Data" Note: When you search for a report, it implies you can search for the report schedules as well. The search result will return the report containing the specific name. Search based on content: When you want to search for the content within an alert, say alert description, select Alert and Content box from the filtering options drop-down. For example, to search for the alert description "Device IP Got Detected", you can use the search syntax: "Device IP Got Detected" The search will return the result having the specific content.