In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze, such as threats, as well as the best way to categorize the information, such as grouping by rule UUID, which will allow you to see the rule that applies to each threat type. This consideration guides you in making the following selections in a custom report:
You can base the report on one of the following database types:
Reports based on detailed logs take much longer to run and are not recommended unless absolutely necessary.
The columns that you want to use as the match criteria. The attributes are the columns that are available for selection in a report. From the list of Available Columns, you can add the selection criteria for matching data and for aggregating the details (the Selected Columns).
Sort By/Group By
The Sort By and the Group By criteria allow you to organize/segment the data in the report; the sorting and grouping attributes available vary based on the selected data source.
The Sort By option specifies the attribute that is used for aggregation. If you do not select an attribute to sort by, the report will return the first N number of results without any aggregation.
The Group By option allows you to select an attribute and use it as an anchor for grouping data; all the data in the report is then presented in a set of top 5, 10, 25 or 50 groups. For example, when you select Hour as the Group By selection and want the top 25 groups for a 24-hr time period, the results of the report will be generated on an hourly basis over a 24-hr period. The first column in the report will be the hour and the next set of columns will be the rest of your selected report columns.
The following example illustrates how the Selected Columns and Sort By/Group By criteria work together when generating reports:
The columns circled in red (above) depict the columns selected, which are the attributes that you match against for generating the report. Each log entry from the data source is parsed and these columns are matched on. If multiple sessions have the same values for the selected columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
The column circled in blue indicates the chosen sort order. When the sort order (Sort By) is specified, the data is sorted (and aggregated) by the selected attribute.
The column circled in green indicates the Group By selection, which serves as an anchor for the report. The Group By column is used as the match criterion to filter for the top N groups. Then, for each of the top N groups, the report enumerates the values for all the other selected columns.
For example, if a report has the following selections:
The output will display as follows:
The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with maximum traffic in the Last 7 Days time frame. The data is enumerated by the Top 5 sessions for each day for the selected columns—App Category, App Subcategory and Risk.
The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. The reports can be run on demand or scheduled to run at a daily or weekly cadence.
The query builder allows you to define specific queries to further refine the selected attributes. It allows you to see just what you want in your report using AND and OR operators and a match criterion, and then include or exclude data that matches or negates the query in the report. Queries enable you to generate a more focused collation of information in a report.
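The following is an added worked example, not code from the firewall vendor's documentation or product, that models how the Selected Columns, Sort By and Group By settings described above combine, and how a query (AND/OR match with include or negate) narrows the log set before aggregation. The log entries, column names and the helper functions (`apply_query`, `aggregate`, `top_n_grouped`, `run_report`) are all constructed here for illustration and do not correspond to the product's actual API or log schema.

```python
from collections import defaultdict
from operator import itemgetter


def _sessions(day, cat, sub, risk, count):
    """Expand one (day, category, subcategory, risk) combination into `count` log entries."""
    return [{"day": day, "app_category": cat, "app_subcategory": sub, "risk": risk}
            for _ in range(count)]


# Constructed sample traffic-log entries (one dict per session); not real firewall data.
LOG_ENTRIES = (
    _sessions("2024-05-01", "general-internet", "internet-utility", 4, 3)
    + _sessions("2024-05-01", "networking", "encrypted-tunnel", 4, 2)
    + _sessions("2024-05-01", "media", "photo-video", 2, 1)
    + _sessions("2024-05-02", "general-internet", "internet-utility", 4, 2)
    + _sessions("2024-05-02", "networking", "encrypted-tunnel", 4, 1)
    + _sessions("2024-05-03", "general-internet", "internet-utility", 4, 1)
)

# The "Selected Columns": attributes each log entry is matched on.
SELECTED_COLUMNS = ["day", "app_category", "app_subcategory", "risk"]


def apply_query(entries, terms, combine="and", negate=False):
    """Query-builder step: keep entries whose columns match `terms` (list of (column, value)).

    `combine` is "and" (all terms must match) or "or" (any term matches);
    `negate=True` excludes matching entries instead of including them.
    """
    kept = []
    for entry in entries:
        checks = [entry.get(col) == val for col, val in terms]
        hit = all(checks) if combine == "and" else any(checks)
        if hit != negate:
            kept.append(entry)
    return kept


def aggregate(entries, selected_columns):
    """Match each entry on the selected columns; identical tuples are merged
    and their session count (the "repeat count") is incremented."""
    counts = defaultdict(int)
    for entry in entries:
        counts[tuple(entry[c] for c in selected_columns)] += 1
    return [dict(zip(selected_columns, key), sessions=n) for key, n in counts.items()]


def top_n_grouped(rows, group_by, sort_by, n_groups, n_per_group):
    """Group By anchors the report: rank groups by the summed Sort By attribute,
    keep the top `n_groups`, then list the top `n_per_group` rows inside each."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[group_by]].append(row)
    ranked = sorted(groups.items(),
                    key=lambda kv: sum(r[sort_by] for r in kv[1]),
                    reverse=True)[:n_groups]
    return [(key, sorted(members, key=itemgetter(sort_by), reverse=True)[:n_per_group])
            for key, members in ranked]


def run_report(entries, selected_columns, sort_by=None, group_by=None,
               n_groups=5, n_per_group=5, query=None):
    """Chain the steps: optional query filter, aggregation, then Sort By/Group By.

    With no Sort By attribute the report simply returns the first N entries,
    mirroring the documented "no aggregation" behaviour.
    """
    if query:
        entries = apply_query(entries, **query)
    if sort_by is None:
        return entries[:n_per_group]
    rows = aggregate(entries, selected_columns)
    if group_by is None:
        return sorted(rows, key=itemgetter(sort_by), reverse=True)[:n_per_group]
    return top_n_grouped(rows, group_by, sort_by, n_groups, n_per_group)


if __name__ == "__main__":
    # Report anchored by day, sorted by sessions: top 2 days, top 2 rows per day.
    for day, members in run_report(LOG_ENTRIES, SELECTED_COLUMNS,
                                   sort_by="sessions", group_by="day",
                                   n_groups=2, n_per_group=2):
        print(day)
        for row in members:
            print("  ", row["app_category"], row["app_subcategory"],
                  row["risk"], row["sessions"])
```

Running the block prints the two busiest days first, each followed by its two most frequent column combinations, which is the same shape as the Day/Sessions example in the text. Passing `query={"terms": [("app_category", "general-internet")], "negate": True}` to `run_report` reproduces the "exclude data that matches the query" case.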