Generate reports about alerts and other activity
Workload Security produces reports in PDF or RTF formats. Most of the reports have configurable parameters such as date range or reporting by computer group. Parameter options will be disabled for reports to which they don't apply. You can set up a one-time report (see Set up a single report) or set up a schedule to run a report on a regular basis (see Set up a scheduled report).
- In the Workload Security console, go to the Events & Reports tab and then in the left pane, click Generate Reports > Single Report.
- In the Report list, select the type of report that you want to generate. Depending on which protection modules you are using, these reports may be available:
- Alert Report: List of the most common alerts
- Anti-Malware Report: List of the top 25 infected computers
- Attack Report: Summary table with analysis activity, divided by mode. For details about what's included, see About attack reports.
- AWS Metered Billing Report: Summary table of AWS Metered Billing consumption in hours per day by instance size
- Azure Metered Billing Report: Summary table of Azure Metered Billing consumption in hours per day by instance size
- Computer Report: Summary of each computer listed on the Computers tab
- DPI Rule Recommendation Report: Intrusion prevention rule recommendations. This report can be run for only one security policy or computer at a time
- Firewall Report: Record of firewall rule and stateful configuration activity
- Forensic Computer Audit Report: Configuration of an agent on a computer
- Integrity Monitoring Baseline Report: Baseline of the computer(s) at a particular time, showing Type, Key, and Fingerprinted Date
- Integrity Monitoring Detailed Change Report: Details about the changes detected
- Integrity Monitoring Report: Summary of the changes detected
- Intrusion Prevention Report: Record of intrusion prevention rule activity
- Log Inspection Detailed Report: Details of log data that has been collected
- Log Inspection Report: Summary of log data that has been collected
- Recommendation Report: Record of recommendation scan activity
- Summary Report: Consolidated summary of Workload Security activity
- Suspicious Application Activity Report: Information about suspected malicious activity
- System Event Report: Record of system (non-security) activity
- User and Contact Report: Content and activity detail for users and contacts
- Web Reputation Report: List of computers with the most web reputation events
- Last 24 Hours: Includes events from the past 24 hours, starting and ending at the top of the hour. For example if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between December 4th at 10:00am and December 5th at 10:00am.
- Last 7 Days: Includes events from the past week. Weeks start and end at midnight (00:00). For example if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between November 28th at 0:00am and December 5th at 0:00am.
- Previous Month: Includes events from the last full calendar month, starting and ending at midnight (00:00). For example, if you select this option on November 15, you will receive a report for events that occurred between midnight October 1 to midnight November 1.
- Custom Range: Enables you to specify your own date and time range for the report. In the report, the start time may be changed to midnight if the start date is more than two days ago.
Reports use data stored in counters. Counters are data aggregated periodically from Events. Counter data is aggregated on an hourly basis for the most recent three days. Data from the current hour is not included in reports. Data older than three days is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last three days can be specified at an hourly level of granularity, but beyond three days, the time period can only be specified on a daily level of granularity.
- All Computers: Every computer in Workload Security
- My Computers: If the signed in user has restricted access to computers based on their user role's rights settings, these are the computers the signed in User has view access right to.
- In Group: The computers in a Workload Security group.
- Using Policy: The computers using a specific protection Policy.
- Computer: A single computer.
To generate a report on specific computers from multiple computer groups, create a user who has viewing rights only to the computers in question and then either create a scheduled task to regularly generate an "All Computers" report for that user or sign in as that user and run an "All Computers" report. Only the computers to which that user has viewing rights will be included in the report.
- Disable Report Password: Report is not password protected.
- Use Current User's Report Password: Use the current user's PDF report password. To view or modify the user's PDF report password, go to Administration > User Management > Users > Properties > Settings > Reports.
- Use Custom Report Password: Create a one-time-only password for this report. The password does not have any complexity requirements.
Scheduled reports are scheduled tasks that periodically generate and distribute reports to any number of users and contacts (this feature used to be named "Recurring Reports").
To set up a scheduled report, go to the Events & Reports tab and then in the left pane, click Generate Reports > Scheduled Reports. Click New. The New Scheduled Task wizard opens and will step you through the configuration process. Most of the options are identical to those for single reports, with the exception of Time Filter:
- Last [N] Hour(s): When [N] is less than 60, the start and end times will be at the top of the specified hour. When [N] is more than 60, hourly data is not available for the beginning of the time range, so the start time in the report will be changed to midnight (00:00) of the start day.
- Last [N] Day(s): Includes data from midnight [N] days ago to midnight of the current day.
- Last [N] Week(s): Includes events from the last [N] weeks, starting and ending at midnight (00:00).
- Last [N] Month(s): Includes events from the last [N] full calendar month, starting and ending at midnight (00:00). For example, if you select "Last 1 Month(s)" on November 15, you will receive a report for events that occurred between midnight October 1 to midnight November 1.
Reports use data stored in counters. Counters are data aggregated periodically from events. Counter data is aggregated on an hourly basis for the most recent three days. Data from the current hour is not included in reports. Data older than three days is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last three days can be specified at an hourly level of granularity, but beyond three days, the time period can only be specified on a daily level of granularity.
For more information on scheduled tasks, see the Schedule Workload Security to perform tasks.
Troubleshoot: Scheduled report sending failed
In Workload Security, you can schedule your regular reports and send them by email, however the size of the email cannot exceed 20 MB, otherwise the email will fail to send. In the Events & Reports page, a corresponding "Email Failed" event occurs, which displays the error message, mail subject, and mail-to information.
If the report email fails to send due to the message size exceeding the limit, separate the report into sub-reports by using a shorter time range or filtering the target computers by Group or Policy.