With EventLog Analyzer's correlation reports, you can intuitively understand complex incidents happening across your network devices and get a clear picture of the sequence in which they unfold. Three types of reports are available:
- Incidents overview report
- Incident report
- Timeline view report
You can also perform several actions on these reports, which help you get the most value out of them.
To learn what correlation is, how correlation rules are structured, and more, see Understanding correlation.
Incidents overview report
The incidents overview report provides a summary of the various incident types encountered on the network. Each incident type corresponds to a correlation rule. For each incident type, you can view the total count of correlated events (or network actions that satisfied the correlation rule).
To view the incidents overview report, go to the Correlation tab of the product and select Recent incidents from the left-hand menu:
Incident report
An incident report provides the details of the various occurrences of a specific incident type (or correlation rule). It displays the count of correlated events over time.
To view the report for a specific rule, go to the Correlation tab of the product, navigate to the rule name on the left menu, and click on it. You can also go to the incident report from the incidents overview report, by clicking on the corresponding entry in the graphical or tabular parts of the report. A typical incident report looks like this:
You can also perform specific report actions on the various incident reports.
Timeline view report
The timeline view report provides the history of correlated actions for each occurrence of an incident. It is a sequential listing of the logs that led to the rule being triggered.
To view the timeline report for a specific incident occurrence, go to the incident report, and click on 'View History' next to the corresponding entry in the table:
To view the details of each action or log, you can click on the 'Details' link next to each action.
Incident report actions
You can perform certain actions on the incident reports, as explained below:
You can export incident reports in either PDF or CSV format. To export a report, navigate to the required report, and click Export as on the top right of the report. Select the format in which you would like to export it.
The status of all previous and ongoing exports can be viewed by clicking the report export history icon next to the Export as button.
An incident report schedule allows you to generate incident reports at regular intervals and optionally distribute them via email. To view the list of existing schedules for a specific report, navigate to the required incident report and click on Schedule Report. You can enable/disable or edit the schedules by clicking on the respective icons. To create a new schedule, click on Add Schedule:
Specify the following details for the schedule and click Save once you are done:
- Schedule name: A name for the new schedule.
- Schedule frequency: The frequency with which to generate the report (only once/hourly/daily/weekly/monthly).
- Run schedule at: The day/time within the chosen period at which to generate the report.
- Export time range: The time range for which the report is to be generated.
- Report format: Report can be generated in PDF or CSV formats.
- Email address: The email address to which the report is to be sent.
- Email subject line: The subject of the email to be sent.
You can choose what information is displayed in your incident report by adding or removing the required fields as columns in the report. To select the fields, click on the column selector icon on the top right of the tabular part of the required report:
Select the fields to be displayed in the report by choosing the respective checkboxes under each action.
You can also specify the following options for each field by clicking on the edit icon next to the required field:
- Display name: This is the name of the field as displayed in the report. This is useful if you would like to display the same field (e.g. username) from more than one action. You can distinguish between similar fields by changing their display names. For instance, 'Failed logon username' and 'Successful logon username'.
- Show value of: When you have specified a threshold value for the action, and it occurs more than once, you can choose to display the field value from either the first, last or all occurrences of the action.
Click Save once you have specified the required information to be displayed.
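The following Python model, added here as an illustration and not part of EventLog Analyzer, shows how the Display name and Show value of options shape one row of an incident report. The correlated logs, the rule ("three failed logons followed by a successful logon") and the field names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed logs for one occurrence of an assumed rule:
# action "Failed logon" (threshold 3) followed by action "Successful logon".
INCIDENT_LOGS = [
    {"action": "Failed logon", "username": "alice", "source": "10.0.0.5"},
    {"action": "Failed logon", "username": "alice", "source": "10.0.0.5"},
    {"action": "Failed logon", "username": "bob", "source": "10.0.0.5"},
    {"action": "Successful logon", "username": "alice", "source": "10.0.0.5"},
]


@dataclass
class Column:
    action: str            # rule action the field is taken from
    fieldname: str         # field name in the log
    display_name: str      # header shown in the report (distinguishes same field across actions)
    show_value_of: str = "last"   # "first", "last" or "all" occurrences of a threshold action


def build_row(logs, columns):
    """Build one report row: {display_name: value} from the correlated logs."""
    row = {}
    for col in columns:
        values = [log[col.fieldname] for log in logs if log["action"] == col.action]
        if not values:
            row[col.display_name] = None
        elif col.show_value_of == "first":
            row[col.display_name] = values[0]
        elif col.show_value_of == "last":
            row[col.display_name] = values[-1]
        elif col.show_value_of == "all":
            row[col.display_name] = values   # every occurrence, in log order
        else:
            raise ValueError(f"unknown show_value_of: {col.show_value_of}")
    return row


def example_row():
    """Same 'username' field from two actions, told apart by display name."""
    columns = [
        Column("Failed logon", "username", "Failed logon username", "all"),
        Column("Failed logon", "source", "Attacker source", "first"),
        Column("Successful logon", "username", "Successful logon username"),
    ]
    return build_row(INCIDENT_LOGS, columns)


if __name__ == "__main__":
    print(example_row())
```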