View and Manage Alert Reports

You can view and manage alert reports.

View an Alerts Report

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Reports.
  3. In the Report Name column on the right, click the All Alerts report or a custom report.
    The report is displayed with its saved filters.

Modifying Columns in an Alerts Report

To add or remove columns in the report, do the following:

  1. View a predefined or custom alerts report.
  2. Click the Actions drop-down menu.
  3. Click Manage Columns.

    The Manage Columns window is displayed.

  4. Select columns that you want displayed in the report.
  5. Deselect columns that you want to hide in the report.
  6. Click Save Changes.

Basic Filtering in an Alerts Report

To apply basic filters in the report, do the following:

  1. View a custom or predefined alerts report.
  2. Click Another Filter.
  3. Select a filter type, operator, and enter a value. All columns that are available in the report are available as filter types.
  4. Click Apply.
  5. Repeat steps two through four to apply additional filters.

To remove a filter, click the X beside the filter row.

To filter the report based on a total category (for example, Login Successes), click the total. The list of audit events in the table at the bottom of the report is automatically updated. To remove the filter, click the total again.

Note:

Only some totals in your report are single-click filters.

Advanced Filtering in an Alerts Report

Advanced filtering gives you more flexibility in how alert data is analyzed and reviewed: you can specify complex conditions and multiple criteria that data must meet to be included in or excluded from the analysis.

To apply advanced filters in the report, do the following:

  1. View a predefined or custom alerts report.
  2. Click Show Advanced SCIM Query Builder.
  3. Use the provided filter builder and drop-down lists to enter your filters. Advanced filtering uses System for Cross-Domain Identity Management (SCIM) syntax. Supported operators include:
    • co: matches resources with an attribute that contains a given string
    • eq: matches resources with an attribute that is equal to a given value (not case sensitive)
    • eq_cs: matches resources with an attribute that is equal to a given value (case sensitive)
    • ew: matches resources with an attribute that ends with a given string
    • ge: matches resources with an attribute that is greater than or equal to a given value
    • gt: matches resources with an attribute that is greater than a given value
    • in: matches resources with an attribute that is equal to any of given values in list
    • le: matches resources with an attribute that is less than or equal to a given value
    • lt: matches resources with an attribute that is less than a given value
    • ne: matches resources with an attribute that is not equal to a given value
    • not_in: matches resources with an attribute that is not equal to any of given values in list
    • pr: matches resources with an attribute if it has a given value
    • sw: matches resources with an attribute that starts with a given string

    Operators can be grouped using parentheses to specify the order.

    Filters can also be combined using logical operators such as "and" and "or".

    Note:

    If you have any basic filters currently applied, they will appear in the query builder as well.
  4. Click Apply.

To clear the query builder, click Clear. This will clear any basic filters applied as well.

Example 5-1 Critical or high severity alert advanced filter

((severity eq "CRITICAL" or severity eq "HIGH") and status eq "OPEN")

Example 5-2 Critical alerts not on a virtual machine advanced filter

(featureDetails.clientHostname ne "vm") and (severity eq "Critical")

Example 5-3 Critical alerts on two target databases advanced filter

((targetNames eq "ATP01" or targetNames eq "ATP02") and (severity eq "Critical"))
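
The three filters above, evaluated offline against constructed alert records (an added example, not the product's own code). It implements only eq, eq_cs and ne with and/or grouping; giving "and" precedence over "or" follows RFC 7644, and case-insensitive ne is an assumption.

```python
import re
from collections import deque

# Constructed sample alerts (not real data); attribute names follow the page's examples.
ROWS = [("CRITICAL", "OPEN", "ATP01", "vm"), ("HIGH", "CLOSED", "ATP02", "appsrv01"),
        ("Critical", "OPEN", "ATP03", "appsrv02")]
ALERTS = [{"severity": s, "status": st, "targetNames": t,
           "featureDetails": {"clientHostname": h}} for s, st, t, h in ROWS]
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[\w.]+)')
OPS = {  # eq / eq_cs case rules are from the page; ne is assumed to ignore case
    "eq": lambda a, b: a.lower() == b.lower(),
    "eq_cs": lambda a, b: a == b,
    "ne": lambda a, b: a.lower() != b.lower(),
}

def lookup(alert, path):  # resolve a dotted attribute such as featureDetails.clientHostname
    for key in path.split("."):
        alert = alert.get(key, "") if isinstance(alert, dict) else ""
    return str(alert)

def matches(expr, alert):  # assumption: "and" binds tighter than "or", as in RFC 7644
    toks = deque(TOKEN.findall(expr))
    def take(expected=None):
        if not toks or expected not in (None, toks[0]):
            raise ValueError("malformed filter: " + expr)
        return toks.popleft()
    def atom():
        if toks and toks[0] == "(":
            take("(")
            value = either()
            take(")")
            return value
        attr, op, val = take(), take(), take()
        return OPS[op](lookup(alert, attr), val.strip('"'))
    def chain(sub, word, combine):  # grammar: sub (word sub)*
        value = sub()
        while toks and toks[0] == word:
            take(word)
            value = combine([sub(), value])
        return value
    def both():
        return chain(atom, "and", all)
    def either():
        return chain(both, "or", any)
    result = either()
    if toks:
        raise ValueError("malformed filter: " + expr)
    return result

def select(expr):  # targetNames of the sample alerts that the filter keeps
    return [a["targetNames"] for a in ALERTS if matches(expr, a)]
```

Under these assumptions, dropping the inner parentheses from Example 5-1 also selects the closed HIGH alert on ATP02, which is why grouping matters when a filter mixes "and" and "or".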

Tips for Using the Filter Builder to Create Advanced Filters

  • Pressing the escape key while in advanced filtering mode will clear the whole query.
  • Pressing the space key will display the drop-down list of available attributes or operators.
  • Pressing the space key after entering a value like targetname (demo_tgt) will enclose the string with quotes: ("demo_tgt").
  • Pressing enter will close the drop-down list of operators and attribute names.
  • If a value like alert name has spaces in it, typing space will enclose the first word within quotes, "alert name". You will have to move the cursor back to the enclosed string and continue typing the rest of the string value.
  • If you build a filter in advanced filtering that can't be displayed in basic filters, you can't switch back to basic filtering mode. For example, advanced filters with the or condition can't be displayed in basic filtering.
  • A custom report with a basic filter can be updated with an advanced filter and saved.

For more information about SCIM, see the protocol documentation at https://www.rfc-editor.org/rfc/rfc7644.

For more information about filtering in SCIM, see the filtering section of the protocol documentation at https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2.

Create or Change a Schedule for Alert Reports

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Reports.
    The Reports page is displayed, showing you a list of alert reports.
  3. Click the name of the report you would like to view.
  4. Click the Manage Report Schedule button.
    The Manage Report Schedule panel appears. It will be pre-loaded with either the existing schedule or the default schedule.
  5. Change the Schedule Report Name if desired.
  6. Change the Compartment the report is stored in if desired.
  7. For Report Format, select either PDF or XLS output.
  8. Select the Schedule Frequency.
    1. If you selected weekly for the schedule frequency, select the day of the week the schedule will run in the Every field.
    2. If you selected monthly for the schedule frequency, select the day of the month the schedule will run in the Day field.
  9. In Time (in UTC), select a time.
  10. In Events Time Span, select the time span for which events will be included in the report. For example, selecting Last Months and entering 14 will always pull events from the last 14 months from the time the report is run.
  11. Select a Row Limit.
  12. Click Save Schedule.

Generate and Download a PDF or XLS Version of an Alerts Report

You can generate and download a PDF or XLS version of your alerts report. The downloaded report includes the details that you are currently viewing on screen.

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Reports.
  3. Select the check box for an alert report.
  4. Click Generate Report.
    The Generate Report dialog box is displayed.
  5. Select a report format (PDF or XLS).
  6. Enter a display name.
  7. (Optional) Enter a description.
  8. Select a compartment in which to store your report.
  9. (Optional) Set a filter on the number of rows, the target databases, the report start time, and report end time.
  10. Click Generate Report.
  11. Wait until the report is generated.
    A message is displayed stating that the report generation is complete.
  12. Download the report. You have two options:
    • In the Generate Report window, next to "To download report please", click the "click here" link. A dialog box is displayed providing you options to open or save the document.
    • Click Close to close the Generate Report window, and then click the Download Report button. A dialog box is displayed providing you options to open or save the document.
  13. Save the report to your local computer or open and view it.

Create a Custom Alerts Report

You can create a custom report from any alerts report, including the predefined All Alerts report. The details saved to the custom reports are those that you are currently viewing on screen. You may want to create a custom report if you want to preserve the filters and columns displayed in a report that you are viewing online. You may also want to store your custom reports in specific compartments.

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Reports.
  3. Click a report name and modify it as needed. If there aren't any custom reports saved, click the All Alerts report and make changes to it.
  4. Click Create Custom Report.
    The Create Custom Report dialog box is displayed.
  5. Enter a name for your custom report.
  6. (Optional) Enter a description for your custom report.
  7. Select the compartment where you want to save your custom report.
  8. Click Create Custom Report, and wait for a message that tells you the custom report is created.
  9. (Optional) To open and view your custom report, click the "click here" link.
  10. (Optional) To return to the report displayed on the screen, click Close.
    This report is not your saved report.

Update a Custom Alerts Report

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Reports.
  3. In the Report Name column on the right, click the name of the custom report that you want to update.
    The report is displayed with its saved filters.
  4. Modify the report as needed.
  5. Open or close alerts as needed.
  6. Click Save Report.
    The custom report is updated.

Delete a Custom Alerts Report

When you delete a custom alerts report, the report is permanently deleted and cannot be recovered. You cannot delete the predefined All Alerts report.

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Reports.
  3. In the Report Name column on the right, click the name of the custom report that you want to delete.
    The report is displayed with its saved filters.
  4. Click Delete Report.
    A Delete Report dialog box is displayed, asking you to confirm the deletion.
  5. Click Delete Report.

View Alert Report History

When an alert report is created, either through a schedule or generated on-demand, it will be listed in Alert Report History. The history of reports will be kept for three months. During this time you can view a list of the reports that have been created, details about the reports, and download the reports from Alert Report History.

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Alert Report History.
    The Alert Report History table is displayed. It contains information regarding:
    • Report Name - The name of the alert report.
    • Lifecycle State - Either ACTIVE or UPDATING, shows if the report is currently accessible or if it is being updated.
    • Report Definition - Specifies the name of the report that provides data for this scheduled or generated report.
    • Generated Time - The date and time the report was created.
    • Report Type - Generated or Scheduled. Generated reports are on-demand reports produced outside of the scheduling system; scheduled reports are those produced by the scheduling system.
    • File Format - PDF or XLS.
    • Download Report - Option to download the report.
  3. (Optional) Under Filters, narrow down the report history page based on the Report definition, Report type, and Time period.

Move an Alert Report to a Different Compartment

From Alert Report History, you can move any scheduled or generated alert report from the past three months to a different compartment that you have access to.

  1. Under Security Center, click Alerts.
  2. Under Related Resources, click Alert Report History.
    The Alert Report History table is displayed.
  3. Click the name of an alert report from the list.
  4. Click Move Resource.
  5. In the move resource dialog box, select the compartment to move the alert report to. You must have the appropriate DATA_SAFE_REPORT_MOVE permissions for the selected compartment.
  6. Click Move Resource.
    The alert report and Archive Data Retrieval will be moved to the selected compartment immediately.