Overview
You can use Report Builder to analyze the logs that you send to Blumira from all of your integrated data sources. Report Builder provides you access to the parsed logs, which is useful for conducting activities like:
- digital forensics and incident response (DFIR) work
- threat hunting
- general operational monitoring
Global reports, including Blumira's pre-built compliance reports, are available to all customers. You can also create custom queries. Users in any of the paid editions can save their custom reports for ongoing monitoring and analysis.
Using global and saved reports
To view a global report or one of your saved reports, follow these steps:
- Navigate to Reporting > Report Builder.
- Click View all Saved Reports.
- (Optional) In the Saved Reports window, find the report you want to run by doing any of the following:
- In the Search box, type a keyword to filter the list by title.
- Click Recent to see your most recently used reports.
- Click Favorite to see the list of reports you have previously starred as a favorite.
- To load a report, click the report's name.
Tip: Report Builder only displays up to 5,000 records in the app to ensure no web browser times out during a query. If your query has more than 5,000 results, you will see the error "Your search exceeded the maximum number of rows (5000)" above the table. To get all records for a query, use the Export option to download a CSV or JSON file that contains all of the relevant data.
Video Tutorial: Viewing Logs and Global Reports in Report Builder
Customizing reports
In addition to using Blumira's pre-built report queries, you can create custom queries ad hoc and save them for repeated use (not available in Free Edition).
To create a custom report, do the following:
- In the Time Range box, select the timeframe of data that you want to return. You can select one of the provided values or click Custom to select specific dates and times.
- From the Data Sources list, select the source(s) of the logs that you want to analyze.
- Click Submit to view the results.
- (Optional) Click Edit Report, then add or remove Fields and/or Filters and click Submit to see the updated results.
Note: Blumira automatically hides fields that do not have any data from the log source. If you are expecting to see a field, you may need to adjust your filters to see the field as an option. The filters that you can use for the report depend on the data sources that you select.
- (Optional) Save the new customized query to your Saved Reports list:
- Click and then click Save & Schedule Report.
- In the Name of Query box, type a name that is not already being used by another report.
Note: A previously saved report cannot be overwritten with the Save function. If you edit the query of a saved report, you must save the new version under a new name.
- (Optional) Click the check box next to Create a scheduled report for saved query and set a schedule for sending an email that will contain a link to download the report.
- Click Save.
- To view the data in CSV or JSON format, click Export.
Editing saved reports
Renaming reports
In the Saved Reports menu, you have the option to edit the name of your custom reports. Blumira's Global Reports, which are shared across all accounts, cannot be renamed.
To rename one of your saved reports:
- In Report Builder, click View all Saved Reports.
- Search or scroll to find the report you want to edit.
- Next to the report's name, click .
- Edit the name of the report.
- Click to save the new name.
Changing a saved report's query
If you need to edit the query of one of your saved reports and replace the old version, complete the steps in Customizing reports to edit the report and save it with a new name.
Tip: Use a naming convention that includes a version number (v1, v2, etc.) or the date of creation to support version control.
After you save the new version of the report, you can delete the old version if desired.
Report Builder pro-tips
The following are ways to take your report-building skills to the next level:
- You can left-click on a value in the report table to display a menu of additional actions. This menu includes the options to add the value to your report's filters and to copy the value to your clipboard.
- You can click Edit Report to choose which fields you query against, dictate which fields are listed in the "Add Filter" options, enable and disable Suggested Fields options, apply a distinct count to your query results, and select all data sources available in your environment.
Note: Applying the Distinct Count to your query results removes the timestamp field.
- You can clear the report and start over by clicking the three dots near the top of the page, then Reset Report.
- Report filters are made from conditions that include a field, an operator, and a value. Adjust the operator you use in a filter condition to improve your results.
Note: When using the IN or NOT IN operator with multiple possible values, you must press the Enter key to add each separate value to the filter before clicking Done. If you instead add two separate conditions that each use IN, the query requires a row to match both conditions rather than either one, which usually results in no data being found.
Example using the Equal or Contains operator
When running a report for Duo Security Admin Logs and filtering for results where there was a bypass action, using the operator "Equal" returns zero results.
Changing the operator to "Contains" provides all logs in the time range where the word "bypass" is in any part of the action name.
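The operator behaviour described above, re-created locally over an exported report so the difference is visible in counts. This is an added example, not Blumira's code or schema: the field names, action values and the four-row JSON export are constructed, and the Equal/Contains/IN semantics are the article's description implemented as plain string comparison.

```python
"""Re-create Report Builder filter semantics over an exported JSON report.

Constructed sample rows stand in for a Duo Security Admin Logs export;
the field names and action values are assumptions, not Blumira's schema.
"""
import json
from typing import Callable

# Constructed sample export (assumed shape: a JSON list of row objects).
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-01-08T10:00:00Z", "action": "admin_login", "username": "alice"},
    {"timestamp": "2024-01-08T10:05:00Z", "action": "bypass_create", "username": "bob"},
    {"timestamp": "2024-01-08T10:07:00Z", "action": "bypass_delete", "username": "bob"},
    {"timestamp": "2024-01-08T10:09:00Z", "action": "user_update", "username": "carol"},
])

# Operator name -> predicate(field_value, filter_value); field values compared as strings.
OPERATORS: dict[str, Callable[[str, object], bool]] = {
    "Equal": lambda fv, v: fv == v,          # exact match of the whole value
    "Contains": lambda fv, v: str(v) in fv,  # substring anywhere in the value
    "IN": lambda fv, v: fv in v,             # v is the list built by pressing Enter per value
    "NOT IN": lambda fv, v: fv not in v,
}


def load_rows() -> list[dict]:
    """Parse the exported report into a list of row dictionaries."""
    return json.loads(SAMPLE_EXPORT)


def run_filters(rows: list[dict], conditions: list[tuple[str, str, object]]) -> list[dict]:
    """Return rows matching every (field, operator, value) condition; conditions are ANDed."""
    def matches(row: dict) -> bool:
        return all(OPERATORS[op](str(row.get(field, "")), value) for field, op, value in conditions)
    return [row for row in rows if matches(row)]


def bypass_examples() -> dict[str, int]:
    """Row counts for the operator choices discussed in the article."""
    rows = load_rows()
    return {
        "equal_bypass": len(run_filters(rows, [("action", "Equal", "bypass")])),
        "contains_bypass": len(run_filters(rows, [("action", "Contains", "bypass")])),
        "one_in_two_values": len(run_filters(rows, [("action", "IN", ["bypass_create", "bypass_delete"])])),
        # Two separate IN conditions are ANDed, so no single row can satisfy both.
        "two_in_conditions": len(run_filters(rows, [("action", "IN", ["bypass_create"]),
                                                    ("action", "IN", ["bypass_delete"])])),
    }


if __name__ == "__main__":
    for name, count in bypass_examples().items():
        print(f"{name}: {count} row(s)")
```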