Using the Report Builder

Overview

Report Builder is where you can find and analyze all the logs we have collected and retained for your organization, in accordance with the data retention terms of your license. Data retention begins at 14 days in free accounts, and we retain logs for up to one year in paid accounts, with longer-term retention available to meet specific compliance needs. 

Report Builder gives you the capability to conduct activities like:

  • digital forensics and incident response (DFIR) work
  • threat hunting
  • compliance reporting
  • operational monitoring

Global reports, including Blumira's pre-built compliance reports, are available to all customers. You can also create custom queries. Users in any paid edition can save their custom reports for ongoing monitoring and analysis.

Using global and saved reports

To view a global report or one of your saved reports, follow these steps:

  1. In Blumira, navigate to Reporting > Report Builder.
  2. Click View all Saved Reports.
  3. (Optional) In the Saved Reports window, find the report you want to run by doing any of the following:
    • In the Search box, type a keyword to filter the list by title.
    • Click Recent to see your most recently used reports.
    • Click Favorite to see the list of reports you have previously starred as a favorite.
  4. To load a report, click the report's name.

Tip: Report Builder displays up to 5,000 records in the app to prevent web browser timeouts during queries. If your query has more than 5,000 results, "Your search exceeded the maximum number of rows (5000)" appears above the table. To retrieve all records for a query, use the Export option to download a CSV or JSON file containing all relevant data.

Customizing reports

In addition to using Blumira's pre-built report queries, you can create custom queries with additional filters and columns of data to expand or narrow the information shown in the table. Users in paid editions can then save and schedule those custom reports for repeated use or email delivery.

To create a custom report, do the following:

  1. In the Time Range box, select the timeframe of data that you want to return. You can select one of the provided values or click Custom to select specific dates and times.
  2. From the Data Sources list, select the source(s) of the logs that you want to analyze.
  3. Click Submit to view the results.
  4. Click Edit Report, then add or remove Fields and/or Filters and click Submit to see the updated results.
    Note: Blumira automatically hides fields that do not have any data from the log source. If you are expecting to see a field, you may need to adjust your filters to see the field as an option. The filters that you can use for the report depend on the data sources that you select.
  5. (Optional) Save the new customized query to your Saved Reports list by doing the following:
    1. Open the additional actions menu by clicking the ellipsis, and then click Save & Schedule Report.
    2. In the Name of Query box, type a name that is not already being used by another report.
      Note: A previously saved report cannot be overwritten with the Save function. A new version must be saved with a new name if you edit the query of a saved report.
    3. (Optional) Click the check box next to Create a scheduled report for saved query and set a schedule for sending an email that will contain a link to download the report.
    4. Click Save.
  6. To view the data in CSV or JSON format, click Export.

Editing saved reports

Renaming reports

In the Saved Reports menu, you have the option to edit the name of your custom reports. Blumira's Global Reports, which are shared across all accounts, cannot be renamed.

To rename one of your saved reports, do the following:

  1. In Report Builder, click View all Saved Reports.
  2. Search or scroll to find the report you want to edit.
  3. Next to the report's name, click the edit icon.
  4. Edit the name of the report.
  5. Click the save icon to save the new name.

Changing a saved report's query

If you need to edit the query of one of your saved reports and replace the old version, complete the steps in Customizing reports to edit the report and save it with a new name. 

Tip: Use a naming convention that includes a version number (v1, v2, etc.) or the date of creation to support version control. 

After you save the new version of the report you can delete the old version, if desired.

Report Builder pro-tips

The following are ways to take your report-building skills to the next level:

  • You can left-click on a value in the report table to display a menu of additional actions. This menu includes the options to add the value to your report's filters and to copy the value to your clipboard.
  • You can click Edit Report to choose which fields you query against, dictate which fields are listed in the "Add Filter" options, enable and disable Suggested Fields options, apply a distinct count to your query results, and select all data sources available in your environment.
    Note: Applying the Distinct Count to your query results removes the timestamp field.
  • You can clear the report and start over by clicking the three dots near the top of the page, then Reset Report.
  • Report filters are made from conditions that include a field, an operator, and a value. Adjust the operator you use in a filter condition to improve your results.
    Note: When using the IN or NOT IN operator with multiple possible values, you must press the Enter key to add the separate values to the filter before clicking Done. If you provide two conditions using IN, the query attempts to find both values instead of either one, which usually results in no data being found.

Example using the Equal or Contains operator

When running a report for Duo Security Admin Logs and filtering for results where there was a bypass action, using the operator "Equal" returns zero results.

Changing the operator to "Contains" provides all logs in the time range where the word "bypass" is in any part of the action name.
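
The operator behavior described above, modeled in Python as an added example (this is not Blumira's code or query engine). The `action` field name, the sample records, and the `run_report` helper are constructed for illustration, and separate conditions are assumed to be combined with AND, as the IN note describes.

```python
# Added illustration: models the Report Builder filter semantics described on
# this page. Records and field names are constructed sample data.

RECORDS = [
    {"user": "alice", "action": "bypass_create"},
    {"user": "bob", "action": "bypass_delete"},
    {"user": "alice", "action": "admin_login"},
    {"user": "carol", "action": "user_update"},
]

# Each operator compares one field value against the filter value.
OPERATORS = {
    "EQUAL": lambda field_value, wanted: field_value == wanted,
    "CONTAINS": lambda field_value, wanted: wanted in field_value,
    "IN": lambda field_value, wanted: field_value in wanted,
    "NOT IN": lambda field_value, wanted: field_value not in wanted,
}


def run_report(records, conditions):
    """Return records that satisfy every (field, operator, value) condition."""
    return [
        record
        for record in records
        if all(
            OPERATORS[operator](record.get(field, ""), value)
            for field, operator, value in conditions
        )
    ]


def actions(rows):
    """Project the action column so results are easy to compare."""
    return [row["action"] for row in rows]


if __name__ == "__main__":
    # Equal needs the whole value to match, so "bypass" alone finds nothing.
    print(actions(run_report(RECORDS, [("action", "EQUAL", "bypass")])))
    # Contains matches "bypass" anywhere in the action name.
    print(actions(run_report(RECORDS, [("action", "CONTAINS", "bypass")])))
    # One IN condition with two values: either value matches.
    either = [("action", "IN", ["bypass_create", "admin_login"])]
    print(actions(run_report(RECORDS, either)))
    # Two IN conditions on the same field: a record must match both, so none do.
    both = [("action", "IN", ["bypass_create"]), ("action", "IN", ["admin_login"])]
    print(actions(run_report(RECORDS, both)))
```

The same function can be pointed at rows loaded from a JSON export to check a filter design offline before saving it as a report.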
