You can use the Report Builder (Reporting > Report Builder) to analyze the logged events that you send to Blumira. This is useful for activities such as:
- digital forensics and incident response (DFIR) work
- threat hunting
- general operational monitoring
The Report Builder includes global reports that are frequently used by Blumira customers, but you can also create your custom queries and save them for ongoing monitoring and analysis.
Using global and saved reports
To view a global report or one of your saved reports, follow these steps:
- Navigate to Reporting > Report Builder.
- Click the three-dot menu near the top of the page to open the additional options menu.
- Click Load Saved Report.
- In the Saved Reports window, click the report that you want to use.
Note: You can type a name or keyword to filter the list or scroll to find a specific report.
Tip: Report Builder displays at most 5,000 records in the app so that no web browser times out during a query. If your query matches more than 5,000 records, the error "Your search exceeded the maximum number of rows (5000)" appears above the table, and the table shows only a partial result. To get every record for a query, use the Export option to download a CSV or JSON file that contains all of the matching data.
Customizing reports
In addition to using Blumira's pre-built report queries, you can create your own queries ad hoc and save them for repeated use.
To create a custom report:
- From the Time Range box, select the timeframe of data that you want to return. You can select one of the provided values or click Custom to select specific dates and times.
- From the Data Sources list, select the source(s) of the logs that you want to analyze.
- Click Submit to view the results.
- (Optional) Click Show Advanced, then add or remove Fields and/or Filters and click Submit to see the updated results.
Note: Blumira automatically hides fields for which the selected log sources have no data. If a field you expect is missing, you may need to adjust your time range or filters before it appears as an option. The filters available for a report depend on the data sources that you select.
- (Optional) Save the new customized query to your Saved Reports list:
- Click the three-dot menu, then click Save & Schedule Report.
- In the Name of Query box, type a name that is not already being used by another report.
Note: The Save function cannot overwrite a previously saved report. If you edit the query of a saved report, you must save the new version under a new name.
- (Optional) Click the check box next to Create a scheduled report for saved query and set a schedule for sending an email that will contain a link to download the report.
- Click Save.
- To view the data in CSV or JSON format, click Export.
Editing saved reports
In the Saved Reports menu, you have the option to edit the name of your custom reports. Blumira's Global Reports, which are shared across all accounts, cannot be renamed.
To rename one of your saved reports:
- In Report Builder, click the three-dot menu, then click Load Saved Report.
- Search or scroll to find the report you want to edit.
- Next to the report's name, click the edit icon.
- Edit the name of the report.
- Click the save icon to save the new name.
Changing a saved report's query
If you need to edit the query of one of your saved reports and replace the old version, complete the steps in Customizing reports to edit the query and save it with a new name; the original saved report is not overwritten.
Tip: Use a naming convention that includes a version number (v1, v2, etc.) or the date of creation to support version control.
After you save the new version of the report you can delete the old version, if desired.
Report Builder pro-tips
The following are ways to take your report-building skills to the next level:
- You can left-click a value in the report table to display a menu of additional actions. This menu includes options to add the value to your report's filters and to copy the value to your clipboard, which is a quick way to pivot from one interesting event to every event that shares that value.
- You can click Show Advanced to choose which fields you query against, control which fields are listed in the "Add Filter" options, enable and disable the Suggested Fields options, apply a distinct count to your query results, and select every data source available in your environment.
Note: Applying the Distinct Count to your query results removes the timestamp field.
- You can clear the report and start over by clicking the three dots near the top of the page, then Reset Report.
- Report filters are made from conditions, each of which has a field, an operator, and a value. All of a report's conditions must match for a record to be returned, so choose the operator for each condition carefully.
Note: When using the IN or NOT IN operator with multiple possible values, press the Enter key after each value to add it to the filter before clicking Done. Put all of the alternatives in a single IN condition: because separate conditions must all be true, two IN conditions on the same field require a record to equal both values at once instead of either one, which usually returns no data.
Example using the Equal or Contains operator
When running a report for Duo Security Admin Logs and filtering for bypass actions, the operator "Equal" with the value "bypass" returns zero results, because "Equal" only matches when the entire action name is exactly "bypass".
Changing the operator to "Contains" returns every log in the time range where the word "bypass" appears anywhere in the action name.
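The following Python model, added here as an example and not code from Blumira, reproduces the filter semantics this page describes: Equal versus Contains, IN as a single condition versus two IN conditions that are ANDed together, and a distinct count that drops the timestamp field. The Duo-style log records, field names and action values are constructed for illustration and are not real Duo output.

```python
"""Model of the Report Builder filter semantics described on this page.

The records below are constructed sample data that imitate Duo Security
Admin Log events; the field names and action values are assumptions.
"""
from dataclasses import dataclass
from typing import Any

SAMPLE_LOGS = [
    {"timestamp": "2024-05-01T08:00:00Z", "action": "admin_login", "username": "alice"},
    {"timestamp": "2024-05-01T08:05:00Z", "action": "bypass_create", "username": "alice"},
    {"timestamp": "2024-05-01T08:06:00Z", "action": "bypass_delete", "username": "bob"},
    {"timestamp": "2024-05-01T08:07:00Z", "action": "user_update", "username": "carol"},
    {"timestamp": "2024-05-01T08:09:00Z", "action": "bypass_create", "username": "alice"},
]


@dataclass(frozen=True)
class Condition:
    """One filter condition: a field, an operator and a value."""
    field: str
    operator: str  # "Equal", "Contains", "IN" or "NOT IN"
    value: Any     # a string, or a list of strings for IN / NOT IN

    def matches(self, record):
        actual = record.get(self.field)
        if actual is None:
            return False
        if self.operator == "Equal":
            return actual == self.value          # whole value must match
        if self.operator == "Contains":
            return self.value in actual          # substring anywhere in value
        if self.operator == "IN":
            return actual in self.value          # any one of the listed values
        if self.operator == "NOT IN":
            return actual not in self.value
        raise ValueError(f"unknown operator {self.operator!r}")


def run_report(records, conditions, distinct_count=False):
    """Return the records that satisfy every condition (conditions are ANDed).

    With distinct_count=True, the timestamp field is dropped and identical
    rows are collapsed into one row carrying a count, mirroring the note that
    Distinct Count removes the timestamp field.
    """
    rows = [r for r in records if all(c.matches(r) for c in conditions)]
    if not distinct_count:
        return rows
    counts = {}
    for r in rows:
        key = tuple(sorted((k, v) for k, v in r.items() if k != "timestamp"))
        counts[key] = counts.get(key, 0) + 1
    return [dict(key, count=n) for key, n in counts.items()]


def equal_vs_contains():
    """Equal 'bypass' finds nothing; Contains 'bypass' finds every bypass action."""
    equal = run_report(SAMPLE_LOGS, [Condition("action", "Equal", "bypass")])
    contains = run_report(SAMPLE_LOGS, [Condition("action", "Contains", "bypass")])
    return len(equal), len(contains)


def in_operator_pitfall():
    """One IN condition with two values is OR; two IN conditions are ANDed."""
    one_in = run_report(
        SAMPLE_LOGS,
        [Condition("action", "IN", ["bypass_create", "bypass_delete"])],
    )
    two_ins = run_report(
        SAMPLE_LOGS,
        [Condition("action", "IN", ["bypass_create"]),
         Condition("action", "IN", ["bypass_delete"])],
    )
    return len(one_in), len(two_ins)


def distinct_bypass_by_user():
    """Distinct count of bypass actions per user, with timestamps removed."""
    return run_report(
        SAMPLE_LOGS, [Condition("action", "Contains", "bypass")], distinct_count=True
    )


if __name__ == "__main__":
    print("Equal vs Contains:", equal_vs_contains())
    print("Single IN vs two IN conditions:", in_operator_pitfall())
    for row in distinct_bypass_by_user():
        print(row)
```

Running the block shows the same behaviour the Duo example above describes: the Equal filter returns zero rows, Contains returns the three bypass events, a single IN with both values returns the same three, and two separate IN conditions return nothing because no record can have both action values at once.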