Overview
You can use the Report Builder (Reporting > Report Builder) to analyze the logged events that you send to Blumira. This is useful for activities such as:
- digital forensics and incident response (DFIR) work
- threat hunting
- general operational monitoring
The Report Builder includes global reports that are frequently used by Blumira customers, but you can also create your own custom queries and save them for ongoing monitoring and analysis.
Using Global Reports
To use a Blumira-created global report, follow these steps:
- Navigate to Reporting > Report Builder.
- In Report Builder, open the additional options menu (three dots).
- Click Load Saved Report.
- In Saved Reports, select the report that you want to use.
Note: You can type a name or keyword to filter the list, or scroll to find a specific report.
- (Optional) After the selected report loads, you can adjust the time range, data sources, or advanced options (Show Advanced) to refine the report's results. Click Submit to load your customized results.
Tip: Report Builder displays up to 5,000 records in the app so that web browsers do not time out during a query. If your query returns more than 5,000 results, you will see the error "Your search exceeded the maximum number of rows (5000)" above the table. To get all records for a query, use the Export option to download a CSV or JSON file that contains all of the relevant data.
Creating and Customizing Reports
In addition to Blumira's pre-built reports, you can create your own custom queries and save them for repeated use.
To create a custom report:
- From the Time Range box, select the timeframe of data that you want to return. You can select one of the provided values or click Custom to select specific dates and times.
- From the Data Sources list, select the source(s) of the logs that you want to analyze.
- Click Submit to view the results.
- (Optional) Adjust how the results appear by doing any of the following:
  - Click Show Advanced, then add or remove Fields and/or Filters and click Submit to see the updated results.
Note: Blumira automatically hides fields that do not have any data from the log source. If you are expecting to see a field, you may need to adjust your filters to see the field as an option. The filters that you can use for the report depend on the data sources that you select.
  - Drag and drop columns to rearrange their position in the table.
  - Change the sort order by clicking a header label to sort by that field.
- If you want to use the query that you created again in the future, click Save Report.
Tip: Name the report with your company name so that it's easy to find in the future.
- To view the data in CSV or JSON format, click Export.
Report Builder pro-tips
The following are ways to take your report-building skills to the next level:
- You can left-click on a value in the report table to display a menu of additional actions. This menu includes the options to add the value to your report's filters and to copy the value to your clipboard.
- You can click Show Advanced to choose which fields you query against, dictate which fields are listed in the "Add Filter" options, enable and disable Suggested Fields options, apply a distinct count to your query results, and select all data sources available in your environment.
Note: Applying the Distinct Count to your query results removes the timestamp field.
- You can clear the report and start over by clicking the three dots near the top of the page, then Reset Report.
- Report filters are made from conditions that include a field, an operator, and a value. Adjust the operator you use in a filter condition to improve your results. Operator options include:
  - Equal
  - Not Equal
  - Contains
  - Not contains
  - In
  - Not in
  - Regex
  - Negate Regex
Example: When running a report for Duo Security Admin Logs and filtering for results where there was a bypass action, using the operator "Equal" returns zero results. Changing the operator to "Contains" returns all logs in the time range where the word "bypass" appears in any part of the action name.
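The following Python snippet is an added illustration of how the eight filter operators differ on the same data; it is not Blumira code and does not reproduce Report Builder's actual query engine. The sample records, their field names (`timestamp`, `username`, `action`), and the exact operator semantics (case-sensitive matching, a list or comma-separated string for "In", records lacking the field never matching) are all assumptions made for the example. It also shows why a Distinct Count is computed without the timestamp field: keeping a unique timestamp on every row would make every row distinct.

```python
import re
from typing import Any, Callable, Dict, List, Sequence, Tuple

# Constructed sample records, loosely shaped like Duo Security admin-log events.
# Field names and values are assumptions for this example, not Blumira's schema.
SAMPLE_LOGS: List[Dict[str, Any]] = [
    {"timestamp": "2024-01-10T09:00:00Z", "username": "alice", "action": "admin_login"},
    {"timestamp": "2024-01-10T09:05:00Z", "username": "bob", "action": "bypass_create"},
    {"timestamp": "2024-01-10T09:07:00Z", "username": "carol", "action": "bypass_delete"},
    {"timestamp": "2024-01-10T09:12:00Z", "username": "alice", "action": "user_update"},
    {"timestamp": "2024-01-10T09:15:00Z", "username": "dave", "action": "bypass_view"},
]


def _in(value: Any, choices: Any) -> bool:
    # "In" is assumed to accept either a list of allowed values or a
    # comma-separated string of them.
    if isinstance(choices, str):
        choices = [c.strip() for c in choices.split(",")]
    return value in choices


# One predicate per operator name from the page. Each receives the record's
# field value and the filter value and reports whether the record matches.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equal": lambda v, f: v == f,                       # whole value must match exactly
    "Not Equal": lambda v, f: v != f,
    "Contains": lambda v, f: f in str(v),               # substring anywhere in the value
    "Not contains": lambda v, f: f not in str(v),
    "In": lambda v, f: _in(v, f),                       # value is one of several allowed values
    "Not in": lambda v, f: not _in(v, f),
    "Regex": lambda v, f: re.search(f, str(v)) is not None,
    "Negate Regex": lambda v, f: re.search(f, str(v)) is None,
}


def apply_filter(records: Sequence[Dict[str, Any]], field: str,
                 operator: str, value: Any) -> List[Dict[str, Any]]:
    """Return the records whose `field` satisfies `<operator> value`.

    Records that do not carry the field never match (an assumption consistent
    with the page's note that fields without data are hidden)."""
    try:
        test = OPERATORS[operator]
    except KeyError:
        raise ValueError(f"unknown operator {operator!r}; choose one of {list(OPERATORS)}")
    return [r for r in records if field in r and test(r[field], value)]


def distinct_count(records: Sequence[Dict[str, Any]],
                   fields: Sequence[str]) -> Dict[Tuple[Any, ...], int]:
    """Count each distinct combination of the requested fields.

    The timestamp field is dropped before grouping, mirroring the page's note
    that Distinct Count removes it; otherwise every row would be unique."""
    grouped = [f for f in fields if f != "timestamp"]
    counts: Dict[Tuple[Any, ...], int] = {}
    for r in records:
        key = tuple(r.get(f) for f in grouped)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # The Duo example from the page: "Equal" misses, "Contains" finds the bypass actions.
    print(len(apply_filter(SAMPLE_LOGS, "action", "Equal", "bypass")))     # 0
    print(len(apply_filter(SAMPLE_LOGS, "action", "Contains", "bypass")))  # 3
    print(distinct_count(SAMPLE_LOGS, ["timestamp", "username"]))
```

Running the script reproduces the page's example: "Equal" with the value "bypass" returns no rows because no action is exactly "bypass", while "Contains" returns the three rows whose action name includes the word. "Regex" with an anchored pattern such as `^bypass_(create|delete)$` narrows that further when "Contains" is too broad.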