14.4 Report Analyst

NOTE: This section assumes that your Security Administrator has configured your Crystal Enterprise Web Server and published a list of available reports.

14.4.1 Analysis Tab

The Analysis tab allows for historical reporting. Historical and vulnerability reports are published on a Crystal Web Server and run directly against the Sentinel database. These reports are useful for tracking and investigating activity over a long time frame, for instance a week or a month. They can also serve as a high-level way to report to your supervisors. If your reporting Web Server is installed, look in the navigator bar to see which reports are available.

NOTE: Your reports might be different. Sentinel Crystal Reports are “living” reports and are updated constantly.

For example, if you are responsible for generating reports for upper management within your organization, you can run Source Destination Reports. These are Top 10 Source to Destination IP Pairs on host names, ports, IPs and users.

To run a Crystal Report:

  1. Expand Top 10, highlight Top 10 Source to Destination IP Pairs, and click Create Reports (magnifying glass).

  2. For the username, specify the Sentinel Report User (for SQL authentication and Oracle) or your Windows Authentication username, then specify your password.

  3. Under Report Type, select one of the following:

    • Specific Date Range

    • Prior Day

    • Daily Report

    • Weekly Report

    • Monthly Report

    NOTE: Other reports might have additional parameters such as resource name and severity range.

  4. Click OK. The following is a sample monthly report.

  5. You can export this file as a doc, pdf, rtf, xls or as a Crystal Report by clicking Export (envelope).

As with the Security Analyst, if your reports contain one or more events of interest, you can run an Event Query under the Analysis tab. To run a query, highlight Historical Events > Historical Event Queries and click Create Reports (magnifying glass). For more information, see the section Event Query Sample Scenario.