
Sheriff CSM™

Create Custom Reports from SIEM Events

If the available report modules do not suit your needs, you can generate your own module, which defines the data that will be included in a report.

This section covers the following subtopics:

Occasionally you may want to generate a report from the security events that Sheriff CSM detects in your environment. To do that, you need to create a report module first.

To create a custom report from security events
  1. Go to Analysis > Security Events (SIEM) and perform a search to include the events you want to see.
  2. Click Change View to select a predefined view.

    Predefined views include Default, Taxonomy, Reputation, Detail, Risk Analysis, and IDM. Each view displays the same events but with different columns.

  3. Alternatively, click Change View and then select Create New View.

    1. In Create New Custom View, select the columns you want to see in this view.
    2. To apply the same query every time you launch this view, select Include custom search criteria in this predefined view.
    3. Type a name for the view, and then click Create.

    Sheriff CSM saves your changes and refreshes the page to display the view.

  4. Click Change View again and select Edit Current View.

  5. In Edit Current View, click Save as Report Module at the bottom.

  6. Go to Reports > All Reports, click Modules, and then expand Custom Security Events.

    See the new module listed. It has the same name as the custom view.

  7. To generate the report, click the blue arrow next to the module's name, and then go through the Report Wizard.

    Notice that the report module, Custom Security Events - <name of your custom view>, is already selected for you.

  8. Alternatively, follow the steps in Create a New Report from Scratch and add the new report module yourself.

Sheriff CSM saves the custom report under Reports > All Reports > Custom Reports. You can then run the custom reports the same way as the built-in reports.

In the Sheriff CSM built-in reports, each report module appears only once. Sometimes you may want to use the same module multiple times, but with different parameters. For example, you may want to generate a report on all alarms ordered by different DS groups. In this scenario, you need to save the corresponding report module as a new report module, and then add it while building the custom report.

To create a new module from an existing one
  1. Run a report following the instructions in Modify Built-in Reports.

  2. In Step 3 of the wizard, locate the module you want to duplicate, change the parameters of the module as desired, and then click Add as a New Report Module.

  3. In Add a New Subreport, type a name and click Add.

    Sheriff CSM saves the module with the changed parameters.

To use the new module in a report
  1. Create a new report. For instructions, see Create Custom Reports.

  2. In Step 1 of the wizard, search for the module you just saved, and then add it to your report.

  3. Add more modules if you want and finish running the wizard.

Topic revision: r9 - 27 Apr 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.