Reports
From The MetaFlows Security System Documentation
The Report Interface manages the historical event reports. These reports summarize the events generated by the sensors at specific recurring intervals or at specific time periods. These reports can be used to document and archive past activity in a permanent format. They also provide some of the top-level information on the distribution of several invariants observed in the events. The reports are interactive; they allow you to click on most of the data that they contain to invoke a historical view (within one year).
Report List
This part of the interface provides a way to quickly locate past reports or delete old ones.
Report Specification
This form allows the creation of custom reports. The descriptions of the form fields are below.
- Report Name
- This is the name given to the report.
- Email PDF Report
- This allows emailing a PDF copy of the report to one or more email addresses (separated by semicolons) when it is generated.
- Group By
- This determines how the rows of events are aggregated.
- Detail Records
- This limits the number of rows in each event aggregation.
- Sort Aggregated Records By
- This determines how the aggregated records are sorted.
- Sort Detail Records By
- This allows the user to sort the detail records within each aggregate.
- Include Cleared Records
- This includes records that have been cleared by the analysts as irrelevant.
- Ranked Events Only
- This includes only records with a ranking > 0.
- Time Period
- Last Day: This generates a daily report.
- Last Week: This generates a weekly report.
- Custom Time Period: This will create one report for the specific time frame.
- IP Addresses
- This reports only the events with specific IP addresses.
- Source/Destination Ports
- This reports only the events with specific ports.
- Event Type
- This specifies which event types to report on.
- All Event Types: This shows all events.
- IDS events can be queried by individual rule file, by event classification, or by a specific GID or SID.
- Syslog events can be queried by category, or by using a string search. In addition to the standard syslog categories, the following MetaFlows-specific events can be queried:
- File-inbound/outbound: This is any file transmission detected coming in or out of your network.
- Tracker: These are multi-session incident reports.
- BotHunter: These are dialog-based incident reports.
- MssBlock: These are SoftIPS blocking reports.
- ModSecurity: This details ModSecurity events.
- The Services option searches for specific services that were discovered.
- Exclude Events
- This allows the user to exclude any records which match this regular expression.
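As an added illustration (not MetaFlows code), the following Python models how the form fields above combine when applied to a set of event rows: cleared and unranked rows are dropped unless requested, IP, port and exclude-regex filters are applied, rows are grouped by the chosen key, and each aggregate keeps at most Detail Records rows. The event keys, the ReportSpec attribute names and the sort keys (event count for aggregates, rank for detail rows) are assumptions chosen to mirror the fields, not the product's schema or API.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (assumed key names, not the MetaFlows schema).
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 443,
     "rank": 3, "cleared": False, "msg": "ET MALWARE beacon"},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 443,
     "rank": 0, "cleared": False, "msg": "ET INFO TLS client hello"},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.2", "dst_port": 80,
     "rank": 2, "cleared": True, "msg": "File-inbound executable"},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.2", "dst_port": 80,
     "rank": 1, "cleared": False, "msg": "Tracker multi-session incident"},
]

@dataclass
class ReportSpec:  # one attribute per form field (assumed names)
    group_by: str = "src_ip"        # Group By: event key used for aggregation
    detail_records: int = 10        # Detail Records: max rows kept per aggregate
    include_cleared: bool = False   # Include Cleared Records
    ranked_only: bool = False       # Ranked Events Only: keep rank > 0
    ip_addresses: set = field(default_factory=set)  # IP Addresses (src or dst)
    ports: set = field(default_factory=set)         # Source/Destination Ports
    exclude: str = ""               # Exclude Events: regex dropping matching rows

def build_report(events, spec):
    """Return [(group_key, count, detail_rows)]; aggregates sorted by count desc."""
    pat = re.compile(spec.exclude) if spec.exclude else None
    groups = defaultdict(list)
    for e in events:
        if not spec.include_cleared and e["cleared"]:
            continue                      # analyst-cleared rows are dropped by default
        if spec.ranked_only and e["rank"] <= 0:
            continue
        if spec.ip_addresses and not ({e["src_ip"], e["dst_ip"]} & spec.ip_addresses):
            continue
        if spec.ports and e["dst_port"] not in spec.ports:
            continue
        if pat and pat.search(e["msg"]):
            continue
        groups[e[spec.group_by]].append(e)
    report = []
    for key, rows in groups.items():
        # detail rows within an aggregate: highest rank first, capped at Detail Records
        detail = sorted(rows, key=lambda r: r["rank"], reverse=True)[:spec.detail_records]
        report.append((key, len(rows), detail))
    return sorted(report, key=lambda g: g[1], reverse=True)
```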
Sample Report