Lesson 12: Investigative Reports

Learn what investigative reports are and how to find specific information. Generate and modify a detail view report, and create Favorite reports that can be scheduled on a repeating cycle.

Investigative reports let you interact directly with the Internet activity data stored in the Log Database. Initially, a bar chart showing today’s activity by risk class is displayed. Investigate areas of concern by clicking appropriate chart elements to drill down for greater detail or by using the search feature.

  • Make a few selections to view multiple levels of information, such as the top 5 users in the top 5 categories.
  • A separate detail view gives you a tabular report of related information. You can customize the columns displayed, and create a summary view of this table.
  • See Investigative reports reference for more information about what can be displayed in investigative reports.

In networks that use delegated administration, Super Administrators control who has access to these features.

Exercise 1: Use search to locate specific data

To generate reports on specific URL hosts, destination IP addresses, users, groups, source IP addresses, address ranges, or ports, you can start by performing a search.

  1. On the Main > Reporting > Investigative Reports page, open the Search for drop-down list and select one of the following options.
    • To identify a user by name, select User. (User Service must be installed.)
    • To identify a machine by its IP address, select Source IP.
  2. Enter all or part of a user name or IP address (depending on which option you selected in step 1), then click the right arrow button.
  3. A new report showing activity specific to the user or IP you entered is displayed.

Exercise 2: Drill down to investigate activity

In addition to search, you can click on or select items in a summary report to drill down into the details and locate the information that matters most to your organization.

  1. On the Reporting > Investigative Reports page, expand the Internet Use by list and select Risk Class.
  2. In the resulting summary report, click Security Risk to display a list of drill-down options.

    If there is no Security Risk entry, clients in your network have not requested any sites in that risk class. In that case, select another risk class.

  3. Select by User from the list of options to generate a new report showing each user's activity in all categories assigned to the Security Risk class.

    If you are not using User Service, this list shows the source IP addresses for the requests.

  4. Click a user name or IP address, then select by URL Hostname. A new report is generated, showing the Security Risk URLs requested by the selected client.

Note that you can change the report time period using the View drop-down list or the View from date fields. You can also change the measurement used to quantify activity by selecting a new option from the Measure drop-down list in the toolbar near the top of the content pane.

Exercise 3: Creating a multi-level report

Starting with a report on the main Investigative Reports page, you can define a second level of information to display. This allows you, for example, to compare the most active users in one category with the most active users in another category.

  1. In the breadcrumbs beside the Internet Use by list, click User.

    The chart displays the users in the risk class selected in the previous exercise.

  2. In the bar above the chart, enter the following:
    • Select top 5
    • by Category
    • and Display 10 Results
  3. Click the Display Results button.

    The chart updates to show bars for only the top 5 users. Below each bar is a list of the 10 categories requested the most often by that user during the timeframe.

You can create a multi-level report with different combinations of data. Simply modify the bar chart to show the high-level data of interest, then define the second level as described above.

Exercise 4: Using flexible detail reports

Flexible detail reports give a tabular view of data related to a specific area of interest. You can change to a summary view of the same data, and change the information columns displayed.

  1. On the main Investigative Reports page, select User from the Internet Use by list.
  2. Click the bar or number for any user that shows a significant number of hits.

    A detail view appears, showing a tabular report of today’s traffic for the selected user. The default report includes columns for Day, Time, URL Hostname, Category, and Hits.

  3. Click Modify Report in the toolbar at the top of the content pane.
  4. Use the controls in this dialog box to remove the Time column, and add Action as a column, between Date and URL Hostname.

    You can choose up to 7 columns in this dialog box. Be sure to choose columns that are appropriate for the data being reported, or the column will be blank.

    Notice that although the report shows hits, Hits does not appear as an entry in the list. Reports based on hits must include Hits as the rightmost column.

  5. Click Submit to close the dialog box and update the report.

    The new columns are now displayed, in the order you specified.

  6. Click Summary, in the upper right corner of the content pane.

    The updated report combines all hits with the same URL hostname and date into a single entry showing the total number of hits.

The Summary report option is available only when the Time column is not displayed. It combines rows that share a common element. The combined element varies according to the information in the report. In this example, it combines those with the same URL hostname.
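The Summary behaviour described above and the two-level ranking from Exercise 3, modelled in Python as an added example (not product code). The rows, users, hostnames, and field names are constructed assumptions; the Log Database schema is not shown in this lesson.

```python
from collections import Counter, defaultdict, namedtuple

# Constructed sample rows; field names are assumptions modelled on the
# detail-view columns named in this lesson (Day, Time, URL Hostname, ...).
Row = namedtuple("Row", "user day time host category hits")
ROWS = [Row(*r) for r in [
    ("alice", "2024-05-01", "09:01", "a.example.com", "Spyware", 3),
    ("alice", "2024-05-01", "09:05", "a.example.com", "Spyware", 2),
    ("alice", "2024-05-01", "10:00", "b.example.com", "Phishing", 4),
    ("bob",   "2024-05-01", "09:30", "a.example.com", "Spyware", 1),
    ("bob",   "2024-05-01", "11:00", "c.example.com", "Hacking", 6),
    ("carol", "2024-05-01", "12:00", "b.example.com", "Phishing", 2),
]]

def summary_view(rows, displayed_columns):
    """Combine rows with the same day and URL hostname, summing hits.

    Every row has a distinct timestamp, so nothing could be combined while
    Time is displayed; this is why Summary requires removing that column.
    """
    if "time" in displayed_columns:
        raise ValueError("Summary is unavailable while Time is displayed")
    totals = Counter()
    for r in rows:
        totals[(r.day, r.host)] += r.hits
    # Largest totals first; ties broken by key for a stable order.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def multi_level(rows, top_users, per_user):
    """Top N users by hits, each with their N most-requested categories."""
    by_user = defaultdict(Counter)
    for r in rows:
        by_user[r.user][r.category] += r.hits
    ranked = sorted(by_user, key=lambda u: (-sum(by_user[u].values()), u))
    return [
        (u, sorted(by_user[u].items(), key=lambda kv: (-kv[1], kv[0]))[:per_user])
        for u in ranked[:top_users]
    ]

if __name__ == "__main__":
    alice = [r for r in ROWS if r.user == "alice"]
    for key, hits in summary_view(alice, ["day", "host", "category"]):
        print(key, hits)
    for user, cats in multi_level(ROWS, top_users=2, per_user=10):
        print(user, cats)
```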

Exercise 5: Saving and scheduling Favorites

Favorites are report definitions that you want to reproduce easily, and may want to schedule on a repeating cycle. You can save reports shown on the main Investigative Reports page, or the flexible detail view.

  1. Generate a report that shows information you want to reproduce easily.
  2. Click Favorite Reports at the top of the content pane.
  3. On the Favorite Reports page, a file name is suggested for the report. Accept that name or enter a different file name, if desired.

    Only letters, numbers, and underscore characters (_) are permitted in the file name.

  4. Click Add to save the report as a Favorite.
  5. Select the added report in the list, and then click Schedule to run the report on a repeating cycle.
  6. Fill in the information requested.

    To create a recipient list, enter an address in the Additional Email Addresses field, and then click Add. Be sure to highlight one or more email addresses to be recipients.

  7. Click Next after all entries are complete to display a confirmation screen showing your selections.
  8. Click Save to save the scheduled report job and display a list of all scheduled reports.

The job will run according to the schedule you set, and email the report to the selected recipients. At any time, you can review the list of scheduled jobs, edit a job definition, or delete an obsolete job by clicking Job Queue on the main Investigative Reports page.

If you are a reporting administrator in an investigative reporting role, you have completed the tutorial. See Where Do I Go Next? for additional resources.

If you have Real-Time Monitor permissions, continue with Lesson 13: Real-Time Monitor.