Scheduled reports

You can schedule a report to show this information:

  • All Events
  • Threat Events
  • Access Control Events
  • Alerts only
  • DNS Summary Report data
  • Proxy Summary Report data

A scheduled report that's configured to show all alerts contains event information based on the threat categories or lists that are enabled with the Send Alerts setting in a policy. The Send Alert setting sends alert notifications to users who are configured to receive them. A scheduled report with only alerts shows the events that triggered these alerts.

If an administrator configures a report to show All Events, report recipients receive information about all events, regardless of whether a policy is enabled with the Send Alert setting.

In addition to showing all event and alert data, an administrator can configure a report to show only threat events, access control events, DNS summary report data, or proxy summary data. Generated report data for alerts and events is emailed to report recipients and presented in the body of the email. When you schedule a report with DNS summary or proxy summary data, the report recipient is emailed a PDF report that contains bar graphs. The bar graphs show the top activity based on report dimensions such as location, geographical region, domains, and more. This is the same data that an administrator can see in the DNS or proxy summary reports.

When creating a report, an ETP administrator can specify these settings:

  • Schedule a report to run on a daily or weekly basis.

  • Select the format of the report output. Report results are sent to the provided email addresses in HTML or plain text format. You enter the email addresses of ETP administrators or users who you want to receive report results.

  • Configure a scheduled report to show events for a specific location, sub-location, or multiple locations or sub-locations. By default, scheduled reports show data based on all locations. If you are a delegated or strict delegated administrator, you can select the locations that you are allowed to access.

Scheduled reports appear as a list on the Scheduled Reports page. With this view, you can easily review the settings associated with each report and if necessary, modify them.

Like alert notifications, an event report that is sent to administrators or ETP users is organized around domains and includes information about the event or alert such as the associated location, policy, and list. The report also includes alert or event details such as the action taken on the event. The report can show up to 5,000 events.

For more information on the data that is shown in report results, see Data in alert notifications and scheduled reports.

Schedule a report

You can schedule a report that includes alert information, all events, and specific event information. You can schedule a report to run daily or on a specific day of the week. You can also specify a location or multiple locations that you want to report on.

Report results are emailed to users you configure to receive the scheduled report.

You need to be an ETP administrator to perform this task. If you are a delegated administrator or strict delegated administrator, you can schedule a report and modify, enable, or disable a scheduled report that you created. You cannot modify scheduled reports created by other administrators. The report results that an administrator receives are based on the locations that a delegated or strict delegated administrator created or is permitted to access. For more information, see Grant delegated or tenant access.

To schedule a report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports.

  2. Click the plus sign icon. A new row for a scheduled report appears with default settings that you can modify.

  3. In the Report Type column, click the menu and select one of these report types:

    • All Events
    • Threat Events
    • Access Control Events
    • Alerts Only
    • DNS Summary Report
    • Proxy Summary Report
  4. To report data for a specific location or sub-location, click the link icon and select the locations that you want to associate. By default, all locations are selected. After selecting the locations, click Associate.

  5. In the Recurrence column, click the menu and select Daily or a day of the week.

  6. In the Timezone column, click the menu and select the time zone for the report.

  7. In the Format column, click the menu and select HTML or Text.

  8. In the Recipient column, click the field and enter the email addresses of users who you want to receive the report.

  9. Click Save.

Edit a scheduled report

An ETP administrator can edit a scheduled report. You can modify most settings associated with the report, including report recurrence, time zone, and the users who are configured to receive report results. You cannot modify the report format.

**Note**: An ETP administrator can only edit the scheduled reports that they created. For more information, see Grant delegated or tenant access.

To edit a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports.

  2. Modify the settings associated with the report:

    1. Click the column of the scheduled report that you want to edit.

    2. To modify the report type, recurrence, or time zone, select a new setting from the provided menus.

    3. To select new locations or sub-locations to report on, click the link icon. Select or deselect locations or sub-locations.

    4. If you are providing a new recipient, enter the new email address.

    5. To change the status, toggle the Status switch.

  3. Click Save.

Delete a scheduled report

An ETP administrator can delete a scheduled report that is no longer needed. A delegated or strict delegated administrator can delete a scheduled report that they created.

To delete a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports.

  2. Click the trash bin icon.

  3. Click Yes to confirm the deletion.

Enable a scheduled report

If a scheduled report was previously disabled, you can enable it again. You need to be an Enterprise Threat Protector administrator to perform this task.

**Note**: A delegated or strict delegated administrator can enable a scheduled report that they created. For more information, see Grant delegated or tenant access.

To enable a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports.

  2. Go to the report that you want to enable and in the status column, toggle the switch to enable it.

Disable a scheduled report

If you are an Enterprise Threat Protector administrator, you can disable a scheduled report configuration.

**Note**: A delegated or strict delegated administrator can disable a scheduled report that they created. For more information, see Grant delegated or tenant access.

To disable a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports.

  2. Go to the scheduled report that you want to disable and in the status column, toggle the switch to disable it.

Data in alert notifications and scheduled reports

This table describes the data that is included in an alert notification email or scheduled report:

**Note**: If you select Text format for the report, columns and values in the report are shown in a pipe-delimited format.

**Note**: If you schedule a report for DNS or proxy summary data, an administrator is emailed a PDF that contains bar graphs with the top activity for a specific dimension, such as location, geographical region, domain, and more. This is the same data that an administrator can view in the DNS Summary and Proxy Summary activity reports.

Data

Description

Details

Includes the following information about the event or alert:

  • The requested domain. Domains appear as links to the Indicator Search page where additional information about the event is provided.
  • Whether the event was detected while the end user was on or off the corporate network
  • Action taken to mitigate the threat as a result of the associated policy configuration.
  • The confidence level that <> has in classifying the domain as a threat. The report indicates whether the domain is a confirmed or suspected threat.
**Note**: If the report is in text format, domain, detection, action taken, and confidence data appear as separate pipe-delimited values.

Location

The location or sub-location of the user who made the request. The provided location is also a link to the Locations page in ETP.

Policy

The policy that is associated with the location. The provided policy name is also a link to the Policies page in ETP.

List

The list where this domain is a confirmed or suspected threat. The provided list name is also a link to the Custom Lists page.

Affected Internal IP

The private or internal IP address of a machine in your network that communicates with the security connector and is known to be compromised. This value appears in a scheduled report when an Affected Internal IP is detected in a DNS security connector event. This data does not appear in alert notifications.

Count or DNS Count

The total number of alerts or events that are associated with the domain. The count for a domain is also a link to the Threat Events report.

URI(s)

Uniform Resource Identifier: a string of characters that identifies a resource, for example, a URL. As a result of grouping data by domain and locations, more than one URI may be listed in alert notifications and scheduled report results.

Reason(s)

Indicates how a threat event was identified.

Any of these reasons may appear:

  • **<> Intelligence**: Indicates that the threat event was identified by <> or a threat category.
  • **Customer Intelligence**: Indicates that the threat event was found based on an administrator's custom list configuration.
  • **Document Static Analysis**: Indicates that the threat event was found based on inline payload analysis of a document.
  • **Executable Static Analysis**: Indicates that the threat event was found based on inline payload analysis of a document.
  • **AV scan**: Indicates that the threat event was found by an antivirus scan.

As a result of grouping data by domain and locations, more than one reason may be provided in alert notifications and scheduled report results.

HTTP Count

The total number of alerts or events that are associated with HTTP traffic.
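
The following added example, which is not part of the product documentation, parses a Text-format report body for ingestion into other tooling and rejects rows whose columns were shifted by a literal pipe inside a URI. The header row, column order, field values, the ";" separator inside URI(s) and Reason(s), and applying the 5,000-event limit to the summed Count column are all assumptions; check them against a real report before relying on the output.

```python
import csv
import io
from collections import Counter

EVENT_CAP = 5000  # the page states a report can show up to 5,000 events
MULTI_VALUED = ("URI(s)", "Reason(s)")

# Constructed sample. Header row, column order, field values and the ";"
# separator inside URI(s)/Reason(s) are assumptions, not the product's format.
SAMPLE_REPORT = """\
Domain|Detection|Action|Confidence|Location|Policy|List|Count|URI(s)|Reason(s)
bad.example|On network|Blocked|Confirmed|HQ|Default|Malware|3|http://bad.example/a;http://bad.example/b|Customer Intelligence
c2.example|Off network|Monitored|Suspected|Branch-1|Default|C&C|1|http://c2.example/x|AV scan;Document Static Analysis
odd.example|On network|Blocked|Confirmed|HQ|Default|Malware|2|http://odd.example/?q=a|b|AV scan
"""

def parse_report(text):
    """Return (rows, malformed_line_numbers) for a pipe-delimited report body."""
    reader = csv.reader(io.StringIO(text), delimiter="|", quoting=csv.QUOTE_NONE)
    header = [h.strip() for h in next(reader)]
    rows, malformed = [], []
    for fields in reader:
        if not fields:
            continue  # blank line
        row = dict(zip(header, (f.strip() for f in fields)))
        # A literal "|" inside a URI shifts every later column, so reject any
        # row whose field count or Count value does not match the header.
        if len(fields) != len(header) or not row["Count"].isdigit():
            malformed.append(reader.line_num)
            continue
        row["Count"] = int(row["Count"])
        for col in MULTI_VALUED:
            row[col] = [v for v in row[col].split(";") if v]
        rows.append(row)
    return rows, malformed

def summarize(rows):
    """Aggregate event counts per location and flag a report that hit the cap."""
    by_location = Counter()
    for row in rows:
        by_location[row["Location"]] += row["Count"]
    total = sum(by_location.values())
    return {"total": total, "by_location": dict(by_location),
            "at_cap": total >= EVENT_CAP}

if __name__ == "__main__":
    parsed, bad_lines = parse_report(SAMPLE_REPORT)
    print(summarize(parsed), "malformed lines:", bad_lines)
```

A report flagged `at_cap` may be missing events beyond the limit, so narrow its locations or report type rather than treating it as complete.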
