Scheduled reports and notifications

On the Scheduled Reports page, you can:

Scheduled reports

You can schedule reports to show:

  • Dashboards. You can send a report that provides a snapshot of a dashboard.
  • Events and Summary Data. You can send a report that shows one of these data types:
    • All Events
    • Threat Events
    • Access Control Events
    • Alerts
    • DNS Summary data
    • Proxy Summary data

When creating a report, you:

  • Schedule a report to run on a daily or weekly basis.
  • Provide the email addresses of SIA administrators or users who will receive report results.
  • Select the format of the report output. You can send event and alert reports in HTML or plain text format, while dashboard and summary data reports are sent in PDF only. Generated report data for alerts and events is emailed to report recipients and presented in the body of the email.
  • For event and summary reports, you can configure the report to show data for a specific location, sub-location, or multiple locations or sub-locations. By default, scheduled reports show data based on all locations. If you are a delegated or strict delegated administrator, you can select the locations that you are allowed to access.

When you schedule a report with DNS summary or proxy summary data, the report recipient is emailed a PDF report that contains bar graphs. The bar graphs show the top activity based on report dimensions such as location, geographical region, domains, and more. This is the same data that an administrator can see in the DNS or proxy summary reports.

A scheduled report that's configured to show all alerts contains event information based on the threat categories or lists that are enabled with the Send Alert setting in a policy. The Send Alert setting sends alert notifications to users who are configured to receive them. A scheduled report with only alerts shows the events that triggered these alerts.

If an administrator configures a report to show All Events, report recipients receive information about all events, regardless of whether a policy is enabled with the Send Alert setting.

An event report that is sent to administrators or ​SIA​ users is organized around domains and includes information about the event or alert such as the associated location, policy, and list. The report also includes alert or event details such as the action taken on the event. The report can show up to 5,000 events.

For more information on the data that is shown in report results, see Data in alert notifications and scheduled reports.

Dashboard reports

A dashboard report provides a snapshot of the selected dashboard. You can select one dashboard for each report.

Note: If you create a dashboard report from the Dashboard page, you can select multiple dashboards that you want to report on. However, users receive separate reports for each dashboard. For more information, see Dashboard.

Report recipients receive a PDF that shows dashboard data. You can select the report to run on a daily or weekly basis. A daily dashboard report contains data from the previous 24 hour period (12 AM to 12 AM). A weekly report contains data for the seven days prior to the selected week day. For example, if you select to run a weekly Monday report, the report shows data for events or activity that occurred from the previous Monday (12 AM) to the most recent Monday (12 AM). Data is shown in the time zone you selected.
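
To line a dashboard report up with logs that are kept in UTC, the reporting window described above can be computed explicitly. This is an added example, not Akamai code; the function names are hypothetical, and it assumes the window runs from midnight to midnight in the selected time zone, so it can be 23 or 25 hours long across a daylight-saving change.

```python
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def report_window_utc(run_day: date, tz_name: str, frequency: str = "Daily"):
    """Return (start, end) in UTC for the report that runs on run_day.

    frequency is "Daily" or a weekday name, mirroring the Frequency column.
    The window is half-open: start <= event time < end.
    """
    tz = ZoneInfo(tz_name)
    if frequency == "Daily":
        days = 1
    elif frequency in WEEKDAYS:
        if WEEKDAYS[run_day.weekday()] != frequency:
            raise ValueError(f"{run_day} is not a {frequency}")
        days = 7
    else:
        raise ValueError(f"unknown frequency: {frequency!r}")
    # 12 AM on the run day and 12 AM `days` earlier, both in the report's zone.
    end_local = datetime.combine(run_day, time.min, tzinfo=tz)
    start_local = datetime.combine(run_day - timedelta(days=days),
                                   time.min, tzinfo=tz)
    return (start_local.astimezone(timezone.utc),
            end_local.astimezone(timezone.utc))


def covered(event_utc: datetime, window) -> bool:
    """True if a timezone-aware event timestamp falls inside the window."""
    start, end = window
    return start <= event_utc < end


if __name__ == "__main__":
    # Constructed case: a weekly Monday report in a zone that changed to
    # daylight-saving time during the reported week.
    start, end = report_window_utc(date(2024, 3, 11), "America/New_York", "Monday")
    print(start.isoformat(), "to", end.isoformat())
```

An event logged outside the returned window is absent from that report by design, not because it was missed.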

Schedule a report

You can schedule a report that includes alert information, all events, specific event information, or a snapshot of a dashboard. You can schedule a report to run daily or on a specific day of the week. You can also specify a location or multiple locations that you want to report on.

In this procedure, you also configure the users who receive report results.

You need to be an SIA administrator to perform this task. If you are a delegated administrator or strict delegated administrator, you can schedule a report, modify a scheduled report, and enable or disable a scheduled report that you created. You cannot modify scheduled reports created by other administrators. Report results that an administrator receives are based on the locations that a delegated or strict delegated administrator created or is permitted to access. For more information, see Grant delegated or tenant access.

To schedule a report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.

  2. If you are scheduling a dashboard report, in the Dashboards section, click Add report. From the drop-down menu, select a dashboard.

  3. If you are scheduling an event or summary report, in the Reports section, do the following:

    1. Click Add report.

    2. In the Report Type menu, select one of these report types:

      • All Events
      • Threat Events
      • Access Control Events
      • Alerts Only
      • DNS Summary Report
      • Proxy Summary Report
    3. If you selected an alert or event report, select the format of the report. You can select HTML or TXT. For a summary data report, there is no option to select format. Summary data reports are sent in PDF only.

    4. By default, all locations are selected. To report data for specific locations or sub-locations, in the Locations column, click the link icon and deselect any location or sub-location that you don’t want to include in the report. Click Associate.

  4. In the Recipient column, click the link icon and enter an email address or an address for a distribution list. Click Submit.

  5. In the Frequency column:

    1. Select Daily or a specific day of the week when you want the report to run.
    2. Select the time zone that you want to use in the report.
  6. For the Status, select the toggle to turn it on or off. By default, a report you create is turned on.

  7. Click the check mark icon to save your settings.

Edit a scheduled report

An SIA administrator can edit a scheduled report. You can modify most settings associated with the report, including report recurrence, time zone, and the users who are configured to receive report results. You cannot modify the report format.

Note: An SIA administrator can only edit the scheduled reports that they created. For more information, see Grant delegated or tenant access.

To edit a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.

  2. Hover over the scheduled report that you want to modify.

  3. Click the menu icon and select Edit.

  4. To modify the frequency at which the report is run or the time zone used in the report, select new settings from the Frequency menus.

  5. To select new locations or sub-locations for an event or summary report, click the link icon. Select or deselect locations or sub-locations.

  6. If you are providing a new recipient, click the chain icon, enter a new email address, and click Submit.

  7. To change the status of the report, toggle the Status.

  8. Click the check mark icon to save your changes.

Delete a scheduled report

An SIA administrator can delete a scheduled report that is no longer needed. A delegated or strict delegated administrator can delete a scheduled report that they created.

To delete a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.

  2. Hover over the scheduled report that you want to delete.

  3. Click the menu icon and select Delete.

  4. Click Yes to confirm the deletion.

Enable a scheduled report

If a scheduled report was previously disabled, you can enable it again. You need to be an SIA administrator to perform this task.

Note: A delegated or strict delegated administrator can enable a scheduled report that they created. For more information, see Grant delegated or tenant access.

To enable a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.

  2. Go to the scheduled report that you want to enable.

  3. In the status column, toggle the switch to on.

Disable a scheduled report

If you are an SIA administrator, you can disable a scheduled report configuration.

Note: A delegated or strict delegated administrator can disable a scheduled report that they created. For more information, see Grant delegated or tenant access.

To disable a scheduled report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.

  2. Go to the scheduled report that you want to disable.

  3. In the status column, toggle the switch to off.

Data in alert notifications and scheduled reports

This table describes the data that is included in an alert notification email or a scheduled report for events or summary data.

If you select Text format for the report, columns and values in the report are shown in a pipe-delimited format.

Note: If you schedule a report for DNS or proxy summary data, an administrator is emailed a PDF that contains bar graphs with the top activity for a specific dimension, such as location, geographical region, domain, and more. This is the same data that an administrator can view in the DNS Summary and Proxy Summary activity reports.

Data: Description

Details: Includes the following information about the event or alert:

  • The requested domain. Domains appear as links to the Indicator Search page where additional information about the event is provided.
  • Whether the event was detected while the end user was on or off the corporate network.
  • The action taken to mitigate the threat as a result of the associated policy configuration.
  • The confidence level that SIA has in classifying the domain as a threat. The report indicates whether the domain is a confirmed or suspected threat.

  Note: If the report is in text format, domain, detection, action taken, and confidence data appear as separate pipe-delimited values.

Location: The location or sub-location of the user who made the request. The provided location is also a link to the Locations page in SIA.

Policy: The policy that is associated with the location. The provided policy name is also a link to the Policies page in SIA.

List: The list where this domain is a confirmed or suspected threat. The provided list name is also a link to the Custom Lists page.

Affected Internal IP: The private or internal IP address of a device in your network.

Count or DNS Count: The total number of alerts or events that are associated with the domain. The count for a domain is also a link to the Threat Events report.

URI(s): Uniform Resource Identifier. Characters or string that identify a resource. For example, a URL. As a result of grouping data by domain and locations, more than one URI may be listed in alert notifications and scheduled report results.

Reason(s): Informs how a threat event was identified. Any of these reasons may appear:

  • Akamai Intelligence: Indicates threat event was identified by Akamai or a threat category.
  • Customer Intelligence: Indicates threat event was found based on an administrator's custom list configuration.
  • Document Static Analysis: Indicates threat event was found based on inline payload analysis of a document.
  • Executable Static Analysis: Indicates threat event was found based on inline payload analysis of a document.
  • AV scan: Indicates threat event was found by an antivirus scan.

  As a result of grouping data by domain and locations, more than one reason may be provided in alert notifications and scheduled report results.

HTTP Count: The total number of alerts or events that are associated with HTTP traffic.
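
A text-format report can be checked before it is passed to a ticketing or triage pipeline. The following is an added example, not Akamai code: it assumes the first line of the report body is a header row and uses hypothetical column names (Domain, Detection, Action Taken, Confidence, Location, Policy, List, Count) modelled on the data described above; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Page: "The report can show up to 5,000 events." Reading a total at or above
# this figure as "possibly cut off" is an assumption of this example.
REPORT_EVENT_CAP = 5000

# Constructed sample; header names and row values are assumptions.
SAMPLE = (
    "Domain|Detection|Action Taken|Confidence|Location|Policy|List|Count\n"
    "bad.example|On network|Blocked|Confirmed|HQ|Default|Malware|12\n"
    "bad.example|Off network|Blocked|Confirmed|Branch-1|Default|Malware|3\n"
    "odd.example|On network|Monitored|Suspected|HQ|Default|Phishing|1\n"
)


def parse_report(text):
    """Return (rows, rejected_line_numbers) for a pipe-delimited report body."""
    reader = csv.reader(io.StringIO(text), delimiter="|", quoting=csv.QUOTE_NONE)
    header = [name.strip() for name in next(reader)]
    count_idx = header.index("Count")  # ValueError if the column is missing
    rows, rejected = [], []
    for lineno, fields in enumerate(reader, start=2):
        if not fields:
            continue  # blank line
        # A value that itself contains "|" (a URI, for instance) shifts every
        # later column, so refuse the line instead of guessing.
        if len(fields) != len(header):
            rejected.append(lineno)
        elif not fields[count_idx].strip().isdecimal():
            rejected.append(lineno)
        else:
            rows.append(dict(zip(header, (f.strip() for f in fields))))
    return rows, rejected


def summarize(rows):
    """Group rows by domain, as the report does, and flag a possibly capped report."""
    domains = defaultdict(
        lambda: {"events": 0, "locations": set(), "confidence": set()})
    for row in rows:
        entry = domains[row["Domain"]]
        entry["events"] += int(row["Count"])
        entry["locations"].add(row["Location"])
        entry["confidence"].add(row["Confidence"])
    total = sum(d["events"] for d in domains.values())
    return {"domains": dict(domains), "total_events": total,
            "at_cap": total >= REPORT_EVENT_CAP}
```

Rejected line numbers and a true `at_cap` are both reasons to open the Threat Events report in SIA instead of relying on the email alone.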

Alert Notifications

Alerts are notifications that are sent to specific administrators or users with event information. Alerts are sent based on the Send Alert setting in a policy. For example, if the Send Alert setting is enabled for known threats in the Malware threat category, an alert is sent whenever a known Malware threat is detected and an event is logged in ​​SIA​.

When a new alert is triggered, users receive notifications in near real time. If additional alerts are detected within a five-minute period of sending out a notification, the user is notified about these alerts after the five-minute period.

Users may receive alerts for inline or lookback events. Inline events are events that are detected at the time of access, while lookback events are discovered by ​SIA​ threat intelligence after access.

Data in alert notifications are organized by domain. If multiple locations or sub-locations are associated with alerts, alerts are also organized by location or sub-location. The email that is sent out contains important information about the alert such as the associated policy and list, the reason a threat was identified, as well as the action taken on the alert.

If your organization is enabled to do so, a ​​SIA​​ administrator can associate specific locations or sub-locations to an alert notification email address. This means that alert notifications can contain information based on the locations or sub-locations that the recipient is allowed to receive information about.

These conditions also apply:

  • If a location or sub-location is assigned to a policy that's enabled with ​​SIA​​ Proxy, the email notification contains additional information that is specific to HTTP traffic such as URI and the total number of HTTP threat events.
  • A maximum of 200 domains are listed in the email. To view additional information, users need to log in to ​SIA​. If the email is in HTML format, links to related ​​SIA​​ pages are also provided. For information on the data that is in an alert notification email, see Data in alert notifications and scheduled reports.
  • By default, all notifications are sent in HTML format. However, an administrator can choose to send alert notifications in HTML or text format. The format you select applies to all users configured to receive alert notifications.

Note: If your organization uses a ticket tracking system, such as ServiceNow, you can provide a ticketing system email to automatically create a ticket for each alert.

Configure an alert notification

When a new alert is detected, those who are configured to receive alert notifications are sent notifications in near real time. If more alerts occur within a five-minute period, the user is notified about these alerts after the five minutes.

Data in email notifications are organized by domain. If an alert is detected in multiple locations, alert information is also organized by location. The email also contains other important alert information, such as the associated policy, list, and the action taken on the alert.

To configure an alert notification:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.
  2. Select the format of the alert notification. You can send a notification in HTML or Text format. The format you select is used for all alert notifications.
  3. Click Add Alert.
  4. By default, All Locations is selected. If you want to assign specific locations to an alert notification, click the chain icon and deselect the locations that you want to exclude. If necessary, you can find locations by entering the location name in the provided search field. Click Associate.
  5. In the Recipients column, click the chain icon and in the dialog that appears, enter the email addresses of users who you want to receive the alert notification. Click Submit.
  6. Click the check mark icon to save the alert notification settings.

Select format of alert notifications

You can choose to send alert notifications in an HTML or text format email. The format you select applies to all users configured to receive alert notifications.

You need to be an ​​SIA​​ administrator to perform this task.

To select the format of alert notifications:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.
  2. In the Alerts section, go to the Alert format menu.
  3. Select HTML Email or Text Email.

System Issue and Upgrade Notifications

You can send email notifications about the following:

  • Upgrades to Security Connector. You provide the email addresses of users or administrators who should receive a notification when there's an available update to the Security Connector.
  • System issues. You provide the email addresses of administrators who should receive emails about ​SIA​ system issues. These issues include:
    • Configuration issues in ​​SIA​​. ​​SIA​​ sends notifications when a domain for a location resolves to an invalid IP address. ​​SIA​​​ sends out an email notification with the location name, domain, and the IP address.
      This email notification only applies if your organization uses dynamic DNS for a location configuration. For more information, see About locations.
    • An expiring certificate for ​​SIA​​ Proxy. ​​SIA​​​ sends a notification when the TLS MITM certificate that was generated or uploaded to ​​SIA​​​ is scheduled to expire in 30 days or less. Administrators set to receive System Issues notifications are sent an email notification until a new certificate is uploaded or generated. For more information on the certificate, see ​SIA​​ Proxy MITM certificate.

These notifications are sent to users in HTML format.

Add email addresses for Security Connector upgrade notifications

You can provide the email addresses of administrators or other users within your organization who you want notified when an upgrade to Enterprise Security Connector is available.

You need to be an ​​SIA​​​ administrator to perform this task.

To add email addresses for Security Connector upgrade notifications:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.

  2. Expand the System Issues and Upgrades section.

  3. In the Recipients column for Security Connector Upgrade, click the chain icon.

  4. In the provided dialog, enter an email address or multiple email addresses.

  5. Click Submit.

Add email addresses for system issue notifications

Complete this procedure to provide email addresses of users or administrators who should receive notifications about system issues. By default, these notifications are sent in HTML format.

To add email addresses for system notifications:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Scheduled Reports & Notifications.
  2. Expand the System Issues and Upgrades section.
  3. In the Recipients column for System Issues, click the chain icon.
  4. In the provided dialog, enter an email address or multiple email addresses.
  5. Click Submit.