SEM's Newly Enhanced and Automated Reporting
Have you ever struggled to keep up with a flood of compliance report requirements? Or have you found it challenging to distill security data into clear, concise formats for management? Perhaps you've been searching for a SIEM solution that balances simplicity with customization.
If you've nodded along to any of these questions, you're in luck. Join us as we uncover how the enhanced reporting features in SolarWinds Security Event Manager (SEM) can streamline your organization's security and compliance work, offering both efficiency and flexibility.
Within the Historical Events and Reports tab, we've introduced the ability to generate web-based reports from your search queries. These reports breathe life into your historical events, translating them into visually engaging pie charts and tables. This transformation simplifies identifying potential issues and empowers you to make well-informed decisions regarding your network activity.
Moreover, we've introduced automation to streamline the distribution of these reports to all relevant stakeholders. Reports can be sent as email attachments, pushed to an external server over an SSH File Transfer Protocol (SFTP) connection, or written to a network file share. Because a report carries raw event data such as account names and IP addresses, treat every delivery destination (the mailbox, the SFTP directory, the share) as sensitive and limit who can read it.
In this blog article, we'll delve into how organizations can leverage the capabilities of SEM Reporting to streamline their workflows.
Accessing Reports
Your journey begins within the 'Historical Events & Reports' section of SEM. Here, you'll find a user-friendly dashboard equipped with intuitive tools like a query search bar and filter & sort options. Dive into a world of data and insights presented elegantly in both tabular and histogram formats.
Security and compliance stakeholders can swiftly sift through vast amounts of logs from various sources, easily identifying anomalies and suspicious patterns. SEM offers over 40 predefined queries commonly used in the industry, providing users with a solid foundation. These can either be directly employed to retrieve data or serve as building blocks for crafting more specific queries tailored to your needs.
Once you've homed in on the exact query, you can save it for future use or, better yet, save and schedule it to run regularly. For instance, if you need to review authentication events on your PCI servers daily, you can create a user-defined group containing the IP addresses of all PCI assets and schedule a query that returns logon, logoff, and logon-failure events for that group.
- To know how to create user-defined groups, head here: Configure user defined groups (solarwinds.com)
Generating Reports
Now, you can either generate reports on an ad hoc basis for immediate consumption or schedule them to run periodically and automatically send the reports via email or to a file server. SEM offers the flexibility to generate reports in .csv or .pdf formats.
For scenarios like PCI compliance, security and compliance stakeholders can leverage SEM's grouping capabilities. With support for eight category types and customizable tags, organizing queries becomes a breeze. By tagging queries with 'PCI', users can ensure ease of access and convenient future use.
- Learn more about tagging over here: Create and manage tags (solarwinds.com)
SEM also makes it easy to share saved queries among different SEM users and provides an option to export them as a .json file.
The 'Manage Queries' wizard serves as a single stop to categorize, bulk manage, share, and export saved queries, as shown in the snippet below.
There are several ways to generate reports. Next to each saved query, you'll find a three-dot options icon offering choices to generate or schedule reports. When scheduling, you can set a daily, weekly, or monthly recurrence pattern and specify the exact execution time.
Additionally, an options menu at the top right next to the query search bar provides similar options to generate or 'save & schedule' a query/report. Both methods allow you to choose between .csv and .pdf formats.
There's also an export button placed conveniently above the results table, as shown in the image below, which quickly exports the search results in .csv format.
Viewing Options
The .csv format offers detailed information on events in a tabular format, containing every normalized field and its associated value. This detailed view is ideal for security and SOC teams needing structured, consumable information.
Meanwhile, the .pdf format is better suited for management-level stakeholders seeking an overview of events or security risks. Elegantly displayed with pie charts and histograms, .pdf reports offer a holistic view with detailed event information if required.
On-demand vs. Scheduled Reporting
An on-demand report, like the quick export of the search results table, downloads directly to the system you are working from. A scheduled report, depending on the options chosen during configuration, is either sent as an attachment to the configured email addresses or delivered to a file server over an SFTP connection. With the 2024.4 release, customers can also deliver scheduled reports to a network file share using the SMB protocol. Whichever channel you choose, the account SEM uses to write the report should have no more access than needed on that destination, and the destination itself should be readable only by the intended stakeholders.
Differences between CSV & PDF reports
Expanding on the hypothetical scenario of examining authentication events (logons, logoffs, and failures) on your PCI servers, let's generate both CSV and PDF reports to compare their distinctions.
Here's a redacted portion of the CSV report, displaying normalized log fields and their respective values. This excerpt presents only a subset of the available fields. However, the complete CSV report includes all normalized log fields.
The provided snippet clearly outlines the Event Type, such as UserLogon and UserLogoff, along with other crucial details like Event info, Detection IP, and Severity.
Now, shifting focus to the PDF report, it offers a more digestible presentation. This version opens with pie charts depicting the top 10 event types, top 10 IP addresses, top 10 event information values, and more. It also includes a histogram of events over time, where the x-axis represents timestamps and the y-axis represents the number of events.
Here's a pie chart example representing the top 10 event types from this specific report.
It illustrates five events, with three being logons and two logoffs.
Furthermore, the PDF report concludes with a tabular representation of event data following the visual summaries.
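To show what a SOC team can do with the CSV export that the PDF summarizes for management, here is an added example (not SolarWinds code) that parses a constructed report excerpt offline and reproduces the same kind of summaries: top event types, an events-per-hour histogram, and a simple check for repeated logon failures from one source. The column names (DetectionTime, EventType, EventInfo, DetectionIP, Severity, DestinationAccount), the event-type value UserLogonFailure, and all sample rows are assumptions for illustration; the post names the fields Event Type, Event info, Detection IP and Severity but does not show the exact CSV header.

```python
"""Summarize a SEM-style CSV report export offline.

Added example, not SolarWinds code. Column names, the UserLogonFailure
event type and the sample rows are assumed for illustration.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample resembling a redacted CSV export of logon/logoff/failure
# events for a PCI server group. Header names are assumptions.
SAMPLE_CSV = """\
DetectionTime,EventType,EventInfo,DetectionIP,Severity,DestinationAccount
2024-05-01T08:02:11Z,UserLogon,Successful logon,10.10.1.5,Notice,svc_pci
2024-05-01T08:15:43Z,UserLogoff,User logged off,10.10.1.5,Notice,svc_pci
2024-05-01T09:03:07Z,UserLogon,Successful logon,10.10.1.6,Notice,admin
2024-05-01T09:41:55Z,UserLogonFailure,Bad password,10.10.1.6,Warning,admin
2024-05-01T09:42:03Z,UserLogonFailure,Bad password,10.10.1.6,Warning,admin
2024-05-01T09:42:09Z,UserLogonFailure,Bad password,10.10.1.6,Warning,admin
2024-05-01T10:30:00Z,UserLogon,Successful logon,10.10.1.7,Notice,backup
2024-05-01T10:58:21Z,UserLogoff,User logged off,10.10.1.7,Notice,backup
"""

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp layout in the export


def parse_report(text):
    """Parse CSV text into a list of row dicts, one per normalized event."""
    return list(csv.DictReader(io.StringIO(text)))


def top_event_types(rows, n=10):
    """Counts per EventType, highest first (ties broken by name), as the
    PDF's 'top 10 event types' pie chart would show them."""
    counts = Counter(row["EventType"] for row in rows)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:n]


def events_per_hour(rows):
    """Bucket events by hour, the data behind the PDF's events-over-time
    histogram. Keys look like '2024-05-01 09:00'."""
    buckets = Counter()
    for row in rows:
        ts = datetime.strptime(row["DetectionTime"], TIME_FORMAT)
        buckets[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(buckets.items()))


def failed_logons_by_source(rows, threshold=3):
    """Return {DetectionIP: failure_count} for sources at or above the
    threshold, a basic repeated-failure check a SOC analyst would run on
    the detailed CSV rather than read off a chart."""
    failures = Counter(
        row["DetectionIP"] for row in rows if row["EventType"] == "UserLogonFailure"
    )
    return {ip: c for ip, c in failures.items() if c >= threshold}


if __name__ == "__main__":
    events = parse_report(SAMPLE_CSV)
    print("Top event types:", top_event_types(events))
    print("Events per hour:", events_per_hour(events))
    print("Repeated logon failures:", failed_logons_by_source(events))
```

The same functions work unchanged on a full export as long as the header names match; adjust the column constants to whatever the real CSV header contains before running it against production data.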
Conclusion: Empower Your Security Strategy
As demonstrated, SolarWinds SEM reporting offers a seamless blend of functionality and simplicity. By leveraging powerful query capabilities and robust reporting features, you can elevate your security monitoring and responses while streamlining day-to-day operations.
If you're not already using SolarWinds Security Event Manager, we encourage you to check out the free download. It's free to get started, and it's easy. Give it a try!