SEM's Newly Enhanced and Automated Reporting

Have you ever struggled to keep up with a flood of compliance report requirements? Or have you found it challenging to distill security data into clear, concise formats for management? Perhaps you've been searching for a SIEM solution that balances simplicity with customization.

If you've nodded along to any of these questions, you're in luck. Join us as we uncover how SolarWinds Security Event Manager's (SEM) enhanced reporting features can streamline your organization's security and compliance endeavors, offering efficiency and flexibility.

Within the Historical Events and Reports tab, we've introduced the ability to generate web-based reports from your search queries. These reports breathe life into your historical events, translating them into visually engaging pie charts and tables. This transformation simplifies identifying potential issues and empowers you to make well-informed decisions regarding your network activity.

Moreover, we've introduced automation to streamline the distribution of these reports to all relevant stakeholders. Whether via email attachments, through an external server using a secure file transfer protocol (SFTP) connection, or even through a network file-sharing capability, sharing critical insights has never been easier.

In this blog article, we'll delve into how organizations can leverage the capabilities of SEM Reporting to streamline their workflows.

Accessing Reports

Your journey begins within the 'Historical Events & Reports' section of SEM. Here, you'll find a user-friendly dashboard equipped with intuitive tools like a query search bar and filter & sort options. Dive into a world of data and insights presented elegantly in both tabular and histogram formats.

A screenshot of the Historical Events & Reports page within the SEM dashboard

Security and compliance stakeholders can swiftly sift through vast amounts of logs from various sources, easily identifying anomalies and suspicious patterns. SEM offers over 40 predefined queries commonly used in the industry, providing users with a solid foundation. These can either be directly employed to retrieve data or serve as building blocks for crafting more specific queries tailored to your needs.

Once you've homed in on the exact query, you can choose to save it for future use or, better yet, save and schedule it to run regularly. For instance, if you need to investigate authentication events on your PCI servers daily, you can create a user-defined group containing all PCI assets' IP addresses and schedule a query to identify logon, logoff, and logon failure events within this group.

Generating Reports

Now, you can either generate reports on an ad hoc basis for immediate consumption or schedule them to run periodically and automatically send the reports via email or to a file server. SEM offers the flexibility to generate reports in .csv or .pdf formats.

A screenshot of a user clicking Generate report after clicking on the three dots that appear when clicking Queries on the top left of the screen within the SEM Historical Events & Reports page.

For scenarios like PCI compliance, security and compliance stakeholders can leverage SEM's grouping capabilities. With support for eight category types and customizable tags, organizing queries becomes a breeze. By tagging queries with 'PCI', users can ensure ease of access and convenient future use.

SEM further offers easy ways to share saved queries among different SEM users, and it also provides an option to export them in .json file format.

The 'Manage Queries' wizard serves as a one-stop location to categorize, bulk manage, share, and export saved queries, as shown in the snippet below.

A screenshot of a user clicking Managed Saved queries after clicking on the queries option on the left side of the page and then clicking on the tabular column icon

There are several ways to generate reports. Next to each saved query, you'll find a three-dot options icon, offering choices to generate or schedule reports. When using the schedule reports feature, you can set daily, weekly, or monthly recurrence patterns and specify exact execution times.

A screenshot of a user clicking Schedule report after clicking on the three dots that appear when clicking Queries on the top left of the screen within the SEM Historical Events & Reports page.

Additionally, an options menu at the top right next to the query search bar provides similar options to generate or 'save & schedule' a query/report. Both methods allow you to choose between .csv and .pdf formats.

There's also an export button placed conveniently above the results table, as shown in the image below, which can be used to quickly export the search results in .csv format.

Screenshot of a user clicking the Export button above the results tabular column within the SEM Historical Events & Reports page

Viewing Options

The .csv format offers detailed information on events in a tabular format, containing every normalized field and its associated value. This detailed view is ideal for security and SOC teams needing structured, consumable information.

Meanwhile, the .pdf format is better suited for management-level stakeholders seeking an overview of events or security risks. Elegantly displayed with pie charts and histograms, .pdf reports offer a holistic view with detailed event information if required.

On-demand vs. Scheduled Reporting

The on-demand report, as well as the quick export of the search results table, downloads the report directly to the local system. Depending on the options chosen during configuration, scheduled reports will either be sent as an attachment to the configured email addresses or delivered to a file server via an SFTP connection. With the new release (2024.4), customers can also take advantage of a network file share option using the SMB protocol.

Differences between CSV & PDF reports

Expanding on the hypothetical scenario of examining authentication events (logons, logoffs, and failures) on your PCI servers, let's generate both CSV and PDF reports and compare them.

Here's a redacted portion of the CSV report, displaying normalized log fields and their respective values. This excerpt presents only a subset of the available fields; the complete CSV report includes all normalized log fields.

The provided snippet clearly outlines the Event Type, such as UserLogon and UserLogoff, along with other crucial details like Event info, Detection IP, and Severity.

Screenshot of a snippet of the CSV report

Now, shifting focus to the PDF report, it offers a more user-friendly presentation. This version presents visually appealing pie charts depicting the top 10 event types, top 10 IP addresses, top 10 event information values, and more. Additionally, it includes a histogram summarizing events over time, where the x-axis represents timestamps and the y-axis represents the number of events.

Here's a pie chart example representing the top 10 event types from this specific report.

Screenshot of a snippet of the PDF report

It illustrates five events, with three being logons and two logoffs.

Furthermore, the PDF report concludes with a tabular representation of event data following the visual summaries.
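The CSV report is the format a SOC team is most likely to process further. As an added example (not SEM's own code, and not part of the original post), the Python script below reads a CSV export shaped like the one described above and derives the same summaries the PDF presents: a top-N count of event types (the pie chart), an events-per-hour histogram, and the list of logon failures. It also checks every Detection IP against the user-defined group of PCI asset addresses from the scheduled-query example earlier, so a row outside that group flags a query or group definition that needs review. The column names are assumptions modelled on the field names the post mentions, the "Detection Time" column and the PCI address range are constructed, and the sample rows extend the post's five-event example (three logons, two logoffs) with one constructed logon failure.

```python
"""Summarize a SEM-style CSV report export.

Added example, not SolarWinds SEM code. Column names follow the fields the
post names (Event Type, Event info, Detection IP, Severity); the
"Detection Time" column and all sample rows are constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample export: three logons, two logoffs (as in the post's PDF
# example) plus one logon failure from an address outside the PCI group.
SAMPLE_CSV = """Event Type,Event Info,Detection IP,Severity,Detection Time
UserLogon,Successful logon for alice,10.10.1.5,Low,2024-05-01T08:02:11
UserLogon,Successful logon for bob,10.10.1.6,Low,2024-05-01T08:15:40
UserLogoff,Logoff for alice,10.10.1.5,Low,2024-05-01T09:01:03
UserLogon,Successful logon for svc_backup,10.10.1.7,Low,2024-05-01T09:30:22
UserLogoff,Logoff for bob,10.10.1.6,Low,2024-05-01T10:05:59
UserLogonFailure,Bad password for alice,192.168.50.9,Medium,2024-05-01T10:07:14
"""

# Hypothetical user-defined group holding the PCI assets' IP addresses.
PCI_GROUP = [ip_network("10.10.1.0/24")]


def parse_report(text):
    """Parse the CSV text of a report export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def top_event_types(rows, n=10):
    """Counts by Event Type, most common first (what the PDF pie chart shows)."""
    return Counter(r["Event Type"] for r in rows).most_common(n)


def events_per_hour(rows):
    """Bucket events by hour, like the PDF histogram; returns sorted (hour, count) pairs."""
    buckets = Counter()
    for r in rows:
        ts = datetime.fromisoformat(r["Detection Time"])
        buckets[ts.strftime("%Y-%m-%dT%H:00")] += 1
    return sorted(buckets.items())


def out_of_scope(rows, group=PCI_GROUP):
    """Rows whose Detection IP is not in the PCI group.

    A query scheduled against the PCI group should only return group members,
    so any row here means the saved query or the group definition needs review.
    """
    return [
        r for r in rows
        if not any(ip_address(r["Detection IP"]) in net for net in group)
    ]


def logon_failures(rows):
    """Rows whose Event Type denotes a failed logon."""
    return [r for r in rows if r["Event Type"].endswith("Failure")]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    print("Top event types:", top_event_types(rows))
    print("Events per hour:", events_per_hour(rows))
    print("Logon failures:", [r["Event Info"] for r in logon_failures(rows)])
    print("Outside PCI group:", [r["Detection IP"] for r in out_of_scope(rows)])
```

Pointing `parse_report` at the contents of a real export (for instance `open("report.csv").read()`) instead of `SAMPLE_CSV` gives the same summaries over the full set of normalized fields; only the column names need to match the export's header row.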

Conclusion: Empower Your Security Strategy

As demonstrated, SolarWinds SEM reporting offers a seamless blend of functionality and simplicity. By leveraging powerful query capabilities and robust reporting features, you can elevate your security monitoring and responses while streamlining day-to-day operations.

If you're reading this and are not already using SolarWinds Security Event Manager, we encourage you to check out the free download. It's free to get started. It's easy. Give it a try!
