Create Reports from a Template
Templates provide out-of-the-box reports that help you understand your organization’s security posture, the effectiveness of security staff, and the value of Secureworks® Taegis™ XDR. Leveraging Secureworks security operations expertise, these reports have been designed to address common reporting needs and can be utilized without an understanding of the Advanced Search query language.
Tip
Looking to create your own report? See Configure Custom Reports.
To create a PDF report from a template:
- From the Taegis Menu, select Reports.
- Select Create Report.
- Choose one of the predefined report templates and select Next.
Available Report Templates
The following predefined report templates are currently available in XDR.
Alert Summary Report
The Alert Summary Report provides an overview of alert activity, volume, and trends in your environment. It includes the following summary charts and statistical data:
- Alert Volume Trend by Severity — Highlights the volume of alerts over time by severity, including suppressed alerts
- Alert Trends Grouped by Status — Depicts increasing and decreasing trends in critical and high severity alerts grouped by alert status
- Top Alert Trends by Volume — A series of charts showing the Top 10 alert names, users, host names, source IPs, and target IP addresses based on alert volume
Alert Summary Report: Alert Volume Trend by Severity and Top Sensor Type
Executive Summary Report
The Executive Summary Report provides a high-level overview of the activity occurring in your environment. It includes the following summary charts and statistical data:
- Investigation Trends — Depicts trends in investigations grouped by type and status
- Alert Activity and Trends — Displays critical and high alert trends by alert status, alert trends by severity and top sensor types, and the top names and usernames of critical and high alerts
- Event Trends — Depicts trends in events by destination port and block status
Executive Summary Report: Alert Activity and Trends
Investigation Summary Report
The Investigation Summary Report provides an overview of investigation activity occurring in your environment. It includes the following summary charts and statistical data:
- Investigation Overview — Depicts the funneling of events filtered through XDR from total events, to alerts, to those included in an investigation
Note
The Event Volume by Type metric included in the Investigation Overview is calculated once daily at 08:00 AM UTC rather than in real time when the report is run.
- Investigation Trends by Status — Displays the trends in volume of investigations grouped by all statuses or by status categories, with views for those created by the customer, those created by the service provider, and the aggregate of both
- Investigation Trends by Type — Displays the trends in volume of investigations by investigation type with views for those created by the customer, those created by the service provider, and the aggregate of both
- Investigation Creators and Assignees — Displays the top investigation creators and open investigation assignees over time
Investigation Summary Report: Investigation Overview
Event Schema Grouping
In the Investigation Overview funnel chart, event schemas are grouped as follows:
- Network — dnsquery, generic, netflow, auth, http, nids, dhcp
- Endpoint — dnsquery, generic, netflow, process, auth, persistence, injection.thread, managementevent, registry, filemod, process_module, apicall, script_block
- Cloud — generic, auth, cloudaudit, apicall
- Business System — email, antivirus
- Others — any other schemas not in the four groups above
Note
The numbers for each grouping, which are located to the right side of the funnel, may not add up to the total event volume, which is located to the left side of the funnel. This is because events that fall into multiple schema groups get included in the count for each group.
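As an added illustration (not part of the Taegis documentation), the following Python reproduces the grouping rule and the overlap behaviour described in the note above: the group names and schema lists are taken from this page, unmapped schemas fall into Others, and the sample events are constructed so that the per-group counts visibly exceed the total.

```python
from collections import Counter

# Schema-to-group table as documented for the Investigation Overview funnel.
# Several schemas (dnsquery, generic, netflow, auth, apicall) appear in more
# than one group, which is what makes the group counts exceed the total.
SCHEMA_GROUPS = {
    "Network": {"dnsquery", "generic", "netflow", "auth", "http", "nids", "dhcp"},
    "Endpoint": {"dnsquery", "generic", "netflow", "process", "auth", "persistence",
                 "injection.thread", "managementevent", "registry", "filemod",
                 "process_module", "apicall", "script_block"},
    "Cloud": {"generic", "auth", "cloudaudit", "apicall"},
    "Business System": {"email", "antivirus"},
}


def groups_for_schema(schema):
    """Return every group a schema belongs to; unmapped schemas go to Others."""
    hits = [name for name, members in SCHEMA_GROUPS.items() if schema in members]
    return hits or ["Others"]


def funnel_group_counts(events):
    """Count events per group the way the funnel does: an event whose schema sits
    in several groups is counted once in each of them."""
    counts = Counter({name: 0 for name in list(SCHEMA_GROUPS) + ["Others"]})
    for event in events:
        for group in groups_for_schema(event["schema"]):
            counts[group] += 1
    return dict(counts)


def reconcile(events):
    """Compare the left-hand total with the right-hand group counts and report
    how many of the group tallies come from events counted more than once."""
    counts = funnel_group_counts(events)
    total = len(events)
    group_sum = sum(counts.values())
    return {"total": total, "groups": counts,
            "group_sum": group_sum, "double_counted": group_sum - total}


# Constructed sample events (not real telemetry); one event per line.
SAMPLE_EVENTS = [
    {"id": 1, "schema": "dnsquery"},    # Network and Endpoint
    {"id": 2, "schema": "auth"},        # Network, Endpoint and Cloud
    {"id": 3, "schema": "process"},     # Endpoint only
    {"id": 4, "schema": "email"},       # Business System
    {"id": 5, "schema": "thirdparty"},  # not in any group -> Others
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_EVENTS))
```

Running it shows five events producing eight group tallies, which is exactly the mismatch the note describes.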
Taegis NDR Change Management Report
Note
Taegis NDR is an evolution of iSensor, but with a new name and soon with expanded capabilities. You may see some references to the iSensor branding as we complete this transition.
The Taegis™ NDR Change Management Report displays detailed information about signature and ruleset updates made for each NDR Device in your tenant, including the CVEs that map to the rules. It includes the following data:
- Ruleset Version — The version Secureworks assigned to the ruleset
- Timestamp — The date and time this particular ruleset was rolled out
- New Signatures — Total number of new signatures pushed to this NDR Device in this particular ruleset rollout
- Changed Signatures — Total number of changed signatures pushed to this NDR Device in this particular ruleset rollout
- Deleted Signatures — Total number of deleted signatures from this NDR Device for this specific ruleset rollout
- Ruleset Description — A brief description of the rule
- Rule Status — Indicates whether this rule represents an add, change, or delete
Note
If you run this report but have no NDR Devices in your tenant, the Taegis™ NDR Data Sheet generates instead.
Taegis™ NDR Change Management Report
Taegis XDR Trends Report
The XDR Trends Report compares aggregate data on investigations, alerts, and data usage during the selected report period with data from two previous periods of the same length. It includes the following summary charts and statistical data:
Investigations
- Investigation Overview — A funnel chart that filters through the gigabytes of event data, then detections, then triaged alerts, then lastly investigations created from those events.
- Investigation Details by Status — A list of security investigation details including remediation/last activity, grouped by status.
- Investigations Created by Service Provider — A stacked bar chart displaying the total number of security investigations created by Secureworks or your service provider, broken down by status. It compares the selected report period with two previous periods.
- Investigations Created by Tenant — A stacked bar chart displaying the total number of security investigations created by members of your organization/tenant, broken down by status. It compares the selected report period with two previous periods.
- Response Time: Mean Time to Hand Off — A bar chart of the mean amount of time elapsed from when a Secureworks analyst took ownership of an investigation to the initial handoff to your organization. It compares the selected report period with two previous periods.
- Response Time: Mean Time to Acknowledge — A bar chart of the mean amount of time elapsed from when Secureworks initially handed off an investigation to when someone in your organization initially viewed it. It compares the selected report period with two previous periods.
- Response Time: Mean Time to Resolve — A bar chart of the mean amount of time elapsed from when Secureworks initially handed off an investigation to the time the investigation is resolved. It compares the selected report period with two previous periods.
XDR Trends Report - Investigations
Alerts
- Critical and High Alert Volume: Period Comparison — A stacked bar chart of the total number of critical and high alerts, broken down by severity. It compares the selected report period with two previous periods.
- Medium and Low Alert Volume: Period Comparison — A stacked bar chart of the total number of medium and low alerts, broken down by severity. It compares the selected report period with two previous periods.
- Alert Suppression: Period Comparison — A bar chart of the percentage of alerts that were suppressed, broken down by severity. It compares the selected report period with two previous periods.
- Critical Alert Volume Trend — A line chart comparing the volume of critical-severity alerts to the overall trend over time. It compares the selected report period with two previous periods.
- High Alert Volume Trend — A line chart comparing the volume of high-severity alerts to the overall trend over time. It compares the selected report period with two previous periods.
- Medium Alert Volume Trend — A line chart comparing the volume of medium-severity alerts to the overall trend over time. It compares the selected report period with two previous periods.
- Low Alert Volume Trend — A line chart comparing the volume of low-severity alerts to the overall trend over time. It compares the selected report period with two previous periods.
- Top 5 MITRE ATT&CK Techniques: Report Period — A bar chart of the top five MITRE ATT&CK techniques used by threat actors during the selected report period, broken down by number of alerts. It compares the selected report period with two previous periods.
- Top 5 MITRE ATT&CK Techniques: Previous Period — A bar chart of the top five MITRE ATT&CK techniques used by threat actors during the previous report period, broken down by number of alerts. It compares the previous report period with the report period of the same length before and after.
- Top 5 MITRE ATT&CK Techniques: Pre-previous Period — A bar chart of the top five MITRE ATT&CK techniques used by threat actors during the pre-previous report period, broken down by number of alerts. It compares the pre-previous report period with the two following periods.
- Top 10 Users: Period Comparison — A bar chart of the top 10 users related to alerts, in order of alert count. It compares the pre-previous report period with the two following periods.
- Top 10 Source IPs: Period Comparison — A bar chart of the top 10 source IPs related to alerts, in order of alert count. It compares the pre-previous report period with the two following periods.
- Top 10 Target IPs: Period Comparison — A bar chart of the top 10 target IPs related to alerts, in order of alert count. It compares the pre-previous report period with the two following periods.
XDR Trends Report - Alerts
Data Usage
- Data Usage and Allotment by Billing Cycle — A bar chart of the total number of gigabytes used by your organization, versus the total number allotted. It compares the pre-previous report period with the two following periods.
XDR Trends Report - Data
Report Periods Explained
Many charts in the XDR Trends Report compare different time periods. These include:
- Report Period — The time period you selected when creating the report (e.g., the last 30 days)
- Previous Period — The time period of the same length directly preceding the report period (e.g., 60-31 days ago)
- Pre-previous Period — The time period of the same length directly preceding the previous period (e.g., 90-61 days ago)
Taegis XDR User Admin Summary Report
The XDR User Admin Summary Report provides an overview of XDR user registration status, roles, activity, and change history in your XDR tenant. It includes the following summary charts and statistical data:
- User Registration — Shows XDR users by registration status and changes to registration status
- User Roles — Shows XDR users by role and changes to user roles
- User Profiles — Shows XDR users whose profile data is incomplete
- User Activity — Shows the most and least active XDR users, as well as XDR login trends and details
XDR User Admin Summary Report: User Registration & Activity
Step 1: Configure and Preview the Report
Reports created from templates are predefined, so at this time configuration options are limited to the timeframe of the report data.
As you adjust the configuration options, the report preview image updates automatically.
Preview of the Executive Summary Report
Note
Reports with alerts do not support data aggregation of more than 7 days if viewing All Tenants. Select an individual tenant, or reduce the timeframe.
Step 2: Schedule Report
A report can be scheduled to run at a variety of intervals as defined below. One scheduling option may be defined per report.
- Now — The report is executed immediately upon completion of the configuration process.
- Once — The report is executed once at a date and time specified by the user.
- Daily — The report is executed once every day of the week at a designated time.
- Weekly — The report is executed once per week on a specified day and time.
- Monthly — The report is executed once per month on a specified numeric day of the month and time. If the defined day is greater than the last day of the month, the report will be executed on the last day of the month.
- Annually — The report is executed once per year on a specified date and time.
Note
The time zone field specifies what time zone a scheduled report should run; it does not affect the timestamps used throughout the report data.
Scheduling an Executive Summary Report
Step 3: Report Name and Sharing
In the last step of report configuration, define the following:
- Report Name — A name for the report, which is used as the file name, the header inside the file, and a quick reference in the Scheduled and Completed Reports tables. (255 character limit; supported characters: / - _ ( ) % & # ! , . ' " @ $ ^ * ~)
- Description — (Optional) Descriptive text that provides context about the contents of the report for recipients' benefit. This is embedded in the header of the report file. (1,000 character limit)
- Users — Any XDR users within the current tenant that will receive the report. Each named user, including the report creator, will receive email notifications when the report is completed, with a link to download the report. Users you share the report with can unsubscribe if they do not wish to receive the report.
- Share with Administrators — Check this option to add the report to the Completed Reports table for Tenant Administrator users when it runs. They will not receive notifications for the report.
- Language Selection — Select English or Japanese for the report language.
Note
You automatically receive any report that you create yourself; you do not need to add yourself to the user list.
Naming and Sharing an Executive Summary Report
Available Output File Formats
Reports are generated as PDF files by default. To generate a CSV and/or JSON file that contains the non-aggregated data with the PDF for supported reports, select the Export data to CSV and/or JSON option.
Step 4: Complete the Report
After all configuration steps are completed, select Finish. The query results page is displayed, with a banner informing you that the report is being created. You will receive an email notification when it is ready to download.