WEBVTT

1
00:00.000 --> 00:03.840
In this video, I get to take a look at many of the default reports.

2
00:03.840 --> 00:08.560
And I want you to remember that behind a report, there is also the option to

3
00:08.560 --> 00:10.160
use things like templates

4
00:10.160 --> 00:13.840
and charts and the data sets, identifying what data we're going to pull from

5
00:13.840 --> 00:14.880
the SQL database.

6
00:14.880 --> 00:18.000
But as we start with default reports, I just want to give you a big picture

7
00:18.000 --> 00:19.840
look at how valuable they are.

8
00:19.840 --> 00:22.960
So let's take a moment. I want to verify that I have my firewalls online.

9
00:22.960 --> 00:26.240
So I got firewall two, firewall three, the headquarters firewall right here,

10
00:26.240 --> 00:30.640
and the branch firewall right there. And they're all reporting to this FortiAnalyzer

11
00:30.640 --> 00:32.080
in the root ADOM,

12
00:32.080 --> 00:35.580
which is a fancy way of saying the root administrative domain. Because as a

13
00:35.580 --> 00:36.080
reminder,

14
00:36.080 --> 00:39.680
we can specify multiple different ADOMs with different FortiGate devices

15
00:39.680 --> 00:41.200
reporting to specific ADOMs

16
00:41.200 --> 00:44.680
and then have different administrators in charge of each of those. Now, that

17
00:44.680 --> 00:46.560
also applies to reports.

18
00:46.560 --> 00:51.800
So as we start customizing or scheduling reports, that's on a per ADOM basis.

19
00:51.800 --> 00:52.160
So in this set of

20
00:52.160 --> 00:55.650
videos, all four firewalls are reporting and sending their information to the

21
00:55.650 --> 00:56.720
root ADOM here

22
00:56.720 --> 01:00.740
on our FortiAnalyzer. So here we go. So here's the FortiAnalyzer. We're going to go

23
01:00.740 --> 01:01.360
ahead and log in as

24
01:01.360 --> 01:06.600
admin. I'll supply the password. We'll click on log in. And because ADOMs are

25
01:06.600 --> 01:08.000
enabled, it's asking me

26
01:08.000 --> 01:12.040
now which ADOM to go into. I want to go into the root ADOM. So we'll click on a

27
01:12.040 --> 01:13.520
root. And here we go.

28
01:13.520 --> 01:18.990
So there's our current firmware version of the FortiAnalyzer, 7.6.3. Great, great,

29
01:18.990 --> 01:19.680
great. Now let's go to

30
01:19.680 --> 01:23.070
Device Manager, and here in Device Manager, I have all four devices

31
01:23.070 --> 01:24.400
reporting. So these

32
01:24.400 --> 01:27.600
three here at the headquarters site, as part of our fabric, and I've got the

33
01:27.600 --> 01:28.320
branch firewall

34
01:28.320 --> 01:32.390
reporting as well. Fantastic. So for reports on the far left side here, we'll

35
01:32.390 --> 01:33.120
go to reports.

36
01:33.120 --> 01:37.130
Then I have a section for generated reports. So if you add some reports that

37
01:37.130 --> 01:37.920
were created,

38
01:37.920 --> 01:41.080
they would show up here and then we also have a timeframe you can sort by. So

39
01:41.080 --> 01:41.600
if you said I want

40
01:41.600 --> 01:44.900
to see all the reports that have been created in the last, for example, three

41
01:44.900 --> 01:46.080
months, we could

42
01:46.080 --> 01:50.570
put in months equals three there, press enter. And then currently I have no

43
01:50.570 --> 01:51.440
generated reports

44
01:51.440 --> 01:54.450
on this FortiAnalyzer. And that's okay. So we'll have some here in just a little

45
01:54.450 --> 01:55.200
bit. So we go

46
01:55.200 --> 02:00.820
to report definitions. Here are the built-in report definitions. So in the tabs

47
02:00.820 --> 02:01.440
up on top,

48
02:01.440 --> 02:06.340
I've got all reports. And then I've got a tab for templates. Again, a template,

49
02:06.340 --> 02:06.800
think of it like

50
02:06.800 --> 02:11.270
the cookie cutter for a report. If we want to use that template, I've got a

51
02:11.270 --> 02:12.240
chart library

52
02:12.240 --> 02:16.560
with a whole bunch of different predefined charts. Right, I've got the

53
02:16.560 --> 02:17.520
data sets tab,

54
02:17.520 --> 02:21.230
which is the SQL queries that are going to be used to get the information out of

55
02:21.230 --> 02:22.400
the SQL database.

56
02:22.400 --> 02:25.680
And then we also have what I think of as a subset of a data set. And

57
02:25.680 --> 02:26.320
that's the macro

58
02:26.320 --> 02:30.480
library, think of them like little itty bitty requests, looking for certain

59
02:30.480 --> 02:31.840
elements of data

60
02:31.840 --> 02:36.320
from the SQL database. But for now, let's go back to all reports. And

61
02:36.320 --> 02:38.320
there are a lot of them.

62
02:38.320 --> 02:43.600
So here in the bottom right, it says 321, meaning there are 321 predefined

63
02:43.600 --> 02:44.400
reports

64
02:44.400 --> 02:48.320
that we can choose from. And the little folder icon represents there's various

65
02:48.320 --> 02:48.960
folders

66
02:48.960 --> 02:53.770
that these reports are kept in. So when you think of a report, think of the

67
02:53.770 --> 02:55.120
actual report that can

68
02:55.120 --> 02:59.660
be generated. And then if we generate a report, there's also another section

69
02:59.660 --> 03:00.640
for reports where we

70
03:00.640 --> 03:05.160
can actually look at those generated reports. So let's sort and search for how

71
03:05.160 --> 03:07.280
about 360. So I'm

72
03:07.280 --> 03:11.030
going to do a search for 360 up here. And that's going to refine our list here

73
03:11.030 --> 03:12.160
with the filter,

74
03:12.160 --> 03:18.800
looking at anything that has 360 in it. So here is a SOC 360 degree security

75
03:18.800 --> 03:20.160
review. And over here,

76
03:20.160 --> 03:23.220
it says it's built in. And here at the time period, it's showing how far back

77
03:23.220 --> 03:24.480
it's going to go. So

78
03:24.480 --> 03:27.780
for this right here, I may have modified it to be this year in the previous

79
03:27.780 --> 03:28.960
seven days. But for the

80
03:28.960 --> 03:32.690
360 degree security review, if we double click on it, that's going to take us

81
03:32.690 --> 03:34.080
into the first tab

82
03:34.080 --> 03:38.540
here, the generated report. So if we had generated a report based on this

83
03:38.540 --> 03:39.760
report, it would show up

84
03:39.760 --> 03:43.100
here. Actually, if we generate in the last three months, it would show up here.

85
03:43.100 --> 03:43.920
And if we click on

86
03:43.920 --> 03:47.390
settings, here's where we can tweak and modify the settings for this report,

87
03:47.390 --> 03:48.480
including things such

88
03:48.480 --> 03:53.170
as what time period would you like this report to cover. So currently, I have a

89
03:53.170 --> 03:54.320
set for this year.

90
03:54.320 --> 03:58.650
And I also can specify which devices and or subnets I want to limit to. And

91
03:58.650 --> 03:59.520
there's also some options

92
03:59.520 --> 04:03.170
down here regarding scheduling and notification and auto cache and filters and

93
04:03.170 --> 04:04.320
advanced settings.

94
04:04.320 --> 04:08.320
And we'll get back to those a little bit later in the set of videos. So that's

95
04:08.320 --> 04:09.120
the settings tab.

96
04:09.120 --> 04:13.750
And then here in the editor, what we're looking at here is text as part of this

97
04:13.750 --> 04:14.560
report that if we

98
04:14.560 --> 04:19.310
generate this text, and then here's one chart followed by this chart followed

99
04:19.310 --> 04:20.160
by this chart,

100
04:20.160 --> 04:23.240
I'm just scrolling down here, followed by this chart, this is going to have

101
04:23.240 --> 04:24.480
this text, then it's

102
04:24.480 --> 04:27.890
going to have this table, then it's going to have page break, and the list goes

103
04:27.890 --> 04:28.880
on. So this is just a

104
04:28.880 --> 04:33.390
visual representation of how the report will look based on the text here and

105
04:33.390 --> 04:34.400
the charts being used,

106
04:34.400 --> 04:38.040
and all that also could have come from the template that this report is

107
04:38.040 --> 04:39.360
choosing to use. So I'm not

108
04:39.360 --> 04:42.060
going to make any changes here. I'm going to click on return, and I'm going to

109
04:42.060 --> 04:42.880
right click here,

110
04:42.880 --> 04:45.820
and then from the dropdown, I can click run report. That's one way of running

111
04:45.820 --> 04:46.560
this report.

112
04:46.560 --> 04:49.840
Another way would be to highlight this report here, and then click here and run

113
04:49.840 --> 04:50.720
report. That would do

114
04:50.720 --> 04:55.300
it. Or we could do this. We could go into the generated reports here, and there

115
04:55.300 --> 04:56.400
currently aren't any.

116
04:56.400 --> 05:00.720
We could click on run report here. That also would run this report. Also just

117
05:00.720 --> 05:02.240
right here where it says

118
05:02.240 --> 05:06.470
last N months, that's referring to what it's showing here as far as reports

119
05:06.470 --> 05:07.440
that have been run

120
05:07.440 --> 05:10.800
in the last three months. However, if we go to settings for this report, we're

121
05:10.800 --> 05:11.360
here where it says

122
05:11.360 --> 05:15.290
this year, the actual data in the report is pulling from this year as of this

123
05:15.290 --> 05:16.320
recording. So it's going

124
05:16.320 --> 05:22.010
to be January from 2025 to December 31st, 2025, because I'm recording this in

125
05:22.010 --> 05:23.520
2025. All right,

126
05:23.520 --> 05:27.230
so I'm going to go back to generated reports here and just click on run report,

127
05:27.230 --> 05:28.160
and that will take

128
05:28.160 --> 05:32.930
a little bit of time to run. So in a moment here, we should see a report

129
05:32.930 --> 05:33.920
showing up, and we'll give

130
05:33.920 --> 05:38.310
that a minute to do that. And so it's on its way. It's not quite done yet. So

131
05:38.310 --> 05:39.360
when it's done,

132
05:39.360 --> 05:44.450
it'll fill in the format column here with options to see that report, including

133
05:44.450 --> 05:45.760
HTML, PDF, there it is

134
05:45.760 --> 05:50.190
XML, CSV, and JSON. So there's our reports. Let me go ahead and collapse this

135
05:50.190 --> 05:51.280
left hand side.

136
05:51.280 --> 05:54.150
So we're in Reports, Report Definitions. I'm going to go ahead and collapse

137
05:54.150 --> 05:54.480
that left,

138
05:54.480 --> 05:58.560
give us a little more room, and it took 14 seconds to run that report. So to

139
05:58.560 --> 05:59.920
see the report, we simply

140
05:59.920 --> 06:03.780
click here on HTML. If you want to see an HTML version that'll open a new tab

141
06:03.780 --> 06:04.720
for you, or if you

142
06:04.720 --> 06:07.860
want to see raw XML, you can click on that; if you want to see a PDF, you can

143
06:07.860 --> 06:09.040
click there. So let's

144
06:09.040 --> 06:12.930
click here on HTML and take a look at this report. So here's the report. So

145
06:12.930 --> 06:13.760
over on the left,

146
06:13.760 --> 06:16.980
this is all clickable. So if we want to go for example, to high risk

147
06:16.980 --> 06:18.480
applications in use,

148
06:18.480 --> 06:22.120
or high risk application by category, we can click on any of these sections,

149
06:22.120 --> 06:22.880
it'll take us there.

150
06:22.880 --> 06:26.400
So let's scroll back to the top and as I scroll up, it's also tracking on the

151
06:26.400 --> 06:27.680
left there. Fantastic.

152
06:27.680 --> 06:32.060
So here's this report. Here's the summary. And then it has those tables based

153
06:32.060 --> 06:32.880
on that report

154
06:32.880 --> 06:36.710
definition and then information being populated based on the data set that was

155
06:36.710 --> 06:37.200
being used in the

156
06:37.200 --> 06:40.840
background to pull that information from the SQL database. So here's regarding

157
06:40.840 --> 06:41.520
application

158
06:41.520 --> 06:45.680
visibility and control, threat detection and prevention, no information on data

159
06:45.680 --> 06:46.800
exfiltration,

160
06:46.800 --> 06:52.020
then high risk applications in use, we got some proxy avoidance it looks like

161
06:52.020 --> 06:53.280
and some peer-to-peer

162
06:53.280 --> 06:58.170
applications. If we keep scrolling down, it has application risk definitions,

163
06:58.170 --> 06:58.560
you know, all the

164
06:58.560 --> 07:03.410
way from severe down to low, and then application categories, and then a table

165
07:03.410 --> 07:04.560
representing the

166
07:04.560 --> 07:09.250
application categories. So as far as data throughput, the most used application

167
07:09.250 --> 07:11.040
would be video/audio,

168
07:11.040 --> 07:14.190
and that was 11 gigabytes based on this calendar year, and that's here in my

169
07:14.190 --> 07:15.200
lab environment based

170
07:15.200 --> 07:18.800
on those four FortiGate firewalls. Then if we continue to scroll down, we have web

171
07:18.800 --> 07:19.680
application section

172
07:19.680 --> 07:24.170
here, and these are sorted by risk. So proxy websites, then BitTorrent, then

173
07:24.170 --> 07:25.120
OneDrive, and blah,

174
07:25.120 --> 07:28.430
blah, blah, blah, all the way down. And then we have web categories, including

175
07:28.430 --> 07:29.120
their respective

176
07:29.120 --> 07:33.680
bandwidth usage, so information technology, web analytics. And if you go down,

177
07:33.680 --> 07:34.320
here's some for

178
07:34.320 --> 07:38.800
gambling, malicious websites, proxy avoidance. And as we continue to scroll

179
07:38.800 --> 07:39.680
down here, we have

180
07:39.680 --> 07:43.220
threat detection and prevention. So we had an EICAR test file that I used a few

181
07:43.220 --> 07:44.080
times,

182
07:44.080 --> 07:47.830
and then we have some information here regarding malware and botnets. So for

183
07:47.830 --> 07:48.640
malware botnets,

184
07:48.640 --> 07:52.020
there were two sites that we were trying to reach. And as far as command and

185
07:52.020 --> 07:52.880
control networks,

186
07:52.880 --> 07:56.240
we've got domains and IPs detected with DNS filtering. There's a whole

187
07:56.240 --> 07:56.640
bunch here,

188
07:56.640 --> 08:00.820
and these are all generated by me to build some logs that we could look at. And

189
08:00.820 --> 08:01.760
then here is our

190
08:01.760 --> 08:05.680
EICAR test file. And then we have top 10 victims of phishing sites, and here's

191
08:05.680 --> 08:06.240
that information

192
08:06.240 --> 08:10.420
here, and then top 25 malicious phishing sites, that information is here, and

193
08:10.420 --> 08:11.120
then intrusion

194
08:11.120 --> 08:16.370
and attacks. And again, it's all based on the details specified by that report.

195
08:16.370 --> 08:16.640
So here we

196
08:16.640 --> 08:20.690
had some IPS events, and then as we scroll down it has other sections as well, based

197
08:20.690 --> 08:21.520
on that report.

198
08:21.520 --> 08:25.440
And this opens up in a separate tab. So if we go back to the FortiAnalyzer, so

199
08:25.440 --> 08:26.160
here back at the

200
08:26.160 --> 08:29.260
FortiAnalyzer, we're going to go ahead and open up the left hand column here, and we

201
08:29.260 --> 08:29.840
get a report

202
08:29.840 --> 08:35.490
definitions. If we scroll down, here's our SOC reports, here's our 360 degree

203
08:35.490 --> 08:36.080
security review,

204
08:36.080 --> 08:39.680
if we double click on that, it'll then show us any reports that have been

205
08:39.680 --> 08:40.720
generated based on

206
08:40.720 --> 08:43.840
that report. Another way of seeing this report is we could go into reports to

207
08:43.840 --> 08:45.040
generated reports,

208
08:45.040 --> 08:48.580
and it's right here as well. We could also associate this report, if we needed to,

209
08:48.580 --> 08:49.360
or one or two,

210
08:49.360 --> 08:53.570
with an incident, and that way this report would be easily available as part of

211
08:53.570 --> 08:54.480
that incident.

212
08:54.480 --> 08:58.080
So now that we've taken a look at an example of running a default report, one

213
08:58.080 --> 08:59.040
of the hundreds

214
08:59.040 --> 09:02.280
available on the FortiAnalyzer. In the next video, we're going to take a closer

215
09:02.280 --> 09:03.120
look at the wonderful

216
09:03.120 --> 09:07.760
world of templates. So I'll see you in the next video in just a moment.
