Create & Schedule Reports

Learn more at Stellar Cyber Academy.

The following link takes you to a course on the Stellar Cyber Academy technical training portal where you can learn more about this topic by watching the suggested lesson.

(2024) SOC ANALYST - Investigations and Workflows (05h:48m)

Creating Dashboards and Reports in Stellar Cyber (30m:00s)

The first time you access a link on the portal during a session, you must log in to access content.

A major part of the Stellar Cyber Platform is the ability to generate reports that you can view in the UI and schedule for recurring generation and delivery to specified recipients. Stellar Cyber lets you schedule reports based on PDF reports (in 5.4.0 Beta) and exported dashboards. Use the instructions in this article to understand how to view, clone, schedule, delete, send, and download reports.

PDF Reports

PDF Reports are available as part of an Early Access Program and might not appear in your version of the Stellar Cyber Platform. Contact your account manager to inquire about taking part in the Early Access Program.

On the Reports (Beta) tab at Respond | Reports, there are two predefined, or "pre-canned", PDF reports: Case Report and Executive Summary.

The Case Report contains a table of contents followed by three sections:

  • Executive Summary – This shows the case volume for the current period and three previous periods, making any trend in case load over this time immediately apparent. It also displays the number of created cases vs. the number of resolved cases, which lets you see how your team is handling its case load.

  • Case Funnel – This shows how much data Stellar Cyber ingested and how many individual alerts it discovered and correlated into cases, how many cases it filtered, and then, from 5.3.0, how many cases it determined to be true positives.

  • Top 10 Cases by Severity – This shows the most critical issues the team faced in the current period reported.

The Executive Summary contains a table of contents followed by sections for Deployment Summary, Cases, Alerts, Assets, and Visibility. Each section has one or more subsections that provide a high-level summary of the incidents Stellar Cyber discovered, assets it detected, and amount of data it received.

A few notes about the Executive Summary content:

  • In Deployment Summary

    • The reported number of deployed sensors might not always match the actual number because the Executive Summary includes only sensors that are actively running on the network during the time that the report covers, not the total number of sensors that are in the Stellar Cyber database.

    • Device Sensors Deployed – For SaaS deployments, this count includes Modular Sensors only. For on-premises deployments, it includes Modular Sensors, Security Sensors, and Network Sensors. (Note: Security Sensors and Network Sensors are types of Device Sensors available for deployment on-premises until the 5.1.1 release.)

  • In Visibility (second chart) – The data volume for Sensors includes data from all available sensors: Linux, Windows, and Modular. In addition, for on-premises installations deployed before 5.1.1, the data volume also includes data from Security Sensors and Network Sensors.

When you generate either of these reports, Stellar Cyber produces a PDF. It's formatted in landscape orientation for viewing on monitors. If printed, the reports are designed for A4 paper sizes (21.0 x 29.7 cm, or 8.27 x 11.69 in).

The logo that appears on the report is the same as the Organization Logo set in System | Settings.

Screen capture of Respond | Reports | Reports (Beta)

Access to PDF Reports

To view PDF reports in the Reports (Beta) tab and scheduled PDF reports in the Manage table, your user profile must have Add a Report enabled. By default, Add a Report is enabled in these predefined profiles: Super Admin, Platform Admin, and Security Admin. However, it's disabled in the predefined User profile. If you're logged in to the Stellar Cyber UI with the User profile, you cannot access any actions for reports, not even Preview.

Because it's not possible to edit the User profile, create a new profile based on it, enable Add a Report in this profile, and apply the new profile to user accounts that you want to be able to view reports.

  1. Select System | Role-Based Access Control | User | Create New Profile from this Template, give the new profile a name, select a behavior for setting privileges for new features, and Save it.

  2. Scroll to the Respond section, enable Add a Report, and then scroll to the bottom and Save Changes.

  3. Select System | Users, select the Edit icon for a user account, change the User Privilege from User to your newly created user profile, and then Submit the change.

    The user with this profile can now view PDF reports.

Generate a PDF Report

To generate a Case Report or Executive Summary, select its name. Stellar Cyber immediately generates a new PDF report for data gathered the previous day.

Screen capture of a generated case report

Create a Scheduled PDF Report

To clone the selected report, change time zones, schedule it to cover a specified period of time, and either run it immediately or at a recurring interval, select Schedule and configure the settings displayed.

Screen capture showing the settings to schedule a report

Generate and View a Scheduled PDF Report

To generate and view a scheduled report, select the View scheduled report icon in the Actions column in the Manage table. Because Stellar Cyber doesn't store previously generated reports, when you select this icon, it generates a new report and displays that. To see the report's settings after viewing the newly generated report, select Schedule.

Generate and Edit a Scheduled PDF Report

To edit a scheduled report, select the Edit scheduled report icon in the Actions column in the Manage table. Stellar Cyber generates a new report and displays it together with its schedule settings. You can edit any of the settings of reports created by you or by someone with the same administrative scope (root, partner, or tenant) as you. A user with a higher scope can edit most settings in a report created by a user with a lower scope, except the tenants that the report is about. Therefore, a root-level user cannot change the tenants of a report created by a partner or tenant, and a partner cannot change the tenant in a report created by a tenant.

Delete a Scheduled PDF Report

To delete a scheduled report, select the Delete report icon in the Actions column in the Manage table. This icon doesn't appear for scheduled reports created by users with a lower administrative scope than yours. As a result, a root-level user cannot delete a report created by a partner or tenant, and a partner cannot delete a report created by a tenant.

Generate and Send a Scheduled Report

To send a scheduled report to specified recipients outside of its usually scheduled runtime, select the Send report icon in the Actions column in the Manage table. Stellar Cyber prompts you to confirm running the report outside its scheduled runtime. Confirm your decision to run the report and send it to the recipients.

Download a Scheduled PDF Report

To generate and download a scheduled report, select the View scheduled report or Edit scheduled report icon in the Actions column in the Manage table. When Stellar Cyber displays the generated report, select the Download icon in the upper right corner of the page and save it to your local system.

Exported Dashboards

On the Visualize | Dashboards page, you can view, clone, and modify existing dashboards and create new ones. All the dashboards from that page also appear on the Exported Dashboards tab at Respond | Reports and can be used as the basis for another type of report. In fact, in releases prior to 5.4.0, exported dashboards were called “reports”. From 5.4.0, they’re called “exported dashboards” to differentiate them from PDF-formatted reports (Case Report and Executive Summary).

Existing dashboard exports are not affected by upgrading to 5.4.0.

Screen capture of Respond | Reports | Exported Dashboards

The Exported Dashboards tab shows dashboards organized into various categories: General, PCI Compliance, CIS Compliance, HIPAA Compliance, License Usage, and Custom. In contrast to predefined dashboards, dashboards that you create or clone are stored in the Custom tab. Stellar Cyber generates the License Usage reports from the information in the System | Licensing tabs of the same name. You don't create these in Visualize | Dashboards, but you can use the same tools to clone, edit, and schedule them.

Generate and View an Exported Dashboard

On the Exported Dashboards tab at Respond | Reports, select the name of an exported dashboard. Stellar Cyber immediately generates data to populate the tables, charts, and widgets in the selected dashboard and displays it.

When you view it, Stellar Cyber provides options to Schedule, Clone Report, and Download. If it's a custom exported dashboard, you also have the option to edit it at Visualize | Creation | Dashboards.

Clone and Edit an Exported Dashboard

When you clone an exported dashboard, you can use it as the basis for a custom dashboard.

To clone an exported dashboard on Respond | Reports | Exported Dashboards, select the dashboard and select Clone Report. Complete the Clone Report settings: enter a name, choose a tenant, enter a description, and enable or disable Clone all charts.

The charts used in predefined asset reports such as CIS Control 1 - Inventory of Hardware Assets Summary and CIS Control 1 - Inventory of Hardware Assets Details rely on a definition that is present with their associated dashboard. For that reason, the option to clone all charts when you clone a dashboard has been disabled for these reports.

Stellar Cyber saves the dashboard at Visualize | Dashboards | Custom and displays the new dashboard with settings to Edit, Clone, Export, and Delete it.

Screen capture of a cloned exported dashboard

There are also options to edit the time settings (Time Type, Time Interval, and Auto Refresh) in the upper right of the page and set data filters in the upper left of the page.

The data in a dashboard is subject to the filters and queries defined on the page. The exceptions to this are the Operational Dashboard and Analyst View, which are intentionally unaffected by the Status (event_status) filter.

The scope of a query determines which tenants can use it. Whether it's possible to create a query for All Tenants depends on the scope of the object being queried, such as charts, correlations, and Automated Threat-Hunting (ATH) rules. In short, the scope of a queried object cannot be more restrictive than the scope of the query itself. For example, if you create an ATH rule for All Tenants, then the query for this ATH rule can be either All Tenants or a single tenant, such as "Tenant A". However, if you create an ATH rule for Tenant A, then the query cannot be for All Tenants, because the other tenants won't have this ATH rule and won't be able to query it. In this case, the query can only be for Tenant A.

When you select Edit, you have options to change the layout of the content in the dashboard, add and delete widgets, and use the Chart Builder to modify widgets.

Screen capture showing the edit options for a custom dashboard

When done with your edits, Save them.

If you want to make more edits to a dashboard later, select the dashboard at Visualize | Dashboards | Custom.

Schedule a Report Based on an Exported Dashboard

Select a dashboard name, select Schedule, and configure the settings displayed.

Download an Exported Dashboard

To download an exported dashboard on Respond | Reports | Exported Dashboards, select the name of the dashboard and then select the Download icon in the upper right of the page.

Stellar Cyber opens a PDF version of the exported dashboard in a new browser tab.

You might need to enable your browser to allow pop-ups and multiple-file downloads from the Stellar Cyber UI.

To download the PDF, select the Download icon in the upper right of the page and save it to your local system. When done, close the browser tab and return to the Stellar Cyber UI.

Notes on Predefined Exported Dashboards

In general, the contents of predefined exported dashboards are self-explanatory. This section provides some additional notes to help you understand what you're seeing:

  • The byte counts in Ingestion Dashboard (in the General category) represent the amount of data sent by connectors and sensors to the Stellar Cyber Platform. After data arrives at the Stellar Cyber Platform from these sources, it undergoes additional enrichment and compression before it's stored on disk. Because of this, the byte counts shown in the Ingestion Dashboard don't match those in System | Licensing | Volume Usage or the exported dashboards in the License Usage category, which represent the actual data stored on disk, post-enrichment and compression. To summarize:
    • Ingestion Dashboard – Reports byte counts based on data sent by connectors and sensors to the Stellar Cyber Platform prior to enrichment and compression.

    • License Usage exported dashboards – Report byte counts based on actual data stored on disk. These are the counts used for licensing purposes.

  • Some exported dashboards, including Alerts (in the General category), include sections breaking out alerts into Critical, Major, Minor, and Notice severities. Each severity corresponds to a bucket of Alert Scores, with the best practice for monitoring and investigation shown for each:

    • Critical (Alert Score ≥ 75) – Alerts of high severity and fidelity that must be investigated immediately.

    • Major (Alert Score ≥ 50 and < 75) – Alerts that are likely to be true positives or that could have significant security consequences and should be given priority for investigation.

    • Minor (Alert Score ≥ 25 and < 50) – Alerts of lesser severity and/or fidelity that should be investigated if time permits, or otherwise investigated together with correlated alerts in cases.

    • Notice (Alert Score < 25) – Alerts of weak abnormal signals that are likely false positives or of less security concern, and may be investigated together with related alerts and events, such as alerts in the same cases and relevant events identified in threat hunting.

  • Similarly, exported dashboards might break out alerts according to their fidelity (High Fidelity or Other Fidelity). These fidelity levels correspond to Fidelity Scores as follows:

    • High Fidelity – Fidelity Score ≥ 75

    • Other Fidelity – Fidelity Score < 75
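The following is an added example, not code from Stellar Cyber or from this article, that reproduces the severity and fidelity bucketing above over a batch of alert records, so you can cross-check an exported Alerts dashboard against raw alert data or triage an export outside the UI. The record layout (an "id", "alert_score" and "fidelity_score" per alert) and the sample alerts are constructed for illustration and are not the platform's export schema; the thresholds are the ones stated in this article. The example also handles the boundary values (75, 50 and 25 belong to the higher bucket) and rejects scores outside 0 to 100.

```python
"""Bucket alerts by Alert Score and Fidelity Score using the thresholds
documented for Stellar Cyber exported dashboards (added example; field
names and sample data are assumptions, not the platform's schema)."""

from collections import Counter
from typing import Dict, Iterable, List, Mapping, Tuple

# Severity buckets as (name, inclusive lower bound), highest first.
SEVERITY_BUCKETS: Tuple[Tuple[str, float], ...] = (
    ("Critical", 75),
    ("Major", 50),
    ("Minor", 25),
    ("Notice", 0),
)

# Fidelity Score at or above this value is "High Fidelity".
HIGH_FIDELITY_MIN = 75


def _check_score(score: float, label: str) -> float:
    """Scores are documented as 0..100; anything else is a data error."""
    if not 0 <= score <= 100:
        raise ValueError(f"{label} out of range: {score}")
    return score


def severity_for(alert_score: float) -> str:
    """Map an Alert Score to Critical / Major / Minor / Notice.

    Lower bounds are inclusive, so 75 is Critical, 50 is Major, 25 is Minor.
    """
    score = _check_score(alert_score, "alert_score")
    for name, low in SEVERITY_BUCKETS:
        if score >= low:
            return name
    return "Notice"  # not reached: the last bucket starts at 0


def fidelity_for(fidelity_score: float) -> str:
    """Map a Fidelity Score to High Fidelity (>= 75) or Other Fidelity (< 75)."""
    score = _check_score(fidelity_score, "fidelity_score")
    return "High Fidelity" if score >= HIGH_FIDELITY_MIN else "Other Fidelity"


def summarize(alerts: Iterable[Mapping]) -> Dict[str, object]:
    """Produce the breakdown an Alerts dashboard shows: counts per severity,
    counts per fidelity level, and the alerts that are both Critical and
    High Fidelity (the 'investigate immediately' set)."""
    by_severity: Counter = Counter()
    by_fidelity: Counter = Counter()
    investigate_now: List[str] = []
    for alert in alerts:
        sev = severity_for(alert["alert_score"])
        fid = fidelity_for(alert["fidelity_score"])
        by_severity[sev] += 1
        by_fidelity[fid] += 1
        if sev == "Critical" and fid == "High Fidelity":
            investigate_now.append(alert["id"])
    return {
        "by_severity": dict(by_severity),
        "by_fidelity": dict(by_fidelity),
        "investigate_now": investigate_now,
    }


# Constructed sample alerts chosen to sit on and around every boundary.
SAMPLE_ALERTS = [
    {"id": "a1", "alert_score": 92, "fidelity_score": 88},  # Critical / High
    {"id": "a2", "alert_score": 75, "fidelity_score": 60},  # Critical / Other
    {"id": "a3", "alert_score": 74, "fidelity_score": 90},  # Major / High
    {"id": "a4", "alert_score": 50, "fidelity_score": 30},  # Major / Other
    {"id": "a5", "alert_score": 49, "fidelity_score": 75},  # Minor / High
    {"id": "a6", "alert_score": 25, "fidelity_score": 10},  # Minor / Other
    {"id": "a7", "alert_score": 24, "fidelity_score": 74},  # Notice / Other
    {"id": "a8", "alert_score": 0, "fidelity_score": 0},    # Notice / Other
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

Because the platform doesn't store previously generated reports, a breakdown like this computed from an alert export is the only way to compare two points in time without re-running the report; keep the thresholds in one place (as above) so a change in a future release only needs to be made once.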