Acquire Usage Reports

ProtectNow! Support
  • Updated
Follow

This article shows you how to scope/ acquire :Assess Reports that contain KODiAC Audit records with Transaction details.

Introduction

Previous Walkthroughs introduced basic SSProtect :Foundation Client capabilities to you - from protecting and accessing data to Restoring :Recover content. This article shows you how to scope/ acquire :Assess Usage Reports that include KODiAC Audit Records with transaction details.

Prerequisites

This article assumes you have downloaded and installed the :Foundation Client as described in the article, Installing the :Foundation Client. It's helpful if you have also worked through the following Walkthroughs:

You can Provision a Test Account as described in the article, Provision Test Accounts, then work through the above Walkthrough's STEPS, though this article doesn't rely on specifics for detailed insight. We however recommend the noted ordered approach since future changes and/ or future :Assess Walkthrough details may choose to take advantage of details for additional clarity.

Auditing and Reporting Overview

:Assess auditing is carried out by KODiAC (Cloud) Services using a combination of host-specific claims and deterministic KODiAC (Cloud) transaction details. Auditing is a native part of every KODiAC transaction, and a requirement for proper execution. Content is indexed, securely stored, and replicated for high-performance Analysis (:Respond) and Reporting.

Report content is generated on-demand. When you submit a request with the :Foundation Client, KODiAC queries audit data then filters results for CSV delivery. The :Foundation Client feeds results to an appropriate, (signed) Excel macro template then displays the resulting Workbook for review.

:Assess Reports

STEP 1: Log In to your Test Account then navigate to the notification tray, right-click SSProtect and park your mouse over the Usage Reports menu selection to view the Quick Reports in the submenu:

Tutorial-Assess-Menu.png

SSProtect offers the following :Assess Reports, available to all Accounts:

  • File Detail Report - Conversion transaction details for Managed Content activities
  • File Sequence Report - Summary Managed Access, Open, and Close progressions 
  • Admin Report - Configuration and maintenance activity; noted as User Report for Non-Privileged Accounts
  • Integrated Report - Combined Report with File Details and Admin/ User Report records

Report Scope for Privileged/ Non-Privileged Users

The Admin Report is, as noted, listed as a User Report for Non-Privileged Users. The real difference is in data scope: The Admin Report (for Privileged Users) contains configuration and maintenance activity for all Accounts in the managed Organization, whereas the User Report (for Non-Privileged Users) only contains activity for the caller's Account.

This fact holds true for all Reports, though other Quick Report menu names don't change with caller context. Other than the Header Title, each respective Report is the same: KODiAC queries the same record types and includes the same level of detailed output (for a given Report type).

Display Quick Reports

STEP 2: From the context menu, choose the Integrated Report:

Tutorial-Assess-2dIntegrated.png

Though difficult to see in the screenshot, you should recognize a series of operations that represent Authentication/ Authorization for Login (and perhaps Logout) along with Restore and/ or Conversion transaction details (as you scroll through the Report). The latter details would be included in a File Detail Report whereas the former in an Admin (User) Report.

Note that Quick Reports span the last 24 hours of activity.

STEP 3: From the context menu, choose each of the other Quick Reports, and review content to compare output detail.

Quick Report Result Files/ Filenames

Refer to the Excel Window Caption that shows the associated stored filename: Quick Report output is stored in a temporary location - %localappdata%\DefiniSec\Config\Reports - that is cleared when your Login Session is terminated. The filename uses the following format: <Type>-yymmddhhmmss.xlsx. This allows for multiple Reports to be stored without overwriting previously-generated content.

You can, of course, perform a Save As operation in Excel to keep a permanent copy of the results.

At the same time, however, raw CSV data is stored in two locations - a temporary file in the same \Reports scratch folder using the <type>_last.csv format, and one in your Default Folder that uses a slightly more user-friendly name of yyyy.mm.ddq-<type>.csv. This latter file remains unless you request another instance of the same Quick Report, in which case it is overwritten with the most recent CSV data.

This CSV file is used as input to an associated Excel Macro-Enabled (and signed) Workbook Report Template that formats results for viewing.

Apply CSV Results to Report Templates

To apply the Quick Report CSV data to the proper Report Template, visit the Usage Report dialog:

STEP 4: From the context menu, hover over Usage Reports then choose Manage when the submenu appears:

Tutorial-Assess-ReoprtDetail.png

The upper half of this dialog is specific to :Assess Reporting (as noted by the containing boundary text) while the lower half is specific to Host Debug Logfiles, described in the article, Accessing Host Debug Logs.

In this article, we are interested in the Filename detail, which in this case refers to a Quick Report for File Sequences*, as you can see by the filename suffix and yyyy.mm.ddq-<type> presence.

* Your Filename details may be different, and will be consistent with the last Report you generated before displaying this dialog. In our case, in STEP 3, we generated the 1d File Sequence Report just before navigating to the dialog shown above.

STEP 5: Click the Report... button to have SSProtect re-apply the Filename's CSV data to the proper (installed) Report Template, which then automatically displays the result

The resulting Report will be exactly the same as before, which gives you another opportunity to perform Save As... to retain a copy of the Workbook results. Remember that any subsequent Quick Report of the same type will overwrite the target CSV data, without prompting. This is one of the few cases where content is overwritten, because...

Report Data is Immutable

Report content is immutable, that is, it will not change over time. Should you inadvertently generate another Quick Report, overwriting previously stored CSV content, you can manually generate the same Report spanning the same target timeframe to acquire the exact same results (in corresponding records).

STEP 6: From the currently displayed Report, pick a date/ time and make note of the associated record content (Excel row data). Close the file.

STEP 7: From the Usage Reports dialog, choose the Type that matches the previous Report - if you check both Admin and File, as shown in the screenshot, you will generate an Integrated Report else you will generate the Report that matches the box you check. For example, if you check Seq, the Admin/ File checkboxes become disabled and you will generate a Sequence Report. Deselect Seq to re-enable Admin/ File. Make the appropriate selection to match your desired Report.

STEP 8: Leave the End Date (not labeled) as displayed, which will be the present day UTC (if you're in North America and it's a few hours before midnight, the date will be your current date + 1 day). Change the Days designation to make sure the Report spans your target record's date/ time. The first Day in the count is the day that's displayed, UTC. Refer to the next section for additional details.

STEP 9: Click Acquire then choose the target CSV filename, which by default uses the same file format as the associated Quick Report without the date's, "q" qualifier. Click Save to have SSProtect request and acquire the resulting CSV content from KODiAC, then apply it to the matching Excel Report Template for display.

STEP 10: Search through the resulting Report to find the date/ time you identified in STEP 6 then verify that record content is the same. If your Report does not include the target Date/ Time, continue to the next section to review the way UTC date/ time values scope Report output.

NOTE: You can, as suspected, correlate content between the Integrated Admin Report and the File Detail Report, and also more loosely correlate File Sequence insight with File Detail and/ or Integrated Admin content.

Looking Deeper: Usage Report UTC End Date And Days Designations

SSProtect allows you to request Reports using a target End Date and some number of Days. This is reflected in both the Usage Report UI and also :Respond Report controls. Quick Reports (using the Quick Action menu) use the current day as the End Date and a count of one (1) for Days, as shown by the 1d designation for each of the Quick Report menu items.

This can be confusing, specifically when submitting a request shortly after midnight UTC but from a time zone in North America such that your Date is not the same as the UTC Date.

Though we have plans to make significant adjustments to simplify these controls, there is a fairly simple way of aligning your need with system results.

First, starting in v10.7.4, the Days designation reflects the number of 24-hour periods prior to the target date/ time, which for Quick Reports reflects the time at which the request was carried out, and for Usage Report controls reflects the Date settings when you choose Acquire.

In certain cases, the results are very unlikely to align with typical content, and SSProtect adds an extra 24-hour period (increases the Days value submitted with the request) to include additional, prior event records in an attempt to provide practical results.

Consider: It's 4:05pm in San Francisco during the winter, which means your clock reflects PST which is 8 hours prior to UTC. As such, you're about to submit a request five (5) minutes after midnight UTC, but late in the afternoon for you.

In this scenario, the (default) End Date will reflect your local PST date plus one (+ 1) because it's past midnight UTC. If you submit your request using this value, and use a Days value of one (1) (or use the Quick Report), you'd get the last (5) minutes of data.

SSProtect, in this case, makes an adjustment and adds an extra Day to your request. This results in the last five (5) minutes of data followed by the previous 24-hours of data, addressing the spirit of the 1d request.

Additional :Assess Detailed Review

Subsequent Walkthroughs will focus on the Report details, for example File Detail transaction content as it relates to Managed Files/ Restore values. Refer back to this article for specific links when the associated Walkthrough is available, and review the article, Acquiring Data Access Reports for more information.

Additional Resources

You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.

In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.

This article was updated w/ v10.7.1 of the :Foundation Client