This article shows you how to scope/ acquire :Assess Reports that contain KODiAC Audit records with Transaction details.
Introduction
Previous Walkthroughs introduced basic SSProtect :Foundation Client capabilities to you - from protecting and accessing data to Restoring :Recover content. This article shows you how to scope/ acquire :Assess Usage Reports that include KODiAC Audit Records with transaction details.
Prerequisites
This article assumes you have downloaded and installed the :Foundation Client as described in the article, Installing the :Foundation Client. It's helpful if you have also worked through the following Walkthroughs:
You can Provision a Test Account as described in the article, Introduction and Preparation, then work through the above Walkthroughs' STEPS, though this article doesn't rely on their specifics. We do, however, recommend working through them in the noted order, since future changes and/ or future :Assess Walkthroughs may build on those details for additional clarity.
Auditing and Reporting Overview
:Assess auditing is carried out by KODiAC (Cloud) Services using a combination of host-specific claims and deterministic KODiAC (Cloud) transaction details. Auditing is a native part of every KODiAC transaction, and a requirement for proper execution. Content is indexed, securely stored, and replicated for high-performance Analysis (:Respond) and Reporting.
Report content is generated on-demand. When you submit a request with the :Foundation Client, KODiAC queries audit data, then filters results for CSV delivery. The :Foundation Client feeds results to an appropriate (signed) Excel macro template, then displays the resulting, macro-free Workbook for review.
:Assess Reports
STEP 1: Log in to your Test Account then navigate to the notification tray, right-click SSProtect and park your mouse over the Usage Reports menu selection to view the Quick Reports in the submenu:
SSProtect offers the following :Assess Reports, available to all Accounts:
- File Detail Report - Conversion transaction details for Managed Content activities
- File Sequence Report - Summary Managed Access, Open, and Close progressions
- Admin Report - Configuration and maintenance activity; noted as User Report for Non-Privileged Accounts
- Integrated Report - Combined Report with File Details and Admin/ User Report records
Report Scope for Privileged/ Non-Privileged Users
The Admin Report is, as noted, listed as a User Report for Non-Privileged Users. The real difference is in data scope: The Admin Report (for Privileged Users) contains configuration and maintenance activity for all Accounts in the managed Organization, whereas the User Report (for Non-Privileged Users) only contains activity for the caller's Account.
This fact holds true for all Reports, though other Quick Report menu names don't change with caller context. Other than the Header Title, each respective Report is the same: KODiAC queries the same record types and includes the same level of detailed output (for a given Report type).
Display Quick Reports
STEP 2: From the context menu, choose the Integrated Report:
Though difficult to see in the screenshot, you should recognize a series of operations that represent Authentication/ Authorization for Login (and perhaps Logout) along with Restore and/ or Conversion transaction details (as you scroll through the Report). The latter details would be included in a File Detail Report, whereas the former would be included in an Admin (User) Report.
Note that Quick Reports span the last 24 hours of activity.
STEP 3: From the context menu, choose each of the other Quick Reports, and review content to compare output detail. File Conversion details will be covered in a Walkthrough that will be available shortly.
Quick Report Result Files/ Filenames
Refer to the Excel Window Caption that shows the associated stored filename: Quick Report output is stored in a temporary location - %localappdata%\DefiniSec\Config\Reports - that is cleared when your Login Session is terminated. The filename uses the following format: <Type>-yymmddhhmmss.xlsx. This allows for multiple, subsequent Reports to be stored without overwriting recent content.
You can, of course, perform a Save As operation in Excel to keep a permanent copy of the results.
At the same time, however, raw CSV data is stored in two locations - a temporary file in the same \Reports scratch folder using the <type>_last.csv format, and one in your Default Folder that uses a slightly more user-friendly name of yyyy.mm.ddq-<type>.csv. This latter file remains unless you request another instance of the same Quick Report, in which case it is overwritten with the most recent CSV data.
This CSV file is used as input to an associated Excel Macro-Enabled (and signed) Workbook Report Template that formats results for viewing.
Apply CSV Results to Report Templates
To apply the Quick Report CSV data to the proper Report Template, visit the Usage Report dialog:
STEP 4: From the context menu, hover over Usage Reports then choose Manage when the submenu appears:
The upper half of this dialog is specific to :Assess Reporting (as noted by the containing boundary text) while the lower half is specific to Host Debug Logfiles, described in the article, Accessing Host Debug Logs.
We are, however, currently interested in the Filename detail, which in this case refers to a Quick Report for File Sequences, as you can see by the filename suffix and yyyy.mm.ddq-<type> presence.
STEP 5: Click the Report... button to have SSProtect re-apply the Filename's CSV data to the proper (installed) Report Template, which then automatically displays the result.
The resulting Report will be exactly the same as before, which gives you another opportunity to perform Save As... to retain a copy of the macro-free Workbook results. Remember that any subsequent Quick Report of the same type will overwrite the target CSV data, without prompting. This is one of the few cases where content is overwritten, because...
Report Data is Immutable
Report content is immutable, that is, it will not change over time. Should you inadvertently generate another Quick Report, overwriting previously stored CSV content, you can manually generate the same Report spanning the same target timeframe to acquire the exact same results (in corresponding records).
STEP 6: From the currently displayed Report, pick a date/ time and make note of the associated record content (Excel row data). Close the file.
STEP 7: From the Usage Reports dialog, choose the Type that matches the previous Report. Checking both Admin and File, as shown in the included screenshot, generates the Integrated Report; otherwise, you get the Report matching the checked box. If you check Seq, the Admin/ File checkboxes are disabled (which generates the Sequence Report). Deselect Seq to re-enable Admin/ File. Make the appropriate selection to match your details.
STEP 8: Leave the End Date (not labeled) as displayed, which will be the present day UTC (if you're in North America and it's a few hours before midnight, the date will be your current date + 1 day). Change the Days designation to make sure the Report spans your target record's date/ time. The first Day in the count is the day that's displayed, UTC. Refer to the next section for additional details.
STEP 9: Click Acquire then choose the target CSV filename, which by default uses the same file format as the associated Quick Report without the date's "q" qualifier. Click Save to have SSProtect request and acquire the resulting CSV content from KODiAC, then apply it to the matching Excel Report Template for display.
STEP 10: Search through the resulting Report to find the date/ time you identified in STEP 6 then verify that record content is the same. If your Report does not include the target Date/ Time, continue to the next section to review the way UTC date/ time values scope Report output.
Looking Deeper: Usage Report UTC End Date And Days Designations
SSProtect allows you to request Reports using a target End Date and some number of Days. This is reflected in both the Usage Report UI and also :Respond Report controls. Quick Reports (using the Quick Action menu) use the current day as the End Date and a count of one (1) for Days, as shown by the 1d designation for each of the Quick Report menu items.
This can be confusing, specifically when submitting a request shortly after midnight UTC but from a time zone in North America such that your Date is not the same as the UTC Date.
Though we have plans to make significant adjustments to simplify these controls, there is a fairly simple way of aligning your need with system results.
First, starting in v10.7.4, the Days designation reflects the number of 24-hour periods prior to the target date/ time, which for Quick Reports reflects the time at which the request was carried out, and for Usage Report controls reflects the Date settings when you choose Acquire.
In certain cases, the results are very unlikely to align with typical content, and SSProtect adds an extra 24-hour period (increases the Days value submitted with the request) to include additional, prior event records in an attempt to provide practical results.
Consider: It's 4:05pm in San Francisco during the winter, which means your clock reflects PST which is 8 hours prior to UTC. As such, you're about to submit a request five (5) minutes after midnight UTC, but late in the afternoon for you.
In this scenario, the (default) End Date will reflect your local PST date plus one (+ 1) because it's past midnight UTC. If you submit your request using this value, and use a Days value of one (1) (or use the Quick Report), you'd get the last five (5) minutes of data.
SSProtect, in this case, makes an adjustment and adds an extra Day to your request. This results in the last five (5) minutes of data followed by the previous 24 hours of data.
This adjustment is applied when your local time zone is different than UTC. This will change to simplify matters in upcoming UI changes.
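The San Francisco scenario above, worked through as an added example (not SSProtect code). It assumes Days counts UTC calendar days with the End Date as the first Day and the window ending at the request instant, which is one reading of the description above; the function names and calendar dates are constructed for illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

# Assumed model (not SSProtect code): Days counts UTC calendar days, the first
# being the End Date itself, and the window stops at the request instant.
PST = timezone(timedelta(hours=-8), "PST")  # fixed offset from the scenario


def default_end_date(local_now: datetime) -> date:
    """UTC calendar date at the moment of the request (the default End Date)."""
    return local_now.astimezone(timezone.utc).date()


def report_window(end_date: date, days: int, request_utc: datetime):
    """(start, end) in UTC covered by `days` Days ending on `end_date`."""
    if days < 1:
        raise ValueError("Days must be at least 1")
    first_day = end_date - timedelta(days=days - 1)
    start = datetime.combine(first_day, time.min, tzinfo=timezone.utc)
    day_close = datetime.combine(end_date + timedelta(days=1), time.min,
                                 tzinfo=timezone.utc)
    return start, min(request_utc, day_close)


def days_needed(end_date: date, record_local: datetime) -> int:
    """Smallest Days value whose window reaches the record's UTC date."""
    record_day = record_local.astimezone(timezone.utc).date()
    if record_day > end_date:
        raise ValueError("record is later than the End Date")
    return (end_date - record_day).days + 1


def scenario():
    """4:05pm PST request; the calendar date is a constructed sample."""
    request = datetime(2024, 1, 15, 16, 5, tzinfo=PST)
    end_date = default_end_date(request)           # 2024-01-16, local date + 1
    request_utc = request.astimezone(timezone.utc)
    spans = {}
    for days in (1, 2):                            # 2 = with the extra Day added
        start, end = report_window(end_date, days, request_utc)
        spans[days] = end - start
    # Record noted at 9:00am PST the previous local day (constructed sample).
    record = datetime(2024, 1, 14, 9, 0, tzinfo=PST)
    return end_date, spans, days_needed(end_date, record)


if __name__ == "__main__":
    end_date, spans, needed = scenario()
    print("End Date (UTC):", end_date)
    for days, span in spans.items():
        print(f"Days={days}: covers {span}")
    print("Days needed for the sample record:", needed)
```

Use days_needed with the date/ time you noted in STEP 6 to pick a Days value for STEP 8 that is sure to span the target record.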
Additional :Assess Detailed Review
Subsequent Walkthroughs will focus on the Report details, for example File Detail transaction content as it relates to Managed Files/ Restore values. Refer back to this article for specific links when the associated Walkthrough is available, and review the article, Acquiring Data Access Reports for more information.
Additional Resources
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v10.7.1 of the :Foundation Client