Acquire Usage Reports

ProtectNow! Support
  • Updated
Follow

This article shows you how to scope/ acquire :Assess Reports that contain KODiAC Audit records with Transaction details.

Introduction

Previous Walkthroughs introduced basic SSProtect :Foundation Client capabilities to you - from protecting and accessing data to Restoring :Recover content. This article shows you how to scope/ acquire :Assess Usage Reports that include KODiAC Audit Records with transaction details.

Prerequisites

This article assumes you have downloaded and installed the :Foundation Client as described in the article, Installing the :Foundation Client. It's helpful if you have also worked through the following Walkthroughs:

You can Provision a Test Account as described in the article, Introduction and Preparation, then work through the above Walkthrough's STEPS, though this article doesn't rely on specifics for detailed insight. We however recommend the noted ordered approach since future changes and/ or future :Assess Walkthrough details may choose to take advantage of details for additional clarity.

Auditing and Reporting Overview

:Assess auditing is carried out by KODiAC (Cloud) Services using a combination of host-specific claims and deterministic KODiAC (Cloud) transaction details. Auditing is a native part of every KODiAC transaction, and a requirement for proper execution. Content is indexed, securely stored, and replicated for high-performance Analysis (:Respond) and Reporting.

Report content is generated on-demand. When you submit a request with the :Foundation Client, KODiAC queries audit data then filters results for CSV delivery. The :Foundation Client feeds results to an appropriate, (signed) Excel macro template then displays the resulting, macro-free Workbook for review.

:Assess Reports

STEP 1: Login to your Test Account then navigate to the notification tray, right-click SSProtect and park your mouse over the Usage Reports menu selection to view the Quick Reports in the submenu:

Tutorial-Assess-Menu.png

SSProtect offers the following :Assess Reports, available to all Accounts:

  • File Detail Report - Conversion transaction details for Managed Content activities
  • File Sequence Report - Summary Managed Access, Open, and Close progressions 
  • Admin Report - Configuration and maintenance activity; noted as User Report for Non-Privileged Accounts
  • Integrated Report - Combined Report with File Details and Admin/ User Report records

Report Scope for Privileged/ Non-Privileged Users

The Admin Report is, as noted, listed as a User Report for Non-Privileged Users. The real difference is in data scope: The Admin Report (for Privileged Users) contains configuration and maintenance activity for all Accounts in the managed Organization, whereas the User Report (for Non-Privileged Users) only contains activity for the caller's Account.

This fact holds true for all Reports, though other Quick Report menu names don't change with caller context. Other than the Header Title, each respective Report is the same: KODiAC queries the same record types and includes the same level of detailed output (for a given Report type).

Displaying Quick Reports

STEP 2: From the context menu, choose the Integrated Report:

Tutorial-Assess-2dIntegrated.png

Though difficult to see in the screenshot, you should recognize a series of operations that represent Authentication/ Authorization for Login (and perhaps Logout) along with Restore and/ or Conversion transaction details (as you scroll through the Report). The latter details would be included in a File Detail Report whereas the former in an Admin (User) Report.

STEP 3: From the context menu, choose each of the other Quick Reports, and review content to compare output detail. File Conversion details will be detailed in a Walkthrough that will be available shortly.

Quick Report Result Files/ Filenames

Refer to the Excel Window Caption that shows the associated stored filename: Quick Report output is stored in a temporary location - %localappdata%\DefiniSec\Config\Reports - that is cleared when your Login Session is terminated. The filename uses the following format: <Type>-yymmddhhmmss.xlsx. This allows for multiple, subsequent Reports to be stored without overwriting recent content.

You can, of course, perform a Save As operation in Excel to keep a permanent copy of the results.

At the same time, however, raw CSV data is stored in two locations - a temporary file in the same \Reports scratch folder using the <type>_last.csv format, and one in your Default Folder that uses a slightly more user-friendly name of yyyy.mm.ddq-<type>.csv. This latter file remains unless you request another instance of the same Quick Report, in which case it is overwritten with the most recent CSV data.

This CSV file is used as input to an associated Excel Macro-Enabled (and signed) Workbook Report Template that formats results for viewing.

Applying CSV Results to Report Templates

To apply the Quick Report CSV data to the proper Report Template, visit the Usage Report dialog:

STEP 4: From the context menu, hover over Usage Reports then choose Manage when the submenu appears:

Tutorial-Assess-ReoprtDetail.png

The upper half of this dialog is specific to :Assess Reporting (as noted by the containing boundary text) while the lower half is specific to Host Debug Logfiles, described in the article, Accessing Host Debug Logs.

We are, however, currently interested in the Filename detail, which in this case refers to a 2d Quick Report for File Sequences, as you can see by the filename suffix and yyyy.mm.ddq-<type> presence.

STEP 5: Click the Report... button to have SSProtect re-apply the Filename's CSV data to the proper (installed) Report Template, which then automatically displays the result

The resulting Report will be exactly the same as before, which gives you another opportunity to perform Save As... to retain a copy of the macro-free Workbook results. Remember that any subsequent Quick Report of the same type will overwrite the target CSV data, without prompting. This is one of the few cases where content is overwritten, because...

Report Data is Immutable

Report content is immutable, that is, it will not change over time. Should you inadvertently generate another Quick Report, overwriting previously stored CSV content, you can manually generate the same Report spanning the same target timeframe to acquire the exact same results (in corresponding records).

STEP 6: From the currently displayed Report, pick a date/ time and make note of the associated record content (Excel row data). Close the file.

STEP 7: From the Usage Reports dialog, choose the Type that matches the previous Report; checking both Admin and File, as shown in the included screenshot, generates the Integrated Report else the Report matching the checked box. If you check Seq, the Admin/ File checkboxes are disabled (which generates the Sequence Report). Deselect Seq to re-enable Admin/ File. Make the appropriate selection to match your details.

STEP 8: Leave the End Date (not labeled) as displayed, which will be the present day UTC (if you're in North America and it's a few hours before midnight, the date will be your current date + 1 day). Change the Days designation to make sure the Report spans your target record's date/ time. The first Day in the count is the day that's displayed, UTC. Refer to the next section for additional details.

STEP 9: Click Acquire then choose the target CSV filename, which by default uses the same file format as the associated Quick Report without the date's, "q" qualifier. Click Save to have SSProtect request and acquire the resulting CSV content from KODiAC, then apply it to the matching Excel Report Template for display.

STEP 10: Search through the resulting Report to find the date/ time you identified in STEP 6 then verify that record content is the same. If your Report does not include the target Date/ Time, continue to the next section to review the way UTC date/ time values scope Report output.

Looking Deeper: Usage Report UTC End Date And Days Designations

SSProtect aimed to simplify Report output by allowing you to select a target End Date then specify the number of Days you wanted to include. This is reflected in both the Usage Report UI and also :Respond Report controls. Quick Reports (using the Quick Action menu) use the current day as the End Date and a count of one (1) for Days.

This creates confusion, especially when submitting a request shortly after midnight UTC but from a time zone in North America.

First, the Days designation isn't intended to target a 24 hour timespan - it specifically indicates which days to include in the final Report. For example, a value of one (1) for Days means to only include event records that fall exactly on the target End Date, whereas a value of two (2) means to include records for the End Date and the day before, and so forth.

Second, the target End Date is always UTC, which in scenarios like the one noted above, means the UTC date is different than your local time zone's date.

The results: If you submitted a Report from San Francisco at 4:05pm in the winter time (time zone = PST, UTC - 8) and you submitted the request using a value of one (1) for Days, you'd get the last 5 minutes (and some seconds) of event records (of course with a type that matches the type of Report you requested).

This is not usually the intent of such a request.

Starting in v10.7.1, the :Foundation Client detects this case and make an adjustment that results in the last 24h and 5m of event records (for the given case). This applies to Quick Action Reports and those you request with the Usage Reports UI - :Respond Reports and :Expand API Report requests are not adjusted.

This adjustment is only applied when the End Date is +1 from the current date/ time in your local time zone. For manually submitted Reports from the Usage Reports UI, the, "current" date/ time used for this calculation depends on the date/ time when you invoke the UI display, not when you submit the request. As a result, if you display the dialog at 3:59:59 PM PST and 20 seconds later choose your Report Type then execute Acquire, you'll only see event records for the current day rather than those that have been recorded since you displayed the UI (that would be, "after midnight UTC", which triggers the adjustment rule).

Additional :Assess Detailed Review

Subsequent Walkthroughs will focus on the Report details, for example File Detail transaction content as it relates to Managed Files/ Restore values. Refer back to this article for specific links when the associated Walkthrough is available, and review the article, Acquiring Data Access Reports for more information.

Additional Resources

You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.

In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.

This article was updated w/ v10.7.1 of the :Foundation Client