Table of contents

Generate reports about alerts and other activity

Workload Security produces reports in PDF or RTF formats. Most of the reports have configurable parameters such as date range or reporting by computer group. Parameter options will be disabled for reports to which they don't apply. You can set up a one-time report (see Set up a single report) or set up a schedule to run a report on a regular basis (see Set up a scheduled report).

Set up a single report

  1. In the Workload Security console, go to the Events & Reports tab and then in the left pane, click Generate Reports > Single Report.
  2. In the Report list, select the type of report that you want to generate. Depending on which protection modules you are using, these reports may be available:

    • Alert Report: List of the most common alerts.
    • Anti-Malware Report: List of the top 25 infected computers.
    • Attack Report: Summary table with analysis activity, divided by mode. For details, see About attack reports.
    • Computer Report: Summary of each computer listed on the Computers tab.
    • DPI Rule Recommendation Report: Intrusion prevention rule recommendations. This report can be run for only one security policy or computer at a time.
    • Firewall Report: Record of firewall rule and stateful configuration activity.
    • Forensic Computer Audit Report: Configuration of an agent on a computer.
    • Integrity Monitoring Baseline Report: Baseline of the computers at a particular time, showing Type, Key, and Fingerprinted Date.

      For customers who subscribed to Workload Security on or before July 12, 2021 and are using the agent version 20.0.0-2593 or later, the baseline has been removed and the Integrity Monitoring Baseline Report is no longer available. For customers who subscribed before July 12, 2021, the report is unavailable as of January 1, 2022. For more information, see Removal of the Integrity Monitoring Baseline Report from Trend Cloud One - Endpoint & Workload Security.

    • Integrity Monitoring Detailed Change Report: Details about the changes detected.

    • Integrity Monitoring Report: Summary of the changes detected.
    • Intrusion Prevention Report: Record of intrusion prevention rule activity.
    • Log Inspection Detailed Report: Details of log data that has been collected.
    • Log Inspection Report: Summary of log data that has been collected.
    • Recommendation Report: Record of recommendation scan activity.
    • Recommendation Summary Report: Consolidated summary of Workload Security activity.
    • Security Module Usage Report: Breakdown of consumption hours by cloud account.
    • Summary Report: Consolidated summary of Workload Security activity.
    • Suspicious Application Activity Report: Information about suspected malicious activity.
    • System Event Report: Record of system (non-security) activity.
    • User and Contact Report: Content and activity detail for users and contacts.
    • Web Reputation Report: List of computers with the most web reputation events.
  3. Select the Format for the report, either PDF or RTF. The Security Module Usage Report is an exception, and is always outputted as CSV files.

  4. You can also add an optional Classification to PDF or RTF reports: BLANK, TOP SECRET, SECRET, CONFIDENTIAL, FOR OFFICIAL USE ONLY, LAW ENFORCEMENT SENSITIVE (LES), LIMITED DISTRIBUTION, UNCLASSIFIED, INTERNAL USE ONLY.
  5. You can use the Tag Filter area to filter the report data using event tags (if you have selected a report that contains event data). Select All for all events, Untagged for only untagged events, or select Tag(s) and specify one or more tags to include only those events with your selected tags.

If you apply multiple contradicting tags, the tags counteract each other, rather than combine. For example, if you select User Signed In and User Signed Out, there will be no system events.

  1. You can use the Time Filter area to set a time filter for any period for which records exist. This is useful for security audits. Time filter options:

  2. Last 24 Hours: Includes events from the past 24 hours, starting and ending at the top of the hour. For example, if you generate a report on December 5th at 10:14am, you get a report for events that occurred between December 4th at 10:00am and December 5th at 10:00am.

  3. Last 7 Days: Includes events from the past week. Weeks start and end at midnight (00:00). For example, if you generate a report on December 5th at 10:14am, you get a report for events that occurred between November 28th at 0:00am and December 5th at 0:00am.
  4. Previous Month: Includes events from the last full calendar month, starting and ending at midnight (00:00). For example, if you select this option on November 15, you receive a report for events that occurred between midnight October 1 to midnight November 1.
  5. Custom Range: Enables you to specify your own date and time range for the report. In the report, the start time may be changed to midnight if the start date is more than two days ago.

Reports use data stored in counters. Counters are data aggregated periodically from Events. Counter data is aggregated on an hourly basis for the most recent 60 hours. Data from the current hour is not included in reports. Data older than 60 hours is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last 60 hours can be specified at an hourly level of granularity, but beyond 60 hours, the time period can only be specified on a daily level of granularity.

  1. In the Computer Filter area, select the computers whose data needs to be included in the report.

  2. All Computers: Every computer in Workload Security.

  3. My Computers: If the signed in user has restricted access to computers based on their user role's rights settings, these are the computers to which the signed-in User has view access right.
  4. In Group: The computers in a Workload Security group.
  5. Using Policy: The computers using a specific protection Policy.
  6. Computer: A single computer.

To generate a report on specific computers from multiple computer groups, create a user who has viewing rights only to the computers in question and then either create a scheduled task to regularly generate an All Computers report for that user or sign in as that user and run an All Computers report. Only the computers to which that user has viewing rights are included in the report.

  1. In the Encryption area, you can protect the report with the password of the currently signed in user or with a new password for this report only:

  2. Disable Report Password: Report is not password protected.

  3. Use Current User's Report Password: Use the current user's PDF report password. To change the active user's PDF report password, from within Workload Security, click Workload Security User Properties at the top of the screen, then click the Settings tab. In the Password Protected Reports section, select Reports generated by this user are password protected if necessary, then enter and confirm the new password.
  4. Use Custom Report Password: Create a one-time-only password for this report. The password does not have any complexity requirements.

Set up a scheduled report

Scheduled reports are scheduled tasks that periodically generate and distribute reports to any number of users and contacts (this used to be called Recurring Reports).

To set up a scheduled report, go to the Events & Reports tab and then in the left pane, click Generate Reports > Scheduled Reports. Click New. The New Scheduled Task wizard opens to step you through the configuration process. Most of the options are identical to those for single reports, with the exception of Time Filter:

Time filter

  • Last [N] Hour(s): When [N] is less than 60, the start and end times are at the top of the specified hour. When [N] is more than 60, hourly data is not available for the beginning of the time range, so the start time in the report will be changed to midnight (00:00) of the start day.
  • Last [N] Day(s): Includes data from midnight [N] days ago to midnight of the current day.
  • Last [N] Week(s): Includes events from the last [N] weeks, starting and ending at midnight (00:00).
  • Last [N] Month(s): Includes events from the last [N] full calendar month, starting and ending at midnight (00:00). For example, if you select "Last 1 Month(s)" on November 15, you receive a report for events that occurred between midnight October 1 to midnight November 1.

Reports use data stored in counters. Counters are data aggregated periodically from events. Counter data is aggregated on an hourly basis for the most recent 60 hours. Data from the current hour is not included in reports. Data older than 60 hours is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last 60 hours can be specified at an hourly level of granularity, but beyond 60 hours, the time period can only be specified on a daily level of granularity.

For more information on scheduled tasks, see the Schedule Workload Security to perform tasks.

Troubleshoot: Scheduled report sending failed

In Workload Security, you can schedule your regular reports and send them by email, however the size of the email cannot exceed 20 MB, otherwise the email fails to send. In the Events & Reports page, a corresponding Email Failed event occurs, which displays the error message, mail subject, and mail-to information.

If the report email fails to send due to the message size exceeding the limit, separate the report into subreports by using a shorter time range or filtering the target computers by Group or Policy.