Report Generator
You can use a template and filters to generate a report.
Introduction
You can select a report template, specify filters, generate a report, and save the template with your filter and display settings. You can also set up an export schedule for reports. You can download reports in the following formats: PDF, CSV and HTML.
Generated reports that you can view in Sophos Central support up to 10,000 records in a report. Scheduled exports support up to 100,000 records in a report for CSV, and up to 10,000 records for HTML and PDF.
The report generator tab includes the following areas:
- Filters
- Chart
- Table
Filters
Under Filters, you can select the firewalls, report template, and time frame. You can also specify queries.
Select your firewalls from the drop-down list and click Apply. If you want to deselect all of your firewalls, go to the drop-down list and click Deselect all, then click Apply. You can also deselect them one at a time.
If you selected multiple firewalls, you can click the text, for example, 3 Firewalls, to see the names of those firewalls.
Under Report templates, you can select one of the following report templates:
- ATP: Threats coming from specific IP addresses detected by ATP (Advanced Threat Protection).
- Antivirus: Malware or suspicious items that are blocked.
- Bandwidth usage: Bandwidth used by specific applications.
- Cloud app risks and usage: Cloud apps used and any risks associated with those apps.
- Firewall: Numbers of connections between specific IP addresses.
- IPS: Attempted attacks caught by IPS (Intrusion Prevention System).
- Log viewer & search: Log entries generated by the firewall in non-aggregated form. The Log viewer & search report doesn't include a chart, only a table.
- Sandstorm events: Files and emails that contain suspicious attachments that are sent to Sandstorm.
- Threat geo activity: Blocked threats from certain countries.
- Threats & events blocked: All types of threats and events that are blocked.
- VPN usage: Amount of usage of specific VPN connections.
- Web usage: Visits to specific websites.
Under Time frame, you can specify the time frame for which information is shown by selecting one option. If you select Custom, you can select the dates and times between which information is shown.
Add filters
Charts
You can select the chart type in the top right of the area.
- Bar
- Horizontal bar
- Pie
- Line
- Stack-area
To select which information is shown on each axis, do as follows:
- Click the screwdriver and spanner button in the top right of the area.
- In the top box, select which information is shown on the x-axis.
- In the next box, click the arrow and select which information is shown on the y-axis.
- If a line or stack-area chart is shown, in the bottom box, click the arrow and select which information is shown on the z-axis.
When you select a different chart type, it shows default information on each axis, even if you previously changed it.
If you hover over the chart, the data values are shown.
Schedule reports
You can download your exported reports from Scheduled Exports.
Save a report template
Click Save Template to save the selected report template with any of the filters or display settings that you've applied, including the following:
- Query filters
- Chart type
- Chart axes
- Table sorting
- Table columns
This saves you from having to make all the selections again. The report template is saved to the Saved Templates tab. The data isn't saved with the template.
You can also turn export scheduling on and off for this report template.
Tables
When the table is first shown, it uses a default set of columns. You can select which columns to show by clicking the column selection button in the top right of the table area.
The rows are combined to remove duplicate rows. For example, by default, the table shows the number of hits for a specific rule ID, source IP, destination IP, and country. This is represented by one row:
| FIREWALL RULE ID | SOURCE IP | DESTINATION IP | SOURCE COUNTRY | HITS |
|---|---|---|---|---|
| 0 | 1.1.1.1 | 255.255.255.255 | Australia | 3 |
However, if you add another column in which the data is different in each row, for example, the user, one row is shown for each hit, with each row having the same rule ID, source IP, destination IP, and country:
| FIREWALL RULE ID | USER | SOURCE IP | DESTINATION IP | SOURCE COUNTRY | HITS |
|---|---|---|---|---|---|
| 0 | John Smith | 1.1.1.1 | 255.255.255.255 | Australia | 1 |
| 0 | Paul Jones | 1.1.1.1 | 255.255.255.255 | Australia | 1 |
| 0 | George Harris | 1.1.1.1 | 255.255.255.255 | Australia | 1 |
The more columns you add, the more granular the information that is shown.
If the date column is shown, duplicate rows are grouped on the date and time as follows:
| Time frame | Row grouping |
|---|---|
| Less than or equal to 1 hour | Rows in which the date and time are the same (to the nearest minute). |
| Greater than 1 hour but less than or equal to 48 hours | Rows in which the date and time are the same (to the nearest hour). |
| Greater than 48 hours | Rows in which the date and time are the same (to the nearest day). |
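The row combining and date grouping described above can be reproduced over exported records, for example to check that a hit count in a report matches the underlying log entries. The following is an added example, not Sophos code: the field names and sample records are constructed, and it assumes timestamps are truncated (not rounded) to the minute, hour, or day.

```python
from collections import Counter
from datetime import datetime, timedelta

def bucket(ts, time_frame):
    """Reduce a timestamp to the granularity listed for the report time frame.
    Assumption: truncation to the start of the minute, hour, or day."""
    if time_frame <= timedelta(hours=1):
        return ts.replace(second=0, microsecond=0)
    if time_frame <= timedelta(hours=48):
        return ts.replace(minute=0, second=0, microsecond=0)
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)

def aggregate(records, columns, time_frame):
    """Combine records that are identical in every displayed column.
    Each combined row carries a 'hits' count of the records it represents."""
    hits = Counter()
    for rec in records:
        key = tuple(
            bucket(rec[col], time_frame) if col == "date" else rec[col]
            for col in columns
        )
        hits[key] += 1
    return [dict(zip(columns, key), hits=count) for key, count in hits.items()]

# Constructed sample records modelled on the tables above (hypothetical field names).
# time_frame is only used here to pick the grouping granularity.
BASE = {"rule_id": 0, "src_ip": "1.1.1.1", "dst_ip": "255.255.255.255",
        "country": "Australia"}
RECORDS = [
    {**BASE, "user": "John Smith", "date": datetime(2024, 1, 1, 9, 15, 10)},
    {**BASE, "user": "Paul Jones", "date": datetime(2024, 1, 1, 9, 40, 40)},
    {**BASE, "user": "George Harris", "date": datetime(2024, 1, 1, 11, 5, 0)},
]
DEFAULT_COLUMNS = ["rule_id", "src_ip", "dst_ip", "country"]

if __name__ == "__main__":
    views = [
        (DEFAULT_COLUMNS, timedelta(hours=1)),             # one row, 3 hits
        (DEFAULT_COLUMNS + ["user"], timedelta(hours=1)),  # one row per user
        (DEFAULT_COLUMNS + ["date"], timedelta(hours=24)), # grouped by hour
    ]
    for columns, frame in views:
        print(columns, frame)
        for row in aggregate(RECORDS, columns, frame):
            print("  ", row)
```
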
Some columns include values that are hyperlinks. If you click one of these, a filter on that value is added to the Query box. You can then use this to filter the report. For example, in the table above, if you click Australia, a filter is added: Source Country = Australia. You can repeat this for other values to make the filter more specific. For the Threats & events blocked report, such hyperlinks also link to one of the other reports.
For the Log viewer & search report, the buttons in the top right of the area allow you to switch between the tabular view, which shows a limited number of columns, and the raw view, which shows all columns.