The New Security Overview Report
What is the Security Overview Report?
To help you gain a better perspective of security-related activity within your Umbrella environment, the Security Overview report gives you easy-to-read charts of your organization's identities and their activity. You can easily see what's going on with groups of identities, the types of internet requests they're making, and where any problems might be popping up. Then you can pivot to more advanced reports and determine if there are security risks to your environment that require you to take action.
The Security Overview report's been upgraded! You can still access the old report by downgrading Umbrella. To access the old report's documentation, see Security Overview Report.
Accessing the Security Overview Report
Navigate to Reporting > Security Overview.
The Security Overview report is divided into three main areas. At the top, you'll find overview charts for security events. The middle area provides you with a hierarchical view of your security activity—what is generating the most activity—and from which you can click through to other reports—Destination, Identity, and Activity Search. The bottom of the report is where you'll find statistical charts documenting the deployment activity for your organization.
Filtering based on time period
The Security Overview report is time-based and can be generated to show activity for the last 24 hours, the previous calendar day (yesterday), the last seven days, or the last month.
Scheduling a report
You can schedule a report to be emailed to you at regular intervals. Your emailed report includes a table showing an HTML version of the report and an attached CSV file containing the entire data set. The email also includes a link to a live version of the same report. To schedule the Security Overview report:
- Click the Schedule Report icon.
- Select the report type you'd like (Executive Summary, selected by default) and click Next.
- Add email addresses for the recipients of the report and click Next.
- Schedule the frequency of when you'd like the report sent and click Next.
- Give your report a name that's easy to remember and click Save.
To learn more about scheduled reports, click here.
TIP
Umbrella reports are highly time dependent. The time is UTC by default, but can be changed to a different timezone on a per-user basis. Navigate to Settings > Accounts and update your account's time setting.
Filtering Security Activity
The filter control allows you to change the types of identities shown in the security blocks section, as well as toggle "monitoring only mode" by choosing either All Security Events or Security Blocks. The All Security Events option includes those events that were tagged as security but were not blocked.
The report is intelligent enough to default to the correct mode, so if your organization has no security blocks for the time period selected, it will automatically default to All Security Events, showing the potential events that could have been blocked. If there are any security blocks for a time period, the report will show the blocks. This filter allows users to toggle back and forth between the two views.
The filter control is under the Filters button and filters by both Events and Identities:
Filters: Events and Identities
The Events and Identities filters work in conjunction with each other, meaning that they are always both on but can be set up in different combinations. You might select Events > Security Blocks in combination with Identities > All Identities or Events > Security Blocks with Exclude Sites & Networks.
Networks generate a far higher volume of traffic than single computers, so excluding them from the report can help identify particular machines with an unusually high volume of security events being blocked (or allowed, as the case may be).
Selecting an Events filter changes the events returned for the most active destinations, identities, and request types:
- Security Blocks—Lists only those requests blocked by Umbrella for the selected time period.
- All Security Events—Lists all security events for the selected time period. This is the default view if there are no security events within the selected time period.
Selecting an Identities filter changes the identities returned for the most active destinations, identities, and request types:
- All Identities—Lists all requests for all identities for the selected period.
- Exclude Sites & Networks—Lists all requests for roaming clients and Active Directory (AD) users.
Selecting any combination of filters will change the charts to reflect that combination:
Events – Security Blocks and All Security Events
The top set of charts provides you with a quick, easy-to-follow overview of security activity that has occurred within your organization for the selected time period. Your view is based on the default Events filter selected:
- Security Blocks—If there has been a security event within the selected time period.
- All Security Events—If there has NOT been a security event within the selected time period.
You can quickly see spikes in activity that might indicate a change or threat to your environment that requires your attention. You can roll over each chart to see the number of events that occurred at that time and then click at that point to go to the Activity Search page to see activity details for that specific time.