Enterprise Reporter EVALUATION GUIDE
Models: ER HL/SL
Software Version: 5.0.00
Document Version: 01.07.
ENTERPRISE REPORTER EVALUATION GUIDE
© 2009 8e6 Technologies
All rights reserved. Printed in the United States of America
Local: 714.282.6111 • Domestic U.S.: 1.888.786.7999 • International: +1.714.282.6111
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from 8e6 Technologies. Every effort has been made to ensure the accuracy of this document.
CONTENTS
8E6 ENTERPRISE REPORTER EVALUATION GUIDE
Overview
Note to Evaluators
INSTALL THE ENTERPRISE REPORTER
CONFIGURE, TEST THE ENTERPRISE REPORTER
Create a Custom Report for a specific user
How to use the Custom Report Wizard
Generate a new Custom Report
Next steps for documenting, monitoring specific user activity
Export a Custom Report
8E6 ENTERPRISE REPORTER EVALUATION GUIDE
Overview
Thank you for choosing to review 8e6 Technologies’ Enterprise Reporter. The Enterprise Reporter helps administrators manage internal Web-based threats by documenting historical Internet usage information by user.
INSTALL THE ENTERPRISE REPORTER
To install the appliance, configure the box, and test that reporting is operational, please refer to the step-by-step instructions found in the Enterprise Reporter Quick Start Guide provided in the box. Please note that prior to reviewing the Enterprise Reporter you should install the R3000 Internet Filter, which is required for sending logs to the Reporter.
CONFIGURE, TEST THE ENTERPRISE REPORTER
Understand the most common and useful features
One of the advantages of a hardware appliance, in addition to its compatibility and extremely low profile on the network, is its ease of use.
Use custom Category Groups to narrow your search
Prior to running any reports, there are a few recommended configuration steps that create a more customized experience for the evaluator. The first step is to create category groups, which are customized groupings from the 8e6 library of more than 99 filter categories.
Group Definitions frame
The Group Definitions frame displays to the right in the Category Groupings window. In this frame you define a category group by specifying which categories will belong to that group.
How to add Categories to a Category Group
1. Select a category group from the Group Name pull-down menu. Any categories previously entered display in the list box in this frame.
Use custom User Groups to narrow your search
The next step is to create user groups, which are customized groupings of users that reside on the organization’s network. For example, most enterprise customers prefer to set up user groups for each department within the company, and education customers prefer to set up separate user groups for each classroom or grade level.
Group Definitions frame
The Group Definitions frame displays to the right in the User Groupings window. In this frame you can view members of a user group, and can define a user group by specifying which users will belong to that group.
Define a User Group
When defining a user group, you can add and/or exclude users to/from that group. Modifications to a user group can be made at any time, as necessary.
1.
• Please Enter IP Range - This frame is used for including users based on a range of IP addresses. For example, you might have one range of IP addresses for sales, and another for admin. Enter the IP address range in the From and To fields. Click the Add IP Range button to add the IP address range.
• Individual Adds/Removes - This frame is used for including and/or excluding specified users.
Use Enterprise Reporter to conduct an investigation
Once custom category groups and user groups have been created, administrators can begin running their first reports. In most cases, administrators will employ the Enterprise Reporter as a forensic tool to determine if anomalous Internet behavior exists in their organization.
Use Enterprise Reporter Canned Reports
As previously stated, the first thing the administrator will see when logging into the Enterprise Reporter is a dashboard of graphical reports called “Canned Reports”. By viewing these reports, an administrator has an at-a-glance view of any anomalous behavior that warrants an investigation.
How to generate a Canned Report
To generate a canned report:
1. Go to the navigation panel and click Canned Reports to display yesterday’s Top 20 (Internet Filtering) Categories by Page Count report view in the right panel:
Yesterday’s Top 20 Categories by Page Count Report
TIP: Click the left arrow or right arrow at the edges of the dashboard to display thumbnail images that are currently hidden.
Sample Bar Chart Canned Report
Sample Pie Chart Canned Report
The header of the generated canned report includes the date range, Report Type, and criteria Details. The body of the first page of the report includes the following information:
• Bar chart - name of category, username, username path, URL or site IP address, or user group name, and corresponding bar graph.
The body of the following page(s) of the report includes Count columns and corresponding totals. The Grand Total and Count display at the end of the report.
NOTE: See ‘Summary Drill Down Report navigation’ for information about report elements referenced above.
How to generate a Summary Drill Down Report
To generate a summary drill down report:
1. Go to the navigation panel and click Drill Down Reports to display (by default) today’s Categories report view by Page Count in the right panel:
Sample Drill Down Categories Report (Summary report)
2.
3. Use the tools in the right panel to create the desired drill down view.
NOTE: See ‘Summary Drill Down Report navigation’ for information on using the reporting elements described in this sub-section.
4. The drill down view can be exported, saved, and/or scheduled to run at a specified time.
Count columns
Columns for specified “item counts” display in the body of all drill down report views. The column for the current report type does not display and therefore cannot be selected.
Count columns
• Category Count - displays the number of categories a user has visited, or the number of categories included within a given site.
However, if an advertisement or banner ad (an object on the page) is actually a page from another site, this item would not be classified as an object but as a page, since it comes from a different server.
• in the Record navigation field, click any of the four arrow buttons to advance forward or backward through the list of records. In the order in which they display in the Record field, clicking these buttons moves you to the first record, the record prior to the selected record, the record following the selected record, and the last record.
• Filter Action - the Filter Action column displays the type of filter action used by the R3000 in creating the record: "Allowed", "Blocked", "Warn Blocked" (for the first warning page that displayed for the end user), "Warn Allowed" (for any subsequent warning page that displayed for the end user), "X-Strike", or "N/A" if the filter action was unclassified at the time the log file was created.
Evaluation steps
For the purpose of this evaluation, follow these steps to witness how the 8e6 Enterprise Reporter is best-in-class in terms of the extent of detailed page and object information it provides.
Click the URL link to launch the actual Web site viewed by the user to verify the content that was accessed.
Step 4: Sort by “Content Type”
Sort by the column labeled “Content Type” by clicking that column header. This will sort all records by the search type filtered on the R3000 Internet Filter.
Create a Custom Report for a specific user
After reviewing the detail drill down report, if the administrator is confident that an individual has violated the Internet Acceptable Use Policy (AUP), the most common step to take next is to run a custom report for this specific individual that covers a greater time period.
• At the From Time field, specify the start of the time range by making a selection from any of the pull-down menus for the hour (1-12), minute (00-59), or AM or PM.
• At the To Time field, specify the end of the time range by making a selection from any of the pull-down menus for the hour (1-12), minute (00-59), or AM or PM.
3.
NOTE: As the report is generating, a window displays on the screen providing status on which stage of the report process is underway.
When completely generated, the specific user report displays in the view pane. This report has the same format as the detail drill down report discussed earlier. The custom report view can be exported, saved, and/or scheduled to run at a specified time.
Save a Detail Custom Report
1. Click the Save Report button to open the Save Custom Report pop-up box:
Save Custom Report option (Detail report)
2. In the Save Name field, enter a name for the report. This name will display in the Report Name pull-down menu in the Saved Custom Reports option accessible via the Custom Reports menu.
3. In the Description field, enter the report description.
add—a check mark in the checkbox. By entering a check mark in this checkbox, activity on machines not assigned to specific end users will not be included in report views. Changing this selection will not affect the setting previously saved in the Options window. (For purposes of this evaluation, leave this checkbox deselected.)
7.
Schedule a report to run
Once a report view has been saved, it can be scheduled to run at a designated time. To schedule a report to run:
1. Go to the Settings menu in the navigation panel and select Event Schedule. The Event Schedule option is used for maintaining a schedule for generating a customized report.
Event Schedule window (administrator login)
If logged in as the administrator, all scheduled events display.
4. Select the Report to Run from the pull-down menu.
5. Select the frequency When to Run from the pull-down menu (“Daily”, “Weekly”, or “Monthly”). If Weekly, specify the Day of the Week from the pull-down menu (Sunday - Saturday).
6. Select the Start Time for the report: 1 - 12 for the hour, 00 - 59 for the minute, and AM or PM.
NOTE: The default Start Time is 8:00 AM.
Appendix A: Samples of Commonly Used Reports
Though this Evaluation Guide is primarily designed to lead the evaluator through the process of an investigation, there are many other useful features to explore in the Enterprise Reporter.
Report format
For each report, the header contains the following information:
• Sort Order: Page Count, descending
• From: / To: today’s date displays
• the name of the report displays
The footer of each report contains the following information:
• today’s date (MM/DD/YYYY) and time (HH:MM:SS AM/PM) the report was generated
• Page number
• Filter: None
• Generated by: manager’s login ID
Examples of available
Sample Report 2: “Top 20 Sites by User/Site”
This report will document the top 20 sites visited for every user in the organization. This is a useful tool in monitoring the high level Web activity of users, and can help fine-tune sites the administrator allows users to access.
Sample Report 3: “By Category/User/Site”
This is an example of a triple break report that shows all activity on the network, broken out by category, then user, and then site. This is a useful report if the administrator is looking for an all-encompassing view of Internet activity within the organization. However, please note that this is usually a very lengthy report since it captures all user information by site.
Appendix B: Export and Save Summary Reports
The Enterprise Reporter has a variety of different reporting options. In a fashion similar to the Specific User Report creation process described in the sample investigation earlier in this guide, administrators can also create custom reports from a Summary Drill Down Report view.
Step 3: Export a Summary Drill Down Report
1. Click the Export Report button to open the Export Drill Down Report pop-up box:
Export Drill Down Report option (Summary report)
NOTE: Information on using the fields in this pop-up box can be found in the ‘Report fields’ sub-section.
2.
How to save a Summary Drill Down Report
1. Click the Save Report button to open the Save Custom Report pop-up box:
Save Custom Report option (Summary report)
2. In the Save Name field, enter a name for the report. This name will display in the Report Name pull-down menu in the Saved Custom Reports option accessible via the Custom Reports menu.
5. Choose the break type, output type and format:
• Break type - available selections are based on the type of report generated. There are no break types available for specific user reports.
• Output type - choose either “E-Mail As Attachment”, or “E-Mail As Link”.
• Format - selections include: “MS-DOS Text”, “PDF”, “Rich Text Format”, “HTML”, “Comma-Delimited Text”, and “Excel (English)”.
6.
Other Summary Report tools
Set Result Limit
1. Click the Set Result Limit button to open the Set Result Limit pop-up box:
Set Result Limit option (Summary report only)
2. Indicate the Result Set Limit by selecting the appropriate radio button:
• Show all records - Click this radio button to include all records returned by the report query.
Week”, “Last Weekend”, “Current Week”, “Last Month”. Reports can be run for any data saved in the ER Server’s memory.
• Today - this option generates the report view for today only, if logs from the Web access logging device have been received and processed.
• Month to Date - this option generates the report view for the range of days that includes the first day of the current month through today.
NOTE: The Default Top Value entry in the Default Options window is accessible via Default Options in the Settings menu. See the Default Options sub-section in Chapter 2: Customizing the Client of the Enterprise Reporter Web Client User Guide for more information about the Default Top Value.
NOTES: For pie or bar chart selections, “PDF” displays grayed out since this is the only output format available for these report types. Information on report formats can be found in the ‘Methods for exporting a Drill Down Report’ sub-section.
Methods for exporting a Drill Down Report
A drill down report view can be emailed or viewed in a specified output format via the Export Drill Down Report option.
Email option
The email option for exporting reports lets you electronically send the report in the specified file format to designated personnel.
4. Click E-mail to send the report to the designated recipient(s). As a result of this action, the Email Report pop-up box now displays information to indicate the report is being generated.
WARNING: Large reports might not be sent due to email size restrictions on your mail server. The maximum size of an email message is often two or three MB.
View and print tools
In the browser window containing the report, the tools available via the toolbar let you perform some of the following actions on the open report file:
File:
• Save (Ctrl+S) or Save As - save the report file to your local drive
• Print (Ctrl+P) - open the Print dialog box where specifications can be made before printing the report file, such as changing the orientation of the printed page by selecting
PDF
This is a sample of the Categories report in the PDF format, saved with a .pdf file extension:
Categories report, PDF format
Examples of other report formats are provided in the Enterprise Reporter Web Client User Guide.