Reporting Group

This article provides a hands-on overview of browsing cubes in IT Analytics Solution 7.1 and the Symantec Data Loss Prevention Content Pack.  You will learn how to browse cubes and configure Pivot Tables using a number of common usage scenarios.  Using the ad-hoc data mining capabilities of IT Analytics we will perform some forensic analysis of DLP incidents in the environment by status history and detection date.

To complete this exercise, you should have IT Analytics with the Symantec Data Loss Prevention Content Pack 3.0 already installed. For more information, please refer to the Connect article for installing IT Analytics.

Report #1: Incident Remediation SLA

In this exercise, we will create a report to monitor remediation team productivity by showing the number of incidents reviewed and time it took to remediate per incident status.

1. Launch the Symantec Management Console 7.1.
2. Click the Reports menu item and select All Reports.
3. Expand the Reports folder.
4. Expand the IT Analytics folder.
5. Expand the Cubes folder.
6. Select the DLP Incident Status History Cube.
7. Click anywhere in the PivotTable window to display the Field List.  Clicking on this icon   in the toolbar will also cause the field list to be displayed.
8. Drag and drop the Incident Count measure into the Totals pane:

9. Drag and drop the Incident History - Status attribute into the Rows pane:

10. Drag and drop the Change Role - Name attribute into the Filter pane at the top. If desired, you can click on the downward facing triangle on the header to filter the data by a specific role name:

Now that we have built our initial incidents view which showcases the number of incidents by status history, we will expand upon this view by bringing in more information.

11. Drag the additional measures just to the left of Incident Count:

• Avg Hours in Status
• Avg Hours to Status

12. Drag the Incident History - Next Status attribute into the Rows pane, in front of the Incident History - Status attribute. Expand a few of the statuses (by clicking on the '+' before the status name) to see a progression of the status and corresponding incident count, with times in and to the next status.

Report #2: Incident Detection Date vs. Message Date

In this exercise, we will create a report to monitor the delay between the incident occured date vs report date by showing the endpoint incident creation date vs detection date.

1. Staying within the console, as per the directions above, select the DLP Endpoint Incident Summary Cube.
2. Click anywhere in the PivotTable window to display the Field List.
3. Drag and drop the Incident Count measure into the Totals pane and the Detection - Date Range attribute into the Rows pane:

4. Drag and drop the Agents Count measure into the Totals pane.
5. Drag and drop the following attributes (in order) right after the Detection - Date Range attribute:

• Detection - Date
• Message - Date Range
• Message - Date
• Endpoint Incident - On or Off the Network

6. Expand a date range and drill into a specific detection date (by clicking on the '+' before the status name) to see how the detection date compares to the message date with a corresponding incident count and additionally, how many associated agents are on or off the network.

We will now continue exploring this data by leveraging some of the default charting capabilities in IT Analytics.

7. Click the Chart icon  in the toolbar to switch the view to chart format.

8. Select the Commands and Options button  on the toolbar, then click on the Type tab.
9. Select Column chart and the orientation depicted in the screenshot below:

10. Click the 3D View tab and select the Orthographic projection mode:

11. You should see the new pivot chart depicted as follows:

12. Remove the Message - Date Range and Message - Date attribute from the chart by clicking and dragging them down until you see a 'X' appear.
13. Drag the Detection - Date Range attribute from the bottom of the chart and place it in the filter pane at the top, then change it to display only incidents from 31-60 Days Ago:

14. Drag the Endpoint Incident - On or Off the Network attribute from the bottom to the Series Fields on the right of the chart.
15. Select the Show/Hide Legend button  from the toolbar.
16. Select the Commands and Options button on the toolbar, then click on the Type tab.
17. Select Area chart and the orientation depicted in the screenshot below:

18. You now should have a trending graph that looks similar to the following:

Note that based on the incidents in your environment, the chart data will look different.

19. Finally you can save this report by clicking the Save icon   in the toolbar.
20. Select the “Save as new view” radio button and name it appropriately.
21. You may also check the “Available to all users” checkbox in the event that you would like this report to be available to all users.  Leaving this unchecked will make this a private view only available to you.
22. Refresh the SMP Console and navigate back to the DLP Endpoint Incident Summary Cube (Reports > IT Analytics > Cubes).
23. To open the view you just saved click this icon   in the toolbar and select the report you just created in the dropdown list.  Note that the report is loaded exactly as you left it.

The ad-hoc nature of browsing the pivot tables and charts provides a simple and efficient way of creating custom reports on the fly, without previous knowledge of the DLP database schema or any query languages. Depending on your reporting requirements, you will want to experiment with the different cubes and fields to discover how IT Analytics can best meet your needs.