Analytics & Reporting
BeyondInsight contains a data warehouse solution with business intelligence and analytics. This module extracts data from the BeyondInsight database and then processes the data in Microsoft SQL Server Integration and Analysis Services. You can browse these cubes in BeyondInsight, Microsoft SQL Server Management Studio, or using tools such as Microsoft Excel.
Using an on-premises BeyondInsight Analytics & Reporting deployment, you can perform the following:
- Run reports on:
  - User accounts
  - Asset details
  - BeyondInsight user audit activity by user action, username, and IP address
  - BeyondInsight, Endpoint Privilege Management, Password Safe, and Workforce Passwords licensing usage
  - Password Safe activity, such as:
    - Detailed view of all password and session activity
    - Password Safe release and update activity
    - Scheduled password changes
    - Password age for managed accounts
    - User and group entitlements
    - Smart Rule details
    - Assets and managed accounts that are associated with multiple Smart Rules
    - Details on whether or not sessions were reviewed, when, and by whom
    - Who has admin access to your managed applications
  - User and product events and statistics
  - Scan job history and metrics
  - Secrets Safe entitlements
- Subscribe to reports to generate them on a schedule for automatic delivery to a network file share or through email.
- Save report views to easily reuse a report with predefined parameters.
- Download reports as the following file types: Word, Excel, PowerPoint, PDF, TIFF, MHTML (web archive), CSV (comma delimited), XML, data feed.
- Create report snapshots to save static views of report data.
- Interactively explore data and create and save custom reports with a pivot grid.
Prerequisites
To view reports, users must have read permissions to the Analytics and Reporting and Management Console Access features, which are assigned at the user group level. Administrators can view all reports.
Some report categories are visible only when specific product licenses are detected and if read permissions have been assigned to the user group for specific features, as listed below.
Report Category | License and Permission Requirement |
---|---|
Active Directory Bridge | AD Bridge license |
Endpoint Privilege Management | Endpoint Privilege Management license and read permissions for the Endpoint Privilege Management feature |
Licensing | Read permissions for the License Reporting feature |
Privilege Management UNIX Linux | Privilege Management for Unix & Linux license and read permissions for the Endpoint Privilege Management for Unix & Linux feature. |
Password Safe | Password Safe license |
Secrets Safe | Password Safe license |
Report by category in an on-premises BeyondInsight deployment
The table below lists the reports, with their descriptions, found in each report folder in an on-premises deployment of BeyondInsight Analytics & Reporting.
Report Folder | Report Name | Report Description |
---|---|---|
Account | Account Delta by Day | Shows the daily delta change for user accounts (added, removed, ending counts). |
Account | Account Delta by Month | Shows the monthly delta change for user accounts (added, removed, ending counts). |
Account | Account Delta by Week | Shows the weekly delta change for user accounts (added, removed, ending counts). |
Account | Account Last Login | Provides a list of user accounts with their last login date and time. |
Account | Account Password Age by Last Scan | Provides a list of asset user accounts grouped by the latest password change date of each, as reported by the last successful scan. |
Account | Database User List | Provides a list of database users with their details. |
Account | User Account List | Provides a list of asset user accounts with their details, filtered by location, status, group membership and more. |
Active Directory Bridge | Access by Server | Shows users with logon access rights by server. |
Active Directory Bridge | Access by User | Shows servers to which this user has been granted logon rights. |
Asset | Asset Delta | Shows asset change rate based on combined software, service, ports, and user accounts. |
Asset | Asset Delta Details | Shows added and removed software, service, ports, and user accounts. |
Asset | Asset Item State | Shows assets missing one or more selected items. |
Asset | Asset Software Delta Trend | Shows the delta trend (added, removed, current) for software installed on assets. |
Asset | Asset Software Details by OS | Shows software installed by operating system. |
Asset | Assets Discovered | Lists discovered assets, grouped by operating system. |
Asset | Custom Attributes | Lists assets along with their custom attributes. |
Asset | Hardening Security Dashboard | Displays an asset hardening compliance dashboard. |
Asset | Operating System Discovered | Lists discovered operating systems with the count of assets. |
Asset | Smart Group Software Details | Provides a list of software installed on assets, grouped by Smart Group. |
Clarity | Event Review - Endpoint Privilege Management | Provides a breakdown of alert triggers for Endpoint Privilege Management events by threat level. |
Clarity | Event Review - Password Safe Release Events | Provides a breakdown of alert triggers for Password Safe Release events by threat level. |
Clarity | Event Review - Privilege Management for Unix & Linux | Provides a breakdown of alert triggers for Privilege Management for Unix & Linux events by threat level. |
Clarity | Top 10 Assets by Total Threat Level | Shows top 10 assets by overall threat level. |
Clarity | Top 10 Users by Threat Level | Shows top 10 users by overall threat level. |
Configuration | Active Users | Provides a list of application users that have logged in to the console in X number of days. This is helpful in determining the active user count for licensing purposes, as well as for general housekeeping to disable accounts not being used. It also provides a total for the number of groups a user belongs to, which has a drillthrough option to see the group names. |
Configuration | BeyondInsight Entitlement by Group | Provides a detailed real-time view of group membership and permissions. |
Configuration | Smart Rule Details | Provides a list of Smart Rules and details by type and category. |
Configuration | User Audits | Shows the activity of BeyondInsight users by action, user name, IP address, and more, including ability to drill down into each row to view specific details. |
Console Reports > Asset | Port Delta | Shows the delta for ports between two date ranges grouped by assets. |
Console Reports > Asset | Service Delta | Shows the delta for services between two date ranges grouped by assets. |
Console Reports > Asset | Software Delta | Shows the delta for software between two date ranges grouped by assets. |
Console Reports > Asset | User Account Delta | Shows the delta for user accounts between two date ranges grouped by assets. |
Console Reports > Asset | Assets | Shows the asset details for the selected host machines. |
Console Reports > Asset | Operating System | Shows the operating systems for the selected host machines. |
Console Reports > Asset | Port | Shows the ports for the selected host machines. |
Console Reports > Asset | Service | Shows the services for the selected host machines. |
Console Reports > Asset | Software | Shows the software for the selected host machines. |
Console Reports > Asset | User Account | Shows the user accounts for the selected host machines. |
Console Reports > Asset | Windows Events | Shows collected Windows events. |
Console Reports > Endpoint Privilege Management | Applications ActiveX Details | Provides a summary of Endpoint Privilege Management ActiveX details. |
Console Reports > Endpoint Privilege Management | Applications By Computer | Provides a summary of Endpoint Privilege Management applications by computer. |
Console Reports > Endpoint Privilege Management | Applications By Hash | Provides a summary of Endpoint Privilege Management applications by hash details. |
Console Reports > Endpoint Privilege Management | Applications By Path | Provides a summary of Endpoint Privilege Management applications by path details. |
Console Reports > Endpoint Privilege Management | Dashboard Report | Displays an Endpoint Privilege Management dashboard. |
Console Reports > Endpoint Privilege Management | File Integrity By Asset | Provides a summary of Endpoint Privilege Management file integrity by asset. |
Console Reports > Endpoint Privilege Management | File Integrity By Rule | Provides a summary of Endpoint Privilege Management file integrity by rule. |
Console Reports > Endpoint Privilege Management | Rule Justification | Provides a summary of Endpoint Privilege Management file integrity by rule justification. |
Console Reports > Endpoint Privilege Management | Shell Rule Executions | Provides a summary of Endpoint Privilege Management shell rule executions. |
Console Reports > Licensing | Password Safe User Licensing | Shows Password Safe logins by month, week, or day for a specified time period. |
Console Reports > Scan | Discovery | Provides details for the list of targets scanned. |
Console Reports > Scan | Network Discovery | Provides details for the list of targets scanned across multiple scans. |
Endpoint Privilege Management | Privileged Rule Impact Dashboard | Displays a dashboard that breaks down the Endpoint Privilege Management shell rule and custom rule applied events. |
Endpoint Privilege Management | Requested Elevation Impact Dashboard | Displays a dashboard that breaks down the Endpoint Privilege Management application requested elevation and ActiveX events. |
Endpoint Privilege Management | UAC Impact Dashboard | Displays a dashboard that breaks down the Endpoint Privilege Management UAC prompt events. |
Endpoint Privilege Management | Agent Heartbeat Check Report | Provides a list of Endpoint Privilege Management agents that have not updated. |
Endpoint Privilege Management | Event Details Report | Provides a list of Endpoint Privilege Management event data listed by occurrence, filterable, and available for export in common formats. |
Endpoint Privilege Management | Event Rollup Report | Provides a list of Endpoint Privilege Management events grouped by occurrence, with user sort and custom filtering options. |
Endpoint Privilege Management | Events by Hour | Provides a weekly breakdown of Endpoint Privilege Management events by hour of the day. |
Endpoint Privilege Management | Events by Month | Shows Endpoint Privilege Management events trending by month. |
Endpoint Privilege Management | Events by User and Rule | Shows Endpoint Privilege Management events by user and rule. |
Endpoint Privilege Management | File Integrity Monitoring by Rule | Provides detailed reporting by asset and rule to determine file system changes. |
Endpoint Privilege Management | Lateral Movement and Suspicious Activity by User | Displays Endpoint Privilege Management activities, by user, common in lateral movement attacks. |
Endpoint Privilege Management | Shell Rule Usage | Shows shell rule events frequency and count by user. |
Licensing | BeyondInsight Product Usage Details by Organization | Provides a list of assets by organization for BeyondInsight license usage details. |
Licensing | Endpoint Privilege Management License Usage Report by User | Provides user event driven Endpoint Privilege Management license usage summary by month. |
Licensing | Endpoint Privilege Management Product Usage Details by Organization | Provides a list of assets by organization for Endpoint Privilege Management license usage details. |
Licensing | Password Safe Product Usage Details by Organization | Provides a list of assets and cloud accounts by organization for Password Safe license usage details. |
Licensing | Usage Summary by Product and Organization | Shows the asset count by product and organization for license usage summary. |
Licensing | Workforce Passwords Usage Summary | Provides a list of users with the ability to access the Workforce Passwords feature. |
Password Safe | Account Password Age by Last Scan | Provides a list of users along with the accounts they have access to. |
Password Safe | Smart Rule Details | Provides a list of Smart Rules and details by type and category. |
Password Safe | Activity | Contains a detailed history of all Password Safe changes made to the appliance by any user. |
Password Safe | Admin Session Activity | Provides a detailed view of Password Safe admin session activities. |
Password Safe | Application Audit | Provides a list of who has administrative access to managed applications, by application name, Smart Group, user group, Password Safe role, username, and managed account. |
Password Safe | Application Inventory | Provides a list of application inventory details. |
Password Safe | Entitlement by Group | Provides a detailed view of Password Safe group membership and permissions. |
Password Safe | Entitlement by User | Provides a list of users along with the accounts they have access to. |
Password Safe | Inactive Managed Accounts | Provides a list of accounts that are inactive or not accessed by a requester in a specified number of days. The default number of days is 30. This can be modified. |
Password Safe | Managed Account Password Age | Lists all accounts managed by Password Safe along with the password age details. |
Password Safe | Managed vs Unmanaged Account Details | Provides a list of asset user accounts and their details, and indicates which are under Password Safe management. |
Password Safe | Password and Session Activity | Provides a detailed transactional view limited to top 50,000 Password Safe password and session activities. |
Password Safe | Password Release Activity | Provides a list of Password Safe password release activity details. |
Password Safe | Password Reset-on-Release Reconciliation | Provides auditable evidence that managed account passwords have been reset appropriately at session end, for any account configured with the Change Password after any release option. |
Password Safe | Password Update Activity | Lists details of Password Safe password update activity, showing which user initiated a manual password change by either UI or API. |
Password Safe | Password Update Schedule V2 | Lists details of upcoming scheduled password updates. |
Password Safe | Remote Session Activity | Provides a detailed view of Password Safe remote session activities. |
Password Safe | Reviewed Sessions | Provides details on when and who reviewed sessions, and provides a filter to show sessions that have not been reviewed. |
Password Safe | Scheduled Password Change Configuration | Provides details of Password Safe upcoming scheduled password changes. |
Password Safe | Service Account Usage | Provides a detailed list of what systems are using a Password Safe service account to start one or more services. |
Password Safe | Smart Rule Overlap | Shows assets or managed accounts that are selected for management in Password Safe by multiple Smart Rules. Overlapping Smart Rules cause an increase in database updates for account settings, which degrades system performance. |
Password Safe | Synchronized Accounts | Provides a list of synchronized accounts. |
Privilege Management UNIX Linux | Dashboard Report | Displays a quick graphic and text overview of the most active Privilege Management for Unix & Linux hosts and users. |
Privilege Management UNIX Linux | Event List | Shows a user-filtered list of Privilege Management for Unix & Linux events. |
Privilege Management UNIX Linux | Events By Hour | Shows a list of Privilege Management for Unix & Linux events by hour. |
Privilege Management UNIX Linux | Events by Status and Timeframe | Shows Privilege Management for Unix & Linux events trending report by month. |
Privilege Management UNIX Linux | Usage Statistics | Shows Privilege Management for Unix & Linux event statistics in graph form: top 10 hosts, commands, users, and accept and reject breakdown. |
Scan | Authentication Summary Alert | Provides a summary of authentication alerts for selected Smart Groups. |
Scan | Authentication Alerts by Smart Group | Shows assets listed for each authentication alert for a selected Smart Group. |
Scan | Scan Job History by Day | Shows job execution history grouped by day. |
Scan | Scan Job History by Month | Shows job execution history grouped by month. |
Scan | Scan Job Metrics | Shows job execution metrics by scan agent. |
Secrets Safe | Secrets Safe Entitlement Report | Provides a list of user groups and the secrets they are entitled to. |
Sudo Manager | Dashboard Report | Displays a Sudo events dashboard showing a quick graphic and text overview of the most active hosts and users. |
Sudo Manager | Event List | Provides a Sudo event list showing a user-filtered list of events. |
Sudo Manager | Events by Hour | Shows Sudo events by hour. |
Sudo Manager | Events by Status and Timeframe | Provides a Sudo events trending report by month. |
Sudo Manager | Usage Statistics | Shows Sudo event statistics in graph form: top 10 hosts, commands, users, accept and reject breakdown. |
Configure Clarity analytics
BeyondInsight Clarity is a behavior analytics tool that examines and classifies events and activities to identify outliers or anomalies. An outlier is an observation which deviates so much from the other observations that it arouses suspicion. Clarity ranks activities and classifies assets according to their deviation from normal activity. The normal activity or baseline is formed from:
- History of past activities
- Risk attributes of an observed activity
Each activity or event has several key characteristics. When an observed characteristic goes beyond normal, an alert is issued. More flagged alerts indicate a higher level of abnormality and a higher threat level. The numeric threat level is the sum of all flagged alerts. In addition, all assets are grouped into clusters by similarity, taking into account all available information including vulnerabilities, attacks, installed applications, services, open ports, running applications, etc.
As a result, the behavior analytics:
- Assigns a threat level to each event from BeyondTrust Discovery Scanner, Endpoint Privilege Management, Privilege Management for Unix & Linux, and Password Safe.
- Assigns cluster ID to all assets.
You can use Clarity to analyze data from the following sources:
- Endpoint Privilege Management
- Privilege Management for Unix & Linux
- BeyondTrust Discovery Scanner
- Password Safe
- Third-party imports
To work with BeyondInsight Clarity, you must configure settings in the BeyondInsight management console.
Configure the analytics calculation
- In the console, click Configuration.
- Under Analytics & Reporting, click Clarity Analytics.
- From the Analytics Calculation section, you can:
  - Enable and disable analytics.
  - Select the hours and minutes for Time to run at.
  - Select the frequency for running analysis.
  - Set the Alert Threshold for flagging explicit alerts. The higher the value, the higher the sensitivity and the fewer flagged alerts. The range is from 0 to 1. The default value is 0.65.
  - Set the Som Probablity Threshold for flagging pattern alerts. The lower the value, the higher the sensitivity and the fewer flagged alerts. The range is from 0 to 1. The default value is 0.05.
  - Enter an email address to send notifications to.
  - Set the notification subject.
- Click Update Analytics Calculation Options.
Set alert trigger weighing
From the Alert Trigger Weighing section, you can configure Clarity to prioritize or weigh specific alerts. If an alert with a higher weight is triggered, the alert appears more prominently in the Clarity analysis. This allows you to quickly see and react to critical alerts.
To configure a weight for an alert, click the minus and plus buttons to modify its numeric value, ranging from 0 to 10. When you are satisfied with your selections, click Update Alert Triggering Weighing Options to finalize.
Configure risk analytics
Using the risk analytics values, you can focus the results data on the highest risk assets.
Enabling Normalize scales all values between 0 and 10. When you choose to normalize the data, the asset at the highest risk is assigned the highest rating. All other assets are rated and organized below the highest risk asset. Normalizing the results provides a way to distribute the assets in a more meaningful way to analyze the data.
Threat and exposure properties affect the calculated risk equally by default. Adjust the weighting of these properties on the risk calculation by using the slider. You can change the results to emphasize risk levels based on exposures or threats. For example, if you move the slider to Exposure, asset exposure risk factors are given greater weighting in the final risk calculation and increase an asset's risk score.
Clarity reports
The following reports are available to run against Clarity data:
- Event Review - Endpoint Privilege Management: Breakdown of alert triggers for events by threat level. Includes relevant event details, and is ordered by threat level from largest to smallest.
- Event Review - Password Safe Release Events: Breakdown of alert triggers for Password Safe release events by threat level.
- Event Review - Privilege Management for Unix & Linux: Breakdown of alert triggers for Privilege Management for Unix & Linux events by threat level. Includes relevant event details, and is ordered by threat level from largest to smallest.
- Top 10 Assets by Total Threat Level: Displays top 10 assets based on overall threat level.
- Top 10 Users by Threat Level: Displays top 10 users based on overall threat level.
Use the Clarity dashboard
The Clarity Dashboard analyzes information stored in BeyondInsight's centralized database, which contains data gathered from across any or all BeyondInsight supported solutions deployed in the customer environment. These include:
- Endpoint Privilege Management
- Privilege Management for Unix & Linux
- BeyondTrust Discovery Scanner
Triggers
The Triggers list displays the total number of events which are affected by each trigger. The following triggers identify assets that are at risk.
Trigger | Description |
---|---|
Untrusted User | Triggers when potentially untrusted users log into Administrator or local accounts. Can be triggered by events in the following products: |
First Password Request | |
Outlier | Triggers when an event is determined to be an outlier based on Clarity analysis. Can be triggered by events in the following products: |
Unusual Password Release Request | |
Concurrent Password Release Request | |
Untrusted Application | |
First Application Launch | Triggers when an application is launched for the first time. Can be triggered by events in the following products: |
If a trigger has events, you can click the trigger to view the risk events that make up the count.
Risk events by threat level
Drill into the risk events to learn more about the event, such as the trigger, type of event, or severity. Use the Tab key to navigate through the areas on the page and to view the metrics on the bubbles.
View cluster maps
Note
This feature is deprecated for new installations of BeyondInsight 22.1 and future releases. Cluster Maps and Cluster Analysis are available only for BeyondInsight releases prior to 22.1 and if upgrading to 22.1 from previous releases.
A cluster map is a visual representation of the following cluster types.
- Asset Cluster: Larger clusters indicate more assets sharing similar traits within an organization. Smaller clusters indicate a potential anomaly. Cluster groups include:
  - Launched applications
  - Vulnerabilities
  - Attacks
- User Cluster: Represents Password Safe users that share similar characteristics in an organization.
Cluster map numbering
A cluster map number is randomly generated and does not have any meaning in the context of the actual data. However, the closer the cluster map numbers, the more similar the attributes of the assets to each other.
For example, assets assigned to cluster 14 and cluster 16 would have similar qualities. However, assets assigned to cluster 14 and cluster 68 would have fewer qualities in common.
The cluster map numbers can change at any time, but this does not reflect on the assets or any potential anomalies that might exist.
Cluster shading
Asset
Shading is based on the Asset Risk, Attacks, Vulnerability app value. The Cluster Map uses the highest of the three, and the gradient is based on a range from 0.0 to 1.0.
User
Shading is based on the User Risk attribute for Password Safe users.
Asset cluster attributes
There are eight cluster attributes organized in the following categories:
- Ordering attributes: Attributes are ordered from low to high.
- Pattern attributes: A pattern value maps a set of characteristics to a single value (in the range 0 – 1). The difference in pattern values shows similarities between different sets of the same type characteristics.
Attribute | Type | Description |
---|---|---|
Attacks | Ordering | Number of detected attacks. Greater value means more detected attacks. |
Vulnerable Apps | Ordering | Number of launches of vulnerable applications. Greater value means more started/running vulnerable applications. |
Risk | Ordering | Asset risk. Greater value means greater risk. |
App Set | Ordering | Running and/or elevated (depends on Privilege Management for Windows Servers) applications. |
Vulnerabilities Set | Pattern | Discovered vulnerabilities. |
Service Set | Pattern | Services |
Software Set | Pattern | Installed software packages. |
Port Set | Pattern | Opened ports. |
User cluster attributes
Attribute | Type | Description |
---|---|---|
SharedSysAssetRisk | Ordering | Number of blocked commands in a Password Safe session, corresponds to block, block+lock, lock, and terminate command triggers. |
SharedSysDenied | Ordering | Number of denied session requests. |
SharedUsrRisk | Ordering | Maximum risk on an access policy associated with the user. |
SharedSysSet | Pattern | Machines a user can access. |
SharedSysVulnSet | Pattern | Vulnerabilities for machines a user can access. |
SharedSysSrvSet | Pattern | Services for machines a user can access. |
SharedSysSoftSet | Pattern | Software installed for machines a user can access. |
SharedSysPortSet | Pattern | Ports for machines a user can access. |
Analyze cluster maps
You must configure settings in BeyondInsight before any data is collected.
The following procedure shows examples from asset clusters. The procedure and analysis are similar for user clusters.
- From the menu, select Cluster Analysis. By default, the Cluster Map tab is selected.
- Select one of the following tabs to analyze cluster map data:
  - Asset Counts: Clusters the assets with similar characteristics. The smaller the cluster tile, the more likely there is an outlier.
  - Cluster Risk: Clusters the assets based on the common risk characteristics. The larger tiles in the cluster map have the greater risk.
  - Attacks: Clusters assets based on the common attack properties. The larger tiles indicate a greater attack level. Drill down to learn more about the assets and the attack data.
  - Vulnerable Apps: Clusters the assets by the similar installed vulnerable applications. The larger tiles indicate a greater threat as a result of installed vulnerable applications on the assets.
- Hover over the tile to display a summary of the event data.
- Double-click a cluster to view more detail, and click the tabs to view more information.
Analyze cluster grids
Some key tips to keep in mind when analyzing threat conditions in your Clarity results data:
- Sort clusters by ordering attributes, such as Vulnerable Apps, Attacks, or Risk.
- Potential outliers could be clusters with a small number of members and greater ordering attributes.
- For outliers, review the pattern attributes to identify if the outliers have a unique or a different set of running applications, vulnerabilities, services, software, or ports.
To view the cluster grid, follow the steps.
- From the menu, select Cluster Analysis.
- Click the Grid View icon.
- To review asset details for a cluster, double-click the row.
Alerts in BeyondInsight Clarity analytics
There are two types of alerts:
- Pattern: Determined by correlation of all characteristics of an event.
- Explicit: Determined by selected specific characteristics.
Alert | Type | Description |
---|---|---|
a1 | pattern | Maps all characteristics of an event into a single internal cluster using self-organizing maps clustering. Similar event characteristics lead to the same cluster. Thus, clusters with a high share of mapped events represent typical behavior, while clusters with a small number of events indicate outliers. Each user, host, or asset's characteristics are tracked independently with independent sets of clusters. Clusters are hidden and are used only for analysis. They do not behave the same as asset clusters. Used characteristics: |
a2 | explicit | Untrusted Application. Default value: 0.33 |
a5 | explicit | Event Timing. Event time within working hours and weekday. Default value: 0.33 |
a6 | explicit | Untrusted User. Default value: 0.33 |
a7 | explicit | First App Launch. The alert is flagged when a user launches an application they have never launched before. |
a8 | explicit | First request for given managed account and system (Password Safe). The alert is flagged when a user requests a password for an account and system they have never requested before. |
a9 | explicit | Unusual password releases (Password Safe). The alert is flagged when a user does not retrieve the password for an approved request or the password is retrieved more than once. |
a10 | explicit | Concurrent password requests (Password Safe). The alert is flagged when a user tries to acquire more than one password at a time. |
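The Password Safe explicit alerts a8, a9, and a10 from the table above, with the threat level taken as the count of flagged alerts as this page defines it, shown as an added Python illustration that is not BeyondInsight code. The record fields, function names, and sample requests are constructed; treating a10 as "a request that starts while an earlier release window of the same user is still open" is an assumption about what "at a time" means.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ReleaseRequest:          # hypothetical record shape, not a product schema
    request_id: str
    user: str
    account: str
    system: str
    start: datetime            # start of the requested release window
    minutes: int               # length of the release window
    approved: bool
    retrievals: int            # times the password was actually retrieved

    @property
    def end(self) -> datetime:
        return self.start + timedelta(minutes=self.minutes)


def flag_alerts(requests, baseline):
    """Return {request_id: [alert ids]} for explicit alerts a8, a9, a10.

    baseline holds (user, account, system) tuples already seen in history,
    so a cold start does not flag every request as a first request.
    """
    seen = set(baseline)
    earlier_ends = defaultdict(list)   # user -> end times of earlier windows
    flags = {}
    for r in sorted(requests, key=lambda x: x.start):
        hit = []
        key = (r.user, r.account, r.system)
        if key not in seen:                          # a8: first request
            hit.append("a8")
            seen.add(key)
        if r.approved and r.retrievals != 1:         # a9: never or repeatedly retrieved
            hit.append("a9")
        if any(end > r.start for end in earlier_ends[r.user]):
            hit.append("a10")                        # a10: overlaps an open window
        earlier_ends[r.user].append(r.end)
        flags[r.request_id] = hit
    return flags


def threat_level(alerts):
    # The page defines the numeric threat level as the sum of flagged alerts.
    return len(alerts)


def users_by_threat(requests, flags):
    """Total threat level per user, highest first (ties broken by name)."""
    totals = defaultdict(int)
    for r in requests:
        totals[r.user] += threat_level(flags[r.request_id])
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data.
BASELINE = {("alice", "svc-backup", "db01"), ("bob", "root", "web01")}
DAY = datetime(2024, 3, 4)
SAMPLE = [
    ReleaseRequest("R1", "alice", "svc-backup", "db01", DAY.replace(hour=9), 60, True, 1),
    ReleaseRequest("R2", "bob", "root", "web01", DAY.replace(hour=9, minute=30), 60, True, 0),
    ReleaseRequest("R3", "bob", "administrator", "dc01", DAY.replace(hour=10), 30, True, 3),
    ReleaseRequest("R4", "alice", "svc-backup", "db01", DAY.replace(hour=11), 30, False, 0),
    ReleaseRequest("R5", "carol", "root", "web01", DAY.replace(hour=12), 30, True, 1),
]

if __name__ == "__main__":
    flags = flag_alerts(SAMPLE, BASELINE)
    for rid, alerts in flags.items():
        print(rid, alerts, "threat level", threat_level(alerts))
    print(users_by_threat(SAMPLE, flags))
```

R3 collects all three alerts because it is a new account and system for bob, the password is retrieved three times, and it starts while R2 is still open; R4 is not approved, so a9 does not apply to it.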
Run reports in BeyondInsight
Using Edge, Firefox, or Chrome browsers, you can view all reports from the Analytics & Reporting page in BeyondInsight. Set your browser's pop-up blocker to allow pop-ups from your BeyondInsight management console.
To run a report in BeyondInsight, take the following steps:
Note
A drill-through action that opens a new report is limited to 10,000 rows of data by design.
- From the left menu, click Menu > Analytics & Reporting.
- From the All Reports pane, expand the report folders to locate your desired report, or search for a report using title or description keywords.
- Click the report to open it.
- From the Configure Report pane, select report parameters, and then click View Report.
Note
While viewing the report, you can save it as a view, add a subscription to it, and download it to a file by clicking the buttons at the top of the report.
Note
Saved Views and Snapshots are available only in BeyondInsight on-premises deployments.
Save a report view in BeyondInsight on-premises
For reports you generate frequently using the same parameters, in a BeyondInsight on-premises deployment, you can save time by creating a saved view. A saved view loads the report automatically using saved parameters. Create a saved view as follows:
- Select a report to open it.
- Select the report parameters.
- Click the Save View button at the top of the report.
- Enter a name and description for the report view, select an Organization from the list, and then click Save Report View. The name must be unique.
- You can now access the saved view from the Configure Report > Saved Views pane, or from the All Reports > Saved Report Views folder.
Save a report snapshot in BeyondInsight on-premises
When generating a report from a saved view, you can save the report data in a snapshot. A snapshot is a capture of the saved report and results as they were at the time the snapshot was created. Time and date information is displayed with the snapshot.
- Open a saved report view.
- Once the report displays, click the Save Snapshot button (camera icon) at the top of the report.
- You can view snapshots from the Saved View > Snapshots panel.
Manage report subscriptions in BeyondInsight
In addition to running reports on demand, you can set up a subscription to reports. For BeyondInsight on-premises deployments, subscribing to reports allows you to set a schedule to automatically run the report and have it delivered through email or saved to a shared folder.
Create a report subscription using BeyondInsight on-premises
Subscribe to a report while viewing a report or a saved report view, as follows:
- From the left menu, click Menu > Analytics & Reporting.
- From the All Reports pane, expand the report folders to locate your desired report or saved report view, or search for a report using title or description keywords.
- Click the report to open it.
- Once the report displays, click the Subscribe to Report button (envelope icon) above the report.
- Select a delivery method: Deliver the report through email or Deliver the report to a shared folder, and set the following parameters:
  - For email delivery:
    - Enter the email addresses for where to send the report.
    - Provide a subject line for the email.
    - Select the type of file for the report.
  - For delivery to a shared folder:
    - Provide the file name for the subscription.
    - Enter the UNC path to the share.
    - Select the file format for the report.
    - Select your desired option for overwriting the file.
    - Enter credentials to access the share.
    - Click Test Access to verify that files can be copied to the UNC share with the given settings.
Note
The email option is not available if SMTP is not configured in the Reporting Services Configuration Manager.
- Click Next.
- Select a delivery schedule frequency from the list, depending on whether you want the report generated once or on a recurring schedule.
- If you selected a One Time schedule type, specify a start date and time for the report.
- If you selected a Recurring schedule type:
- Optionally specify an end date.
- Specify a start date and time for the report.
- Select Daily, Weekly, or Monthly for the frequency.
- Set the cadence for the selected frequency.
- Click Finish.
- The subscription is listed on the New tab of the Subscriptions pane.
Note
If you choose to deliver the report output to a network share and the SSRS host server resides outside the domain, you must install a reporting services delivery extension file.
- Install the following MSI file on the server hosting the SSRS server:
C:\Program Files (x86)\eEye Digital Security\Retina CS\Support\BeyondInsight-ReportingServicesExtensionsSetup.msi
- Configure Analytics & Reporting with the SSRS server that is hosted on a server that is not a member of the domain.
- Create a subscription that writes to a domain network share using domain credentials. The subscription is saved to the network share.
Manage report subscriptions
For both BeyondInsight on-premises and cloud deployments, you can view, edit, and delete subscriptions from the Subscriptions pane on the Analytics & Reporting homepage and also from the Subscriptions pane while viewing the report where the subscription was created.
For BeyondInsight on-premises only, you can manage your report subscriptions using the following two additional methods:
- From the Subscriptions pane while viewing a Saved View for a report where the subscription was created.
- From Configuration > Analytics & Reporting > Configuration.
Note
Only subscription owners and administrators can edit and delete subscriptions.
Manage subscriptions directly from the Analytics & Reporting page
Manage report subscriptions directly from the Analytics & Reporting homepage, or from a specific report or saved report view (on-premises only), as follows:
- From the left menu in BeyondInsight, click Menu > Analytics & Reporting.
- All subscriptions for all reports are listed on the Subscriptions pane and you can manage them directly from there.
- Alternatively, select a report from the folders or a saved view from the Saved Report Views (on-premises only) under All Reports, and then click Subscriptions from the left pane.
- All subscriptions for the specific report or saved view are listed in the Subscriptions pane and you can manage them from there.
- Whether viewing subscriptions directly from the Analytics & Reporting page, or from a report or saved view, the Subscriptions pane defaults to the All filter. To find a subscription quickly:
- Click Failed or New to filter the subscriptions.
- Search for a specific subscription by typing keywords in the Search box.
- Sort the list of subscriptions using the Sort By dropdown.
- To view details for a subscription:
- Click the vertical ellipsis for the subscription.
- Select View Subscription Status.
- A window displays showing the owner of the subscription, the delivery type, the email recipient if applicable, the date the subscription was last modified, and the date it was last executed.
- To edit a subscription:
- Click the vertical ellipsis for the subscription.
- Select Edit Options. The same wizard used to create a subscription displays.
- Change the settings as needed, and then click Finish to complete the wizard.
- To delete a subscription:
- Click the vertical ellipsis for the subscription.
- Select Delete.
- Click Delete on the confirmation message.
Manage subscriptions from the Analytics & Reporting Configuration page (BeyondInsight on-premises only)
- From the BeyondInsight home page, click Configuration.
- Under Analytics & Reporting, click Configuration.
- Enter the administrative username and password to log in to the Analytics & Reporting Configuration pages.
- Click Report Subscriptions.
- To edit a subscription:
- Click the report name or saved report view to expand its subscriptions.
- On the subscription, click the Edit button. The same wizard used to create a subscription displays.
- Change the settings as needed, and then click Save Changes.
- To delete a subscription, click the Delete button for the subscription.
Override the owner of a subscription
If the creator of the subscription no longer has a BeyondInsight account, administrators can override a subscription owner, as follows:
- Edit the subscription for which you wish to take ownership.
- An Override check box displays on the first page of the subscription wizard if the administrator is not currently the owner. Check this box to set your user account as the owner of the subscription.
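The review of subscription details and owners described above can be run as an audit pass. This is an added example, not part of the BeyondInsight documentation or product: the record fields mirror what the View Subscription Status window shows, and the `Subscription` class, the active-user set, the allowed mail domain, and all sample records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumptions for this example: accounts that still exist in BeyondInsight and
# mail domains that are allowed to receive report output.
ACTIVE_USERS = {"alice", "bob"}
ALLOWED_MAIL_DOMAINS = {"example.com"}

@dataclass
class Subscription:
    """Hypothetical record; fields mirror the View Subscription Status window."""
    name: str
    owner: str
    delivery_type: str                 # "email" or "share"
    recipients: Tuple[str, ...] = ()   # used for email delivery
    unc_path: Optional[str] = None     # used for shared-folder delivery
    failed: bool = False               # listed under the Failed filter

def unc_share(path: str) -> Optional[str]:
    r"""Return the share component of \\server\share[\folder], or None if malformed."""
    if not path.startswith("\\\\"):
        return None
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return parts[1]

def audit(subs):
    """Return (subscription name, finding) pairs that need a reviewer's attention."""
    findings = []
    for s in subs:
        if s.owner.lower() not in ACTIVE_USERS:
            findings.append((s.name, f"owner '{s.owner}' has no active account; override ownership or delete"))
        if s.failed:
            findings.append((s.name, "last delivery failed"))
        if s.delivery_type == "email":
            for addr in s.recipients:
                domain = addr.rpartition("@")[2].lower()
                if domain not in ALLOWED_MAIL_DOMAINS:
                    findings.append((s.name, f"recipient outside allowed domains: {addr}"))
        elif s.delivery_type == "share":
            share = unc_share(s.unc_path or "")
            if share is None:
                findings.append((s.name, f"malformed UNC path: {s.unc_path!r}"))
            elif not share.endswith("$"):
                findings.append((s.name, f"share '{share}' is visible when browsing the server"))
    return findings

# Constructed sample subscriptions (not real data).
SAMPLE = [
    Subscription("Password Age weekly", "alice", "email", ("secops@example.com",)),
    Subscription("Entitlements monthly", "carol", "email", ("carol@personal.example.net",)),
    Subscription("Session Activity daily", "bob", "share", unc_path=r"\\fs01\PamReports\daily"),
    Subscription("Asset Inventory", "bob", "share", unc_path=r"\\fs01\Reports$\assets", failed=True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```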
Work with pivot grids in an on-premises BeyondInsight deployment
Using pivot grids, you can interact with multidimensional data from the BeyondInsight cube and can create custom views of the data. Pivot grids use standard analytical cube features:
- Measures: Provide the calculated data values that you want to view.
- Dimensions: Provide the filters, groups, and labels for the view.
Note
Pivot grids are available only for BeyondInsight and Password Safe on-premises deployments.
Create a pivot grid
Using the measures and dimensions provided in the BeyondInsight Analytics & Reporting Pivot Grid feature, you can build comprehensive pivot grid views to analyze your data, as detailed below.
- From the left menu, navigate to Menu > Analytics & Reporting > Pivot Grid.
- From the Configure panel, under Filters, select a View, a Cube, and Measures. You can perform a keyword search to find measures and attributes that contain specific words.
- Drag and drop measures and dimensions on indicated drop zones: Measure Fields, Column Fields, and Row Fields.
- Drag and drop multiple dimensions to enable more options that you can drill down through.
- The available information populates the grid once the fields are selected. Click the Collapse All button in the toolbar above the grid to hide all available data. Click All in the column or row to expand the data.
- To completely clear the pivot grid and start over, click Clear Pivot Grid in the toolbar.
- To pivot your data in the grid, click Pivot in the toolbar. This converts the rows to columns and the columns to rows.
Save pivot grid views
Once you have created a pivot grid, you can save the selected filters, measures, and dimensions as a view for later use.
- In the pivot grid toolbar, click Save, and then select Save as View.
- Enter a Name and Description.
- Select the appropriate group for Allowed Access.
- Choose whether other BeyondInsight users can see the saved pivot grid.
- Click Save As View.
- Your saved view is now listed under Saved Views in the left panel. You can also search to find views that contain the keyword.
- To view the most current information for that pivot grid, click the vertical ellipsis for the saved view, and then click Display. The data is retrieved from the cube each time you display the saved view.
- To delete the saved view:
- Click the vertical ellipsis button for the saved view, and then click Delete.
- Click Delete on the confirmation message.
Note
You can collapse and expand the Filters section of the Configure panel using the arrow toggle. Each time you open a saved view, the Filters section is either closed or open, depending on its state when it was saved.
Save data to a file
You can save the pivot grid data in JSON format and reload the data at a later time.
- In the toolbar, click Save, and then select Save as JSON.
- The file automatically saves to the default download location.
Import the JSON file
- In the toolbar, click Import.
- Locate the JSON file from the download location and drag the file into the drop box. Alternatively, click within the drop box to open a file browser to navigate to the JSON file to upload it.
- Click Apply to Pivot Grid.
Display data as a chart
Once you have created a pivot grid, you can display the data as a chart.
- To display the data as a chart, click Display Charts in the toolbar, and then select a chart type from the menu. The following chart types are available:
- Area
- Category
- Line
- Spline
- Spline Area
- Step Area
- Step Line
- Waterfall
- The chart displays showing data that is currently expanded in the pivot grid.
- Chart series data can be enabled or disabled by clicking the corresponding data in the legend above the chart.
Note
If you save a pivot grid as a view while a chart is displayed, the chart is displayed each time the saved view is loaded.
- Click Save above the chart, and then select either Save Chart as PDF, Save Chart as PNG, or Save Chart as SVG.
- The file automatically saves to the default download location.
Create a custom report
Once you have created a pivot grid, you can save your selected filter, measure, and dimension fields to a custom report that you can then execute, subscribe to, or save as snapshots, just as you can with BeyondInsight built-in reports. Custom reports are saved under the Custom folder on the All Reports page.
Note
If you make changes to the pivot grid layout, any saved custom reports will not update automatically.
Click the custom report in the navigation tree to run it or create subscriptions and snapshots.
Once you have created a pivot grid, you can create a report based on the fields selected in the grid.
- In the pivot grid toolbar, click Save > Save as Report.
- Enter a name and description for the report. A name must be unique for the selected category.
- To attach or change the chart type, select one from the Include Chart dropdown.
- Select the appropriate group for Allowed Access.
- Optionally, select a Category. Categories are used to organize reports into folders.
- Click Publish as Report.
Example measures in the Asset cube
You can use the following table as a guide for commonly used measures in the Asset cube.
To filter on… | Select this measure… |
---|---|
Inventory (rolling count) of discovered assets | Measures > Asset Discovery - Snapshot |
Inventory (rolling count) of open ports on assets. Can be used to find which ports are open on which machines | Measures > Asset Port - Snapshot |
Inventory (rolling count) of services on assets | Measures > Asset Service - Snapshot |
Inventory (rolling count) of shares on assets | Measures > Asset Share - Snapshot |
Inventory (rolling count) of software on assets | Measures > Asset Software - Snapshot |
Inventory (rolling count) of local user accounts on assets | Measures > Asset User Account - Snapshot |
Sample Usage Scenarios
To see the count of assets:
- In Measure Fields, place Measures > Asset Discovery - Snapshot.
- In Row Fields, place Dimensions > Asset > Asset.Asset.
To see the count of user accounts on an asset:
- In Measure Fields, place Measures > Asset User Account - Snapshot.
- In Row Fields, place Dimensions > Asset User Account.
- In Column Fields, place Dimensions > Asset.Asset.
Configure BeyondInsight Analytics & Reporting in an on-premises deployment
For on-premises deployments of BeyondInsight, you can configure analysis, integration and reporting services, as well as manage agent jobs, report subscriptions and styling, and threshold ranges.
Configure report styles
You can customize the colors of the report, including chart colors, header and description components, and horizontal bar components. You can change the default image to your corporate logo, with a file type of PNG, JPEG, or BMP. The default size is 975x146 pixels.
- In the console, navigate to Configuration > Analytics & Reporting > Configuration.
- Enter administrative credentials.
- Click Report Styling.
- To change the report banner logo, drop an image file onto the box in the Report Logo section. You can also click inside the box to browse to the image.
- To change Report Colors or Chart Colors, click the square you want to change, select the new color, and then click the square again.
- You can click Discard Changes to reverse the most recent change.
- Once satisfied with the color and logo changes, click Save All Styling.
- To reset all changes to the default, click Restore to Default, then click Reset.
Manage SQL server agent jobs
BeyondInsight uses a SQL Server agent job to retrieve data from sources and process the data into the analysis cube.
- In the console, navigate to Configuration > Analytics & Reporting > Configuration.
- Enter administrative credentials.
- Click SQL Server Agent Jobs.
- Select a job type from the left navigation: Process Daily, Process Full, or Process Full (OLAP only).
Note
During normal operation, you do not need to manually start the Process Daily job. The job is designed to run automatically each day during off-peak hours. However, the job can be started from SQL Agent Jobs > Analytics & Reporting.
Note
For SQL Analysis Services, the Server mode must be set to Multidimensional. Please refer to Microsoft documentation on how to set or change the SSAS mode.
Important
Running a Process Full job erases all historical data and refreshes the Analytics & Reporting database with only active data from the management console. This job should not be run under normal circumstances.
- Review the status showing the result of the last run. Expand a job to show the job history and diagnose issues that may prevent the job from running.
- Click Download logs to save diagnostic information and job history details in a zip file.
- Click Refresh to update the view.
Configure Clarity analytics
To work with BeyondInsight Clarity, you must configure settings in the BeyondInsight management console.
Configure the analytics calculation
- In the console, click Configuration.
- Under Analytics & Reporting, click Clarity Analytics.
- From the Analytics Calculation section, you can:
- Enable and disable analytics.
- Select the hours and minutes for Time to run at.
- Select the frequency for running analysis.
- Set the Alert Threshold for flagging explicit alerts. The higher the value, the higher the sensitivity and the fewer flagged alerts. The range is from 0 to 1. The default value is 0.65.
- Set the Som Probability Threshold for flagging pattern alerts. The lower the value, the higher the sensitivity and the fewer flagged alerts. The range is from 0 to 1. The default value is 0.05.
- Enter an email address to send notifications to.
- Set the notification subject.
- Click Update Analytics Calculation Options.
Set alert trigger weighing
From the Alert Trigger Weighing section, you can configure Clarity to prioritize or weigh specific alerts. If an alert with a higher weight is triggered, the alert appears more prominently in the Clarity analysis. This allows you to quickly see and react to critical alerts.
To configure a weight for an alert, click the minus and plus buttons to modify its numeric value, ranging from 0 to 10. When you are satisfied with your selections, click Update Alert Triggering Weighing Options to finalize.
Configure risk analytics
Using the risk analytics values, you can focus the results data on the highest risk assets.
Enabling Normalize scales all values between 0 and 10. When you choose to normalize the data, the asset at the highest risk is assigned the highest rating. All other assets are rated and organized below the highest risk asset. Normalizing the results provides a way to distribute the assets in a more meaningful way to analyze the data.
Threat and exposure properties affect the calculated risk equally by default. Adjust the weighting of these properties on the risk calculation by using the slider. You can change the results to emphasize risk levels based on exposures or threats. For example, if you move the slider to Exposure, asset exposure risk factors are given greater weighting in the final risk calculation and increase an asset's risk score.
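A worked illustration of the weighting slider and the Normalize option follows. It is an added example, not BeyondInsight's documented calculation: the weighted sum, the scaling against the highest-scoring asset, the `risk_ratings` function, and the asset values are all assumptions constructed for illustration.

```python
def risk_ratings(assets, exposure_weight=0.5, normalize=True):
    """Rank assets by a weighted threat/exposure score.

    assets: {name: (threat, exposure)}, constructed inputs on a common scale.
    exposure_weight: slider position, 0.0 = Threat end, 1.0 = Exposure end,
        0.5 = both properties count equally (the default the page describes).
    normalize: rescale so the highest-risk asset is rated 10.

    The weighted sum and the max-scaling are assumptions made for this example.
    """
    if not 0.0 <= exposure_weight <= 1.0:
        raise ValueError("exposure_weight must be between 0 and 1")
    raw = {
        name: (1.0 - exposure_weight) * threat + exposure_weight * exposure
        for name, (threat, exposure) in assets.items()
    }
    if normalize and raw:
        top = max(raw.values())
        raw = {name: (10.0 * v / top if top > 0 else 0.0) for name, v in raw.items()}
    ranked = ((name, round(value, 2)) for name, value in raw.items())
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample assets: (threat, exposure)
ASSETS = {
    "web01": (8.0, 2.0),
    "db01": (3.0, 6.0),
    "hr-laptop": (2.0, 2.0),
}

if __name__ == "__main__":
    print("equal weighting:   ", risk_ratings(ASSETS))
    print("slider to Exposure:", risk_ratings(ASSETS, exposure_weight=0.75))
    print("not normalized:    ", risk_ratings(ASSETS, normalize=False))
    # Same data with the top asset removed: the remaining ratings shift
    # because, in this model, a normalized rating is relative to the maximum.
    remaining = {k: v for k, v in ASSETS.items() if k != "web01"}
    print("web01 removed:     ", risk_ratings(remaining))
```

In this model a normalized rating is relative to the highest-risk asset in the data set, so compare ratings within one run rather than across runs.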
Connect Excel to the SQL Analysis Cube in an on-premises BeyondInsight deployment
For on-premises deployments of BeyondInsight, you can connect Microsoft Excel to your BeyondInsight SQL Analysis Services cube to create custom data views, build custom reports, use Excel filtering and graphing features, and use formulas to calculate custom metrics.
On the server hosting the SQL Analysis Services cube, configure the following:
- Create a local user account with the same username and password as the user's domain account.
- Start SQL Management Studio, and connect to Analysis Services.
- Right-click the server name in the tree and select Properties.
- Click the Security tab.
- Add the new local user created in the first step.
On the computer where Excel is installed, configure the following:
- Start Excel.
- Select the Data tab.
- Select Get Data > From Other Sources > From Analysis Services.
- Enter the server name or IP address, making sure Use Windows Authentication is selected.
- Select the Vulnerabilities cube.
- Keep the default values for the remaining pages of the wizard, and then click Finish.
- On the Import Data dialog, select to create a pivot table or a pivot chart and pivot table.
- Click OK.
- From the Show fields related to list, select Asset Vulnerability.
You can now build reports in Excel based on asset and vulnerability data.
Integrate BeyondInsight and Microsoft SharePoint in an on-premises deployment
Using BeyondInsight subscriptions, you can directly integrate into SharePoint either by emailing reports to a SharePoint SMTP mail daemon or by publishing the reports to a Universal Naming Convention (UNC) share for directory-based and file-based publishing.
Begin by creating a new subscription or editing an existing subscription. Continue by choosing an email integration or a UNC share integration.
Email integration to SharePoint
You can enable the receipt of SMTP email through SharePoint and set the appropriate permissions to receive EML content. To avoid internal spam and misuse, use only security settings that permit postings from BeyondInsight or other security tools.
- For the subscription delivery method, select Deliver the report through email, and click Next.
- Provide the SharePoint email address, subject line for the email, and select the type of file for the report.
- Click Next.
- Select the delivery schedule type and frequency, and click Finish.
- The subscription generates a new report and emails it to SharePoint for publication.
UNC share integration to SharePoint
By default, you can access SharePoint document libraries through a UNC share, assuming the system is properly set up. An important consideration for shares is their visibility. For an additional layer of security, you may want to hide a share by suffixing the share name with a $. A hidden share is only omitted from browse lists; access to it is still controlled by the permissions set on the share and its contents.
- For the subscription delivery method, select Deliver the report to a shared folder, and click Next.
- Provide the file name for the subscription, enter the UNC path to the share, select the file format for the report, select a file overwrite option, and enter credentials to access the share.
- Click Test Access to verify that files can be copied to the UNC share with the given settings.
- Click Next.
- Select the delivery schedule type and frequency, and click Finish.
- The subscription automatically writes the report to SharePoint for publication.