Getting Started
- System Requirements
- Installation
- Registration
- Version Support Policy
- Assign Service Logon As Credentials
Agent-Based Management
Data Providers
- Data Provider Properties
- SQLite Properties
- MySQL Properties
- Microsoft SQL Server Properties
- File System Properties
Directory Services
Event Log Archiving for JSIG and CMMC Compliance
Auditing
- Audit Work Items
- Self-Auditing
- Group Policy Auditing
Hosts
- Adding Hosts
- Host Properties
- Batch Update Hosts
- Agent Properties
- Logon As Properties
- SFTP Properties
- FTP/S Properties
- SNMP Device Connection Properties
- WMI
- Contact
- Exclusions
- Inventory
- Docker
- Host Assignments
Templates
- Template Properties
- Batch Update Templates
- Assign Templates
- Log Management Templates
- SCAP Compliance Monitor
- File and Directory Monitor Templates
- Windows Monitor Templates
- Windows Management Instrumentation (WMI) Templates
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Windows Accounts Templates
Monitors
- Monitor Hierarchy
- Temporarily Suppress Monitors Actions
Reports
- Report Properties
- Artificial Intelligence Reports
  - AI Anomaly Detection Report
    - AI Anomaly Detection Report (Template Triggers)
- Security Reports
- Generic Log Reports
- SIEM Report
- SIEM Chart Report
- Azure Active Directory Audit Log Report
- Event Log Report
- SNMP Trap Report
- Syslog Report
- Databse Log Report
- Event Log Summary Report
File and Permission Reports
- File and Directory Access Permissions Report
- Duplicate Files Report
- File Activity Report
- Largest Files Report
- Sorted Files Report
Summary Reports
- Host Inventory Report
- Summary Report
- Collection Report
- Hash Check Reports
Auto-Configurators
Filters
- Simple Filters
- Complex Filters
Actions
- Database Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- PowerShell Actions
- Report Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template Actions
- IIS IP Address Restriction Actions
- Action Variables
Schedules
- Fixed Schedules
- Range Schedules
- Real-Time Schedules
Environment Variables
Options
- Email Settings
- Security Settings
- Syslog Server Settings
- SNMP Trap Server Settings
- Log Viewer Settings
- Web Proxy Settings
- Miscellaneous Settings
Account Lockout Monitoring and Reporting
Merging Logs
SNMP
- SNMP Browser
SSH Shell
Syslog
Exporting and Importing Configuration Objects
Shared Views
- Active Directory User and Group Filters
- Assign Actions
- Assign Azure Audit Logs
- Assign Consolidated Logs
- Assign Directories
- Assign Disks
- Assign Event Logs
- Assign Files
- Assign Services
- Assign Shares
- Auto-Config Host Assignment Properties
- Define CSV and W3C Log Entry Columns
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Executable Status
- Executable Timeline
- Explicitly Assigned Logs
- File Explorer
- General Executable Properties
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Target Files and Sub-Directories
Command Line Interface
Server Configuration
Agent Configuration
Troubleshooting
- Arithmetic Overflow
- Access Denied
- MySQL: Fatal error encountered during command execution
- Invalid Class
- No Such Interface Supported
- Quota Violation
- The File Exists Errors
- The Interface is Unknown
- The RPC Server is Unavailable
- NetBIOS Errors
Terminology

SIEM Reports

A SIEM Report queiries centralized log databases for specific log entries generated from various log types on multiple servers, workstations and network devices, applies log entry filters, applies display options, such as the column order, group by and sort by rules, then lastly, displays, saves or emails the output results.

This report is typically used by network administrators that want to analyze and correlate Security Event Logs and data from various sources within their organization's network infrastructure, such as firewalls, intrusion detection systems, and servers.

Note

To quickly view logs of the same type, see: Merging Logs.

SIEM Reports optionally use Regular Expressions to parse log entries, extract values, validate subject and target accounts in Active Directory (when applicable), then, finally, filter entries using each assigned log type's native filters.

How to create a SIEM Report

From the Menu Bar select File | New. The Create New Object View displays.
From the Create New Object View, expand Reports.
Expand Report | Log Consolidation Reports then select SIEM Report. The Properties View displays.

Note

Unlicensed report types appear in gray text. If you would like to create a report that is not currently licensed, please contact Corner Bowl Software to upgrade your license.

The Properties View contains 6 configuration tabs.
- General
- Explicitly Assigned Logs

Sample Windows Security Log and Linux Audit Log Assignment

- Columns

Sample Windows/Linux Success Logon Report Column Definitions

Note

If you apply regular expressions column definitions in your corresponding log consolidation templates, and the column keys are identical between log types, you do not need to re-apply the regular expressions to the report.

- Options
- Date/Time Range
- Actions

The Options Tab

Use the Filters drop-down to select all of the filters you would like to apply to the report.

Important

Filters are only applied to corresponding log entries types. For example, when you have assigned both an Event Log and a Text Log to the report, Event Log Filters are only applied to Event Log Entries while Text Log Filters are only applied to Text Log Entries.

Sample Regular Expression Driven Success Login Filter Properties View

Sample Regular Expression Driven Windows Success Login Filter Properties View

Sample Regular Expression Driven Red Hat Linux Success Login Filter Properties View

Once a filter is assigned, use the Include entries that pass drop-down to select the filter method.
The following filter options are available:

Option	Description
All	Include each entry that passes all assigned filters.
Any	Include each entry that passes any filter.
None	Include each entry that does not pass any of the filters.
Ignore	Include all entries.

Sample SIEM Success Logon Report Properties View

Use the Select distinct count controls to define a composite key to select a distinct count of entries that match your composite key. For example, generate a report that displays the number of each unique event type, Information, Warning, Critical, Audit Success and Audit Failure or the number of unique entries keyed by Event ID and Source on each assigned host).

Sample Select Distinct Count Properties View

Use the Query by controls to optimize SQL statements. For example, if the column you want to search for was added using a regular expression column defnition, specify the column key and the value to search for. Once executed, only rows that match your search criteria are returned from the database engine.

Sample Select Clause to Optimize SQL Table Scans

Sample Windows/Linux Success Logon Report

Table of Contents

SIEM Reports

How to create a SIEM Report

The Options Tab