Lesson 11: Investigative Reports

New User Quick Start | Web Security Solutions | Version 7.7.x


Learn what investigative reports are and how to drill down to specific information. Generate and modify a detail view report, and create Favorite reports that can be scheduled on a repeating cycle.

Investigative reports let you interact directly with the filtering information stored in the Websense Log Database. Initially, a bar chart showing today's activity by risk class is displayed. Investigate areas of concern by clicking appropriate chart elements to drill down for greater detail.

Make a few selections to view multiple levels of information, such as the top 5 users in the top 5 categories.

A separate detail view gives you a tabular report of related information. You can customize the columns displayed, and create a summary view of this table.

See Investigative reports reference for more information about what can be displayed in investigative reports.

In networks that use delegated administration, Super Administrators control who has access to these features.

Exercise 1: Drilling down to find specific data

You can drill down into the initial data displayed on the Investigative Reports page (today's activity by risk class) to uncover the details that matter most to your organization.

On the Reporting > Investigative Reports page, click Productivity Loss to display a list of drill-down options.

If there is no Productivity Loss entry, clients in your network have not requested any sites in that risk class. In that case, select another risk class.

Click by Category in the list of options.

The chart changes to show today's activity in the categories assigned to the selected risk class.

Click the first category name in the chart (for example, News and Media) to display a new list of drill-down options.

Click User to have the chart show a list of users who have requested sites in the selected category.

You can continue selecting drill-down options to see more detail about any item of interest.

Additionally, you can view a different timeframe by choosing the desired period or entering a specific date range in the View options above the chart, or change the measurement used to quantify activity by selecting a new option from the Measure drop-down list in the View toolbar near the top of the content pane.

Exercise 2: Creating a multi-level report

Starting with a report on the main Investigative Reports page, you can define a second level of information to display. This allows you, for example, to compare the most active users in one category with the most active users in another category.

In the breadcrumbs beside the Internet Use by list, click Category.

The chart displays the categories in the risk class selected in the previous exercise.

In the bar above the chart, enter the following:

Select top 5

by User

and Display 10 Results

Click the Display Results button.

The chart updates to show bars for only the top 5 categories. Below each bar is a list of the 10 users who requested the most sites in that category during the timeframe.

You can create a multi-level report with different combinations of data. Simply modify the bar chart to show the high-level data of interest, then define the second level as described above.

Exercise 3: Using flexible detail reports

Flexible detail reports give a tabular view of data related to a specific item on the bar chart. You can change to a summary view of the same data, and change the information columns displayed.

On the main Investigative Reports page, select Category from the Internet Use by list.

Click the bar or number for any category that shows a significant number of hits.

A detail view appears, showing a tabular report of today's traffic for the selected category. The default report includes columns for User, Date, Time, URL Hostname, and Hits.

Click Modify Report in the toolbar at the top of the content pane. A dialog box opens.

Use the controls in this dialog box to remove the Time column, and add Disposition as a column, between Date and URL Hostname.

You can choose up to 7 columns in this dialog box. Be sure to choose columns that are appropriate for the data being reported, or the column will be blank.

Notice that although the report shows hits, Hits does not appear as an entry in the list. Reports based on hits must include Hits as the rightmost column.

Click Submit to close the dialog box and update the report.

Notice that the new columns are now displayed, in the order you specified.

Click Summary, in the upper right corner of the content pane.

Notice that the updated report combines all hits with the same URL host name and date into a single entry showing the total number of hits.

The Summary report option is available only when the Time column is not displayed. It combines rows that share a common element. The combined element varies according to the information in the report. In this example, it combines those with the same URL host name.

Exercise 4: Saving and scheduling Favorites

Favorites are report definitions that you want to reproduce easily, and may want to schedule on a repeating cycle. You can save reports shown on the main Investigative Reports page, or the flexible detail view.

Generate a report that shows information you want to reproduce easily.

Click Favorite Reports at the top of the content pane.

On the Favorite Reports page, a file name is suggested for the report. Accept that name or enter a different file name, if desired.

Only letters, numbers, and underscore characters (_) are permitted in the file name.

Click Add to save the report as a Favorite.

Select the added report in the list, and then click Schedule to run the report on a repeating cycle.

Fill in the information requested.

To create a recipient list, enter an address in the Additional Email Addresses field, and then click Add. Be sure to highlight one or more email addresses to be recipients.

Click Next after all entries are complete to display a confirmation screen showing your selections.

Click Save to save the scheduled report job and display a list of all scheduled reports.

The job will run according to the schedule you set, and email the report to the selected recipients. At any time, you can review the list of scheduled jobs, edit a job definition, or delete an obsolete job by clicking Job Queue on the main Investigative Reports page.

If you are a reporting administrator in an investigative reporting role, you have completed the tutorial. See Where Do I Go Next? for additional resources.

If you have Real-Time Monitor permissions, continue with Lesson 12: Real-Time Monitor.