Spirion (Identity Finder) - Creating and Using Reports
Guided tutorial on using the Reports feature of the Identity Finder Console.
The Reports feature of the Spirion Console gives users a flexible way to view data about searches, results, endpoints and more. This guide will walk through the steps of creating a new report, editing the report for improvements and exporting the data for secondary analysis.
Note: the screenshots were taken in an old version of Spirion, but the steps have been verified through Spirion 12.5. The appearance of the console will vary with version.
Creating a Report
To create a new report, first navigate to the Reports tab of the Spirion Console.
The Report List may appear to be empty or nearly empty, but in reality it contains many reports that are not visible to your Role. Create a new folder to contain your Role's reports, if a folder for your Role doesn't already exist.
Now that you have a folder to store your reports, you are ready to create a new report. With your folder selected, click on the "Create" button from the "Report" button drop-down.
The Report View now displays the first tab of the Report Wizard. We will create a report that displays endpoint names that had SSN matches that were not ignored with the "Ignore" action. Fill in the Report "Title" and "Description" fields. We can ignore the "Design Notes" field for now, as we haven't designed the report yet. We will also keep the "This report will either be joined to another report or used for secondary reporting" check box unchecked because we won't be joining this report to any others. Clicking "Next" will take us to the "Columns" tab.
The "Columns" tab shows us all of the columns available for our use within the report. Because we want to see endpoint names and action type taken, we will drag those columns over into the "Selected Columns" pane. The "Endpoints: Endpoint Name" column can be found in the "Endpoints" group and the "Matches: Action Most Recent" column can be found in the "Matches" group. Clicking "Next" will take us to the "Filter" tab.
Filters allow us to narrow the data our report shows. They are based on the columns in our report, so we have the ability to filter on our endpoint names and most recent action. Since we only want to see matches that were not ignored, we'll create a filter that says "Action Most Recent" "Does Not Contain" "Ignore" using the drop-down menus and ellipsis dialog box. Once we have finished defining our filters, we'll click "Next" to get to the "Permissions" tab.
The "Permissions" tab allows us to grant view and edit permissions to other Roles in the Console. We'll keep this report within our Role, so check the appropriate "View" and "Edit" check boxes. Clicking "Finish" will take us to our new report.
Editing a Report
At this point, we notice a few problems with our report. First, we see many results listed, but no indication as to what these results represent. Our intention was to only display data related to SSN matches, but we never specified that in our report. Let's add another column to filter out non-SSN matches. To edit the report, click on the report name in the Report List and then from the "Report" button drop-down, choose "Edit". Alternatively, right-click on the report name in the Report List and choose "Report > Edit".
The Report View has now changed back to the Report Wizard. To add our new column, either click on the "Columns" tab at the top of the Report View or the "Next" button at the bottom. We will add in the column "Matches: Identity Type", which we can use to filter out results based on identity type. Since we have already decided to only show SSN matches, we don't need the "Matches: Identity Type" column visible in our report--we already know what type they are and the extra data will only obscure our view. To prevent this column from being displayed, we will check the "Hidden" box in the "Column Properties" pane.
We still have to implement our filtering rules, and we'll do that again from the "Filter" tab. This time, we will create a rule that says, "Identity Type" "Contains" "Social Security Number". To add our new filter, we must first click on the green branch button next to our existing rule.
This will add another filtering line for us as well as a few more controls above our first filter. The "And" button above our filter tells our report to "only get results that match our first rule's criteria and the second rule's criteria". If the "And" button is clicked it will change the rule to "Or", and results that match either of our two rules (or both) will be reported. The two buttons next to the "And" button can be used to add and remove filters from our combined "And" rule. After adding our new filter, our filters will look like:
Clicking "Finish" will take us to our updated report. While we can't see the match type listed, we are now assured that we are only seeing results that are both SSNs and were not ignored in the client. Looking over our report, we notice it can still be improved. If we want to use this to get a list of files that may require additional follow-up with a user, it would be nice to have those file locations listed as well. We will make one more edit to our report, and use this opportunity to describe our hidden SSN filtering column in the "Design Notes" section of the Report tab. This will help future users of this report understand our intention and design choices if any changes need to be made. Our "Report" tab now looks like the following:
The "Description" and "Design Notes" fields are optional, but it is good practice to include a few brief notes. We will now add our final column to display the file location of the match. In the "Columns" tab, drag over the column "Locations: Location". Columns are displayed on the report in the order they are listed in the "Selected Columns" pane, but our report will probably be easier to read if columns are displayed in the format "Endpoint Name | Location | Action Most Recent". We will move our "Locations: Location" column up so that it is above our "Matches: Identity Type" column, and this is done by right-clicking on the column we want to move and choosing "Move Up". We will do this twice to place our column between the "Endpoints: Endpoint Name" and "Matches: Action Most Recent" columns.
Clicking "Finish" will take us to our finished report, which now shows the machine name first, then the location of the SSN match and finally the most recent action taken. If we now wanted to use this report to quickly see information for a particular endpoint, for example, we could use the "Filter Data" button in the Reports tab ribbon to create a filter for a particular endpoint name. We could do the same if we wanted to only see matches with the "None" action taken or wanted to find all locations that contain the word "sample", which could indicate a false positive. These filters are not saved in the report so they are useful when we want to keep our original report format but still view more specific data.
Exporting a Report
Now that we have a report generating useful data, we will probably want to save it locally for further processing or remediation action. To export the report, select the report from the Report List and choose "Export" from the "Report" button drop-down or right-click menu.
We will have to configure a few of the options in the "Export" window. The first option we will fill in is the "Output Name" field. This name can be almost anything, but we will choose a name that describes what our report will show. We will also choose to export this as CSV so we can perform further analysis of our results. We will also keep the default Data Range of "All" selected.
Because we just want a local copy of this report, we will check the box for "Send by E-mail". The window expands and we are presented with another set of controls for configuring the email settings. We have a few options for configuring our recipients. The first option we have is to use the "Users / Roles" menu. The "Users / Roles" menu will allow us to choose specific Console users or roles to send the report to. We don't need to send this report to anyone other than ourselves, so we will just use the "Recipients" text field to enter an email address. The "Subject" and "Body" fields are optional, but we will include a nice subject line so we have something more descriptive than the generic Spirion subject. The "Body" field will be left blank because we really just care about receiving the data at this point. We will also check the "Send as Link" check box because our report could be very large. Our final "Export" window is shown below:
When we click "Save", our report will be emailed out. We could also optionally schedule recurring export jobs for this report with the "Schedule" control but we will not schedule any jobs at this time.
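For the secondary analysis mentioned above, the following added example (not part of the original guide or of Spirion) triages an exported CSV: it keeps matches whose most recent action is "None", sets aside locations containing "sample" as possible false positives, and ranks endpoints by open locations. The header names are assumed to match the report's three visible columns, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed header names; compare with the first line of your own export.
REQUIRED = ("Endpoint Name", "Location", "Action Most Recent")

# Constructed sample export (not real data).
SAMPLE_CSV = """Endpoint Name,Location,Action Most Recent
HR-LAPTOP-01,C:\\Users\\jdoe\\Documents\\payroll_2019.xlsx,None
HR-LAPTOP-01,C:\\Users\\jdoe\\Downloads\\sample_w2_form.pdf,None
FIN-DESK-07,D:\\Archive\\tax\\returns.docx,Quarantine
FIN-DESK-07,D:\\Archive\\tax\\old_returns.docx,None
LAB-PC-03,C:\\Temp\\Sample Data\\test_ssn.txt,None
"""

def triage(csv_text, fp_hint="sample"):
    """Return (follow_up, likely_fp), each mapping endpoint -> locations."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    missing = set(REQUIRED) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    follow_up, likely_fp = defaultdict(list), defaultdict(list)
    for row in reader:
        endpoint, location, action = ((row[c] or "").strip() for c in REQUIRED)
        if action.lower() != "none":
            continue  # an action has already been taken on this match
        bucket = likely_fp if fp_hint in location.lower() else follow_up
        bucket[endpoint].append(location)
    return dict(follow_up), dict(likely_fp)

def worklist(follow_up):
    """Endpoints ordered by number of open locations, busiest first."""
    return sorted(((ep, len(locs)) for ep, locs in follow_up.items()),
                  key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    open_items, maybe_fp = triage(SAMPLE_CSV)
    for endpoint, count in worklist(open_items):
        print(f"{endpoint}: {count} location(s) need follow-up")
        for loc in open_items[endpoint]:
            print(f"    {loc}")
    print("Review as possible false positives:")
    for endpoint, locs in maybe_fp.items():
        for loc in locs:
            print(f"    {endpoint}: {loc}")
```

The exported file lists where SSN matches live, so store it and any derived worklist with the same access restrictions as the report itself.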