Reports

Overview

The Reports System lets users run or schedule reports over the data held in the system, including session data, threat data, and signature data. Reports can be run on demand or scheduled to run daily, weekly, or monthly. Report output is retained for a configurable period and can be reviewed at any time within that period.

Creating Reports

https://github.inquest.net/InQuest/inquest-ui-v3/wiki/API:-Reports#creating-reports

To create a report, go to the Reporting section of the UI and click "Create Report." The form asks for a title, which report type to run, whether the report is scheduled, its default output format, and whether the output should be e-mailed. For every report type other than the User Information reports, the report data is generated subject to the current restrictions of the user who owns the report.

Available report categories and report types for each category are as follows:

  • File Information

    • Top file Names
    • Top Hashes
    • Top MIME Types
  • Network Information

    • Top Destination Countries
    • Top Destination IPs
    • Top Destination Ports
    • Top Source Countries
    • Top Source IPs
  • Session Information

    • HTTP: Top Accept Languages
    • HTTP: Top Files Downloaded
    • HTTP: Top Hosts
    • HTTP: Top Referers
    • HTTP: Top User Agents
    • SMTP: Top Attachment Names
    • SMTP: Top CC Addresses
    • SMTP: Top FROM Addresses
    • SMTP: Top Subject Lines
    • Workflow Status Summary
  • Signature Information

    • Top Signature Category Hits
    • Top Signature Hits
  • Threat Information

    • Top Threat Scores by File Type
    • Top Threat Scores by Hash
    • Top Threat Scores by Protocol
    • Top Threat Scores by Severity Hash
    • Top Threat Scores by SrcIP/DestIP Pair
  • User Information

    • Successful User Logins
    • Users Created
    • Users Deleted

Reports can be generated as CSV, JSON, or XML files. CSV files can be opened in most popular spreadsheet programs, and all three formats are suitable for import into third-party databases or tools.
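The following is an added example, not code from the Reports System itself, showing what a "Top N" report such as SMTP: Top Subject Lines might look like in each of the three output formats. The record schema, the column names (rank, value, count) and the sample sessions are all constructed for the example; the page does not describe the product's actual layout. The CSV writer also neutralises cells that begin with a formula character, since values such as subject lines, file names and user agents come from untrusted traffic and a CSV opened in a spreadsheet program will otherwise evaluate them; whether the product already does this is not stated on the page.

```python
import csv
import io
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample records, one per SMTP session. The real record schema
# used by the product is not given on the page; this shape is an assumption.
SMTP_SESSIONS = [
    {"subject": "Invoice overdue", "from": "billing@example.test"},
    {"subject": "Invoice overdue", "from": "billing@example.test"},
    {"subject": '=HYPERLINK("http://evil.example/x","Click")', "from": "a@example.test"},
    {"subject": "Re: meeting, Tuesday", "from": "b@example.test"},
    {"subject": "Re: meeting, Tuesday", "from": "c@example.test"},
    {"subject": "Re: meeting, Tuesday", "from": "c@example.test"},
    {"subject": "<b>Bold</b>", "from": "d@example.test"},
]

REPORT_NAME = "SMTP: Top Subject Lines"   # one of the report types listed above


def top_n(records, field, n=5):
    """Rank the most frequent values of `field`, highest count first.
    Ties are broken by the value itself so the output is deterministic."""
    counts = Counter(r[field] for r in records)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{"rank": i + 1, "value": v, "count": c}
            for i, (v, c) in enumerate(ranked[:n])]


def csv_safe(value):
    """Defuse spreadsheet formula injection: a cell starting with = + - @
    (or a tab / carriage return) is evaluated by common spreadsheet programs
    when the CSV is opened. Prefixing a single quote makes it plain text.
    The page does not say whether the product applies such a rule."""
    s = str(value)
    if s and s[0] in "=+-@\t\r":
        return "'" + s
    return s


def to_csv(rows):
    """CSV with a header row; the csv module handles quoting of commas and quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["rank", "value", "count"],
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: csv_safe(v) for k, v in row.items()})
    return buf.getvalue()


def to_json(rows):
    """JSON keeps native types (rank and count stay integers)."""
    return json.dumps({"report": REPORT_NAME, "rows": rows}, indent=2)


def to_xml(rows):
    """XML via ElementTree, which escapes <, > and & in text for us."""
    root = ET.Element("report", name=REPORT_NAME)
    for row in rows:
        el = ET.SubElement(root, "row", rank=str(row["rank"]), count=str(row["count"]))
        el.text = row["value"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    rows = top_n(SMTP_SESSIONS, "subject")
    print(to_csv(rows))
    print(to_json(rows))
    print(to_xml(rows))
```

Note that the JSON and XML output carry the subject lines verbatim (with XML escaping of markup characters) while the CSV output prefixes a quote to the formula-like subject; a consumer that re-exports the JSON to a spreadsheet needs the same precaution.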

Scheduling

https://github.inquest.net/InQuest/inquest-ui-v3/wiki/API:-Reports#scheduling

Reports can be scheduled to run daily, weekly, or monthly, or left to run on demand only. Every scheduled report runs at a configured time of day. Weekly reports also select the day of the week to run on, numbered 1 through 7 for Sunday through Saturday. Monthly reports select the day of the month, from 1 to 31. All schedule times are interpreted as UTC.
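As an added illustration of the scheduling rules above (this is example code, not the product's scheduler), the function below computes the next UTC run time for a daily, weekly or monthly schedule. The dict shape of the schedule is an assumption made for the example. Two points the prose does not spell out are handled explicitly: the page's weekday numbering (1 = Sunday) differs from Python's isoweekday() (1 = Monday), and the page does not say what a monthly schedule on day 31 does in a shorter month, so the example assumes such months are skipped.

```python
import calendar
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def utc(year, month, day, hour=0, minute=0):
    """Convenience constructor for a timezone-aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def page_day_of_week(dt):
    """Map a datetime to the page's numbering: 1 = Sunday ... 7 = Saturday.
    datetime.isoweekday() is 1 = Monday ... 7 = Sunday, hence the conversion."""
    return dt.isoweekday() % 7 + 1


def next_run(schedule, now):
    """Return the next UTC datetime strictly after `now` at which `schedule`
    fires, or None for an on-demand report.

    `schedule` is an assumed dict shape (not the product's API):
      {"frequency": "on_demand" | "daily" | "weekly" | "monthly",
       "hour": 0-23, "minute": 0-59,
       "day": 1-7 (Sunday = 1) for weekly, 1-31 for monthly}
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware; schedule times are UTC")
    now = now.astimezone(UTC)
    freq = schedule["frequency"]
    if freq == "on_demand":
        return None

    hour, minute = schedule["hour"], schedule["minute"]
    today_at = now.replace(hour=hour, minute=minute, second=0, microsecond=0)

    if freq == "daily":
        return today_at if today_at > now else today_at + timedelta(days=1)

    if freq == "weekly":
        day = schedule["day"]
        if not 1 <= day <= 7:
            raise ValueError("weekly day must be 1-7 (Sunday-Saturday)")
        days_ahead = (day - page_day_of_week(today_at)) % 7
        candidate = today_at + timedelta(days=days_ahead)
        # Same weekday but the time has already passed: go to next week.
        return candidate if candidate > now else candidate + timedelta(days=7)

    if freq == "monthly":
        day = schedule["day"]
        if not 1 <= day <= 31:
            raise ValueError("monthly day must be 1-31")
        year, month = now.year, now.month
        # Assumption: months without the requested day (e.g. day 31 in
        # February) are skipped; the page does not specify this behaviour.
        for _ in range(48):
            if day <= calendar.monthrange(year, month)[1]:
                candidate = utc(year, month, day, hour, minute)
                if candidate > now:
                    return candidate
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        raise RuntimeError("no run found within four years")

    raise ValueError(f"unknown frequency {freq!r}")


if __name__ == "__main__":
    now = utc(2024, 3, 10, 15, 30)   # a Sunday, constructed for the demo
    print(next_run({"frequency": "daily", "hour": 9, "minute": 0}, now))
    print(next_run({"frequency": "weekly", "hour": 12, "minute": 0, "day": 3}, now))
    print(next_run({"frequency": "monthly", "hour": 6, "minute": 0, "day": 31}, now))
```

Because the function refuses naive datetimes, a caller cannot accidentally feed it local wall-clock time and schedule a report an offset away from what the UI shows.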

E-mailed Reports

https://github.inquest.net/InQuest/inquest-ui-v3/wiki/API:-Reports#e-mailed-reports

Any report, scheduled or not, can be e-mailed on completion. Recipient addresses are entered as a comma-separated list. When a run finishes, the output is automatically sent to the addresses configured in the report settings, attached in the report's default output format.

Running Reports

Reports can be run on demand by clicking the "Run Report" button beside a report. The report runs immediately and the UI returns the result when it completes. If the report is configured for e-mail, the output is also e-mailed. Any report can be run on demand, including one that is scheduled to run at a specific time.

Report Archives

Every completed run is listed in the "History" tab. To see the runs of a single report, click the "Show All" button beside that report; this shows the history for that report only. Each archived run can be viewed directly in the UI and exported to any of the supported formats, independent of the report's default format.

How long archives are kept is configurable under "Administration" -> "Globals" -> "Other Options". By default, archives are kept for 14 days.
