ThreatLocker now offers users the ability to schedule and build custom reports directly from the 'Custom Reports' page. This provides you with a method for custom-generating reports based on information provided by ThreatLocker and within your Unified Audit. With this new feature, you will be able to create custom reports that contain the important information you would like to view within your organization.
Location of the Schedule Reports Feature
Navigate to the 'Custom Reports' page located on the left-hand side of the portal.
From here, you can see the 'Schedule Reports' button in the page's top left corner. Selecting this will open a pop-up window.
The first page in the pop-up window is titled 'Scheduled Reports for Identifier Name'. This window shows you a collection of any existing scheduled reports, including custom reports you have created.
You can toggle between this tab and the 'New Report' tab at the top right corner of the page.
Creating a New Custom Report
To create a new report, navigate to the 'New Report' tab and make sure it is switched to 'Custom Report'.
From here, you can begin to fill out each field:
- Report Name - This is the name of the report as it will appear in the 'Scheduled Reports' section.
- Report Logo - This option allows users to insert a link to an image to include branding in the report once it is generated.
- Use Existing Report Switch - This switch allows you to choose between using an existing report from ThreatLocker or creating a new one. The switch is toggled on by default; how to use it to create custom reports is explained later in this article.
- Report Recipients - Enter the email address of the user(s) you would like to receive this report via email. The 'Pre-Auth Link' checkbox to the left of this field controls whether the link to view the report requires the recipient to sign into the ThreatLocker Portal (checkbox left unchecked) or is pre-authorized (checkbox checked).
- Add User - The 'Add User' button appears as a '+' sign on the page. Select this to add the user you have entered. You can use this button to add multiple recipients for this report.
- Starting Date - Use this field to set the starting date for receiving your first report.
- Frequency - The frequency dropdown allows you to choose from various frequencies to receive a report. The options are:
  - Daily
  - Weekly
  - Biweekly
  - Monthly
  - Yearly
- Enable Switch - This switch is turned on by default, enabling the report to run using the indicated parameters. If the switch is turned off, the report does not run.
- Save Report - Saves the report with the specified settings. The report can then be viewed in the 'Scheduled Reports' tab.
- Cancel - Closes out of the report creation window and deletes any input settings.
Making a Custom Report Using Report Parameters
As mentioned above, you can toggle the 'Use Existing Report' switch. When this is toggled off, you can make customized reports outside of what ThreatLocker provides.
Once toggled off, a new section titled 'Report Parameters' will populate on the page with three fields that might change depending on which 'Field' is chosen. The 'Field' section contains the same options that appear when creating Advanced Search parameters in the Unified Audit. For further information regarding those parameters and what they mean/can be used for, navigate to the following article:
The 'Report Parameters' section also provides check boxes for including child organizations or simulated denies.
You can add several of these parameters, depending on what you would like to monitor within your organization; be sure to enter rules and keywords accordingly. Once you have entered information in a field, select the '+' button to the right of the field to include the parameter in the report, or the 'X' button to remove it from the list of parameters.
A new dropdown menu titled 'Timeframe' will also populate, which allows you to select from a list of specific timeframes for what logs will be shown from the Unified Audit. The following timeframes will be available:
- Last 7 Days
- Last 30 Days
- Last 90 Days
- Current Month
- Previous Month
Note: Logs that display in your report are dependent on which level of storage you have set for your Unified Audit. For example, if you are only paying for the month-long Unified Audit storage, you will not be able to receive all logs from the 'Last 90 Days' option.
Once you have set your preferred parameters, select the 'Preview in the Unified Audit' button.
This button takes you to the Unified Audit page, filtered to match the parameters you entered while making the Custom Report. This lets you verify that all data shown is what you would like in each report before officially creating it, and add or delete parameters as you see fit.
Once you have determined that all information is correct, you can change the 'Display Columns' section. This is where you can customize the columns that will be visible on your report. Select the checkbox to the left of each column name you wish to add to the display. You can also search for columns using the search bar, or select the checkbox to the left of the search bar to choose every option at once.
Creating a New Detect Report
To create a Detect Report, navigate to the 'Schedule Reports' window and select 'New Report'. Switch the report window from 'Custom Report' to 'Detect Report'.
From here, you can begin to fill out each field:
- Report Name - The name of the report as it will appear in the 'Scheduled Reports' page.
- Report Logo - Allows users to insert a link to an image to include branding in the report once it is generated.
- Applies To - Which organizations this report will be run on. This can be set to entire organizations, workgroups, or individual computers by using the dropdown arrows that appear to the left of the page.
- Module - The 'Module' dropdown allows you to select between 3 different options:
  - All - Results for your report will be from both Endpoint Detect and Cloud Detect
  - Endpoint Detect - Results for your report will only be from Endpoint Detect
  - Cloud Detect - Results for your report will only be from Cloud Detect
- Timeframe - Provides options of how far back the timeline of the report must reach. Please note that this is dependent on which plan you have purchased for your Unified Audit storage (i.e., if you only have storage set to save back to 30 days, you will not receive report information past that by selecting the 'Last 90 Days' option). The 'Timeframe' dropdown provides you with the following options:
  - Last 7 Days
  - Last 30 Days
  - Last 90 Days
  - Current Month
  - Previous Month
- Include Child Organizations - This checkbox is not selected by default. Selecting this checkbox will include the child organizations of the parent organization picked in the 'Applies To' section within the generated report.
- Report Recipients - Enter the email address of the user(s) you would like to receive this report via email. The 'Pre-Auth Link' checkbox to the left of this field controls whether the link to view the report requires the recipient to sign into the ThreatLocker Portal (checkbox left unchecked) or is pre-authorized (checkbox checked).
- Add User - The 'Add User' button appears as a '+' sign on the page. Select this to add the user you have entered. You can use this button to add multiple recipients for this report.
- Starting Date - Use this field to set the starting date for receiving your first report.
- Frequency - The frequency dropdown allows you to choose from various frequencies to receive a report. The options are:
  - Daily
  - Weekly
  - Biweekly
  - Monthly
  - Yearly
- Enable Switch - This switch is turned on by default, enabling the report to run using the indicated parameters. If the switch is turned off, the report does not run.
- Save Report - Saves the report with the specified settings. The report can then be viewed in the 'Scheduled Reports' tab.
- Cancel - Closes out of the report creation window and deletes any input settings.
Navigating the Scheduled Reports Tab
Now that you have created your custom report, you can use the 'Scheduled Reports' tab to view it. Select the tab at the top right corner to navigate to the 'Scheduled Reports' page.
Once on this page, you will see a list of all reports in your organization.
- Applies To - Allows you to select which reports are shown. By default, the 'Entire Organization' will be displayed. Using this dropdown menu, you can also display reports for individual workstations, global groups, or computer groups.
- Report Type - A dropdown menu allowing you to choose what type of reports appear on this page. By default, 'All Reports' is selected, but you can choose to display only 'Custom Reports' or 'Detect Reports' as well.
- Include Child Organizations - This checkbox allows you to display parent and child organization reports simultaneously.
- Report Name - Shows the name you gave the report during its creation.
- Organization - Shows which organization this report is retrieving its information from.
- Status - Displays whether the report is active or not. If the report is enabled, users listed as recipients will receive their reports during the specified timeframes. If the status instead says 'Disabled', this means that the report is not being generated at this time.
- Frequency - The designated recurrence of reports being sent out, which can be set to daily, weekly, biweekly, monthly, or yearly.
- Last Report Date - The latest instance that a report was sent out to the listed recipients.
- Actions - The actions section has two buttons: a wrench and a trash can. The 'Wrench' button allows you to edit the associated report, while the 'Trash Can' button allows you to delete the report.
Creating Scheduled Reports Using the Unified Audit
You can now create scheduled reports using the 'Saved Searches' feature in the Unified Audit. The 'Saved Searches' button is located in the Unified Audit to the right of the 'Advanced Search' button.
Select this button to see a list of recent searches alongside your saved searches. Select the 'Calendar' icon as shown below to open the Custom Report window with the saved parameters and add it as a new report.
Selecting the 'Calendar' icon will open the 'Custom Report' page, which will now be auto-populated with parameters that match those of the saved search you chose from the Unified Audit.
You can create the rest of your 'Custom Report' from here.