Managing Reports
You manage reports through the Reports page, which is accessed by clicking the Reports link in the Data Discovery sidebar on the left.
From the Reports page you can:
View all existing reports. See Viewing Reports.
Create a new report. See Creating Reports.
Generate a report. See Generating Reports.
View details of a selected report. See Report Details.
View remediation report for a scan. See Remediation.
Remove a report. See Removing Reports.
Export the data objects associated with a report. See Exporting Report's Data Objects.
Viewing Reports
The Reports page displayed lists available reports. Initially, the page shows no reports. Newly configured reports are shown on this page. Additionally, the page shows the total number of available reports.
By default, reports are listed in ascending alphabetic order of their names. The list view of the Reports page shows the following details:
| Item | Description |
|---|---|
| Name | Name of reports. |
| Type | Type of reports (Scan or Data Store. Scan-based reports are for personal use only. Users can only access the scan-based reports that they create. No user can access the scan-based reports created by others. |
| Analysis | Analysis type (Aggregated or Trend). |
| Last Run | Time when the report was run. |
| Duration | The duration time of the report run. |
| Status | Status of the report. The status could be Not Generated, In Progress, Completed, or Failed. |
| [cogwheel] | Clicking on the cogwheel button in the header of the last column allows you to select which columns to display. |
The overflow icon (
) in each row allows you to select View, Generate, Export D.O., or Remove for the report.
Note
The Export D.O. option is not available for scan Trend reports. For legacy reports only the View option is available.
Use the Search text box to filter reports. Search results display reports that contain specified text in their names.
Reports can be sorted by their name (Name), and the last time that the scan was run (Last Run).
Click the link embedded in the report name to display the details of that report. For more information, see Report Details.
Creating Reports
To create a report you aggregate data from multiple sources. When a report is generated it contains the results of executed scans.
To create a report use the New Report wizard described in the following sections. To launch the wizard, click the + Add Report button in the Reports page on the right.
General Info
Provide the following information in the General Info screen of the New Report wizard:
A unique Name for the report. The name must be longer than two characters and up to 64 characters. This field is mandatory.
An optional Description for the report (up to 250 characters).
Select one of these types of reports:
Aggregated: information is aggregated from the scan/s selected. It is only possible to select one execution per scan (the last one, by default).
Trend: Only one scan or datastore can be selected and the historical information will be presented for it.
See Aggregated Report and Scan Trend Report for more information on these reports.
Click Next to go on to the Configure Content step of the wizard.
Configure Content
The Configure Content screen of the wizard shows available scans with their number and the number of selected scans. Content identified in this step will be merged in a single report. This is called an aggregated report.
Tip
To include the removed scans in the list leave the Show Removed Scans check box selected.
Use the Search text box to filter available scans. Search results display scans that contain specified text in their names.
Select the Scan Name check boxes corresponding to desired scans.
Tip
For the Scan Trend type of report you can only select one scan.
When you are done, switch on the Selected Only toggle to list only the scans that you selected.
In terms of the Scan Execution, you can create two different types of reports:
A report that is based on a scan run on a specific date. For such a report, click "Latest Execution" and select the date of the scan that you wish to use.
A report that can change if the underlying data store or protection profile is modified and a scan is run again. For such a report leave "Scan Execution" as "Latest Execution".
Note
For a Scan Trend report, the report will be generated using the last 15 scan executions until the selected date.
Click Save and a message will appear stating that the report has been created successfully.
To generate the report immediately after creating it, select the Generate Now check box before you click Save.
Aggregated Report
This kind of report displays the aggregated results from the selected scan/s selected which allows the user to analyze the status of the data stores associated to the selected scan/s and to obtain high level information about the executed scans and their main statistics.
The report page displays such information about the report as the report name, the number of scans, data stores, and data objects. The page also shows the total data objects scanned, sensitive data objects found, sensitive data matches, and selected infotypes found.
The upper part of the report details page displays general information about the report, such as the name of the report and the number of scans included in the report.
The Print Preview button in the top right corner of the screen allows you to print the report. For more information, see Printing the Report Details.
The findings of the scan (or scans) are reported on these four cards:
TOTAL DATA OBJECTS SCANNED: All data data objects that were included in the scan.
SENSITIVE DATA OBJECTS FOUND: All data objects that contain sensitive data that were identified by the scan.
SENSITIVE DATA MATCHES: All sensitive pieces of information that were found inside the sensitive data objects.
SELECTED INFOTYPES FOUND: The infotypes found during the scan out of those configured for the scan when it was created (" out of ").
Due to a known limitation, in reports for MongoDB, Azure Table and G-Mail data stores you will see "N/A" for the "Total Data Objects Scanned" values.
Note
- For G-Mail, DDC ignores copies of the email that were received in the same second, from the same sender and with the same subject.
In the lower part of the report details screen, you can view the report information displayed on three different tabs: Scans, Data Stores, and Data Objects.
Scans Tab
The list of scans involved that contributed the information for the report. Here, apart from the list of scans, you can see the report data displayed in graphical form. The diagrams show:
Infotypes Discovered
Sensitive Data Objects by Content
Sensitive Infotype Distribution
Sensitive Data Objects
Data Stores Tab
The list of data stores included in the report, with the information about their risk score, sensitivity level, scan name, last scan time, targets, infotypes, data objects scanned, and sensitive objects found in each data store that was scanned.
Data Objects Tab
The list of data objects scanned. Only the top 1000 data objects are searched and sorted by Risk score (the first 25 of these are displayed but you can view more by clicking "Show more"). Use the Search box, to search for a specific data object. After you type in the search term, you have to click the magnifying glass icon to start the search.
The data object search has the following characteristics:
it is case sensitive,
the search is partial. For example, searching for "bal" will include "baseball" and "balloon" in the search results,
the search looks for the Object Name and Path.
Note
When searching for the first time, the result will take some time (usually between 1 and 3 minutes) to display. During this time you can navigate through the different tabs inside the report, however, if you leave the Reports space you must repeat the search. The results of a successfully completed search are cached and will allow repeating the same search with a response time of a few seconds only. Generating the report after the search is completed will invalidate the cache as it will render the information outdated.
The table in the report details lists the following findings distributed among these columns:
Object Name - The name of the data object scanned and listed in the report details.
Note
For Oracle and IBM DB2 the result will be displayed in uppercase.
In this column you can also view the remediation information for the sensitive data objects found by the scan. For more information, see Remediation.
Risk - Risk score associated with the sensitive object. A risk is the presence of a sensitive item of data. For more details about the risk score, see Risk Score.
Type - The type of the scanned data object listed in the report details, such as "File" or "Folder".
Path - The path to the object that is listed in the report details.
Store - The name of the data store where the object listed in the report details was found.
Infotypes - The number of information types found in the data object that is listed in the report.
If you have remediation enabled, the Data Objects tab will display the remediation information about the sensitive objects found. The icons on the left of the object names indicate the remediation status of the sensitive object found. There, you can expect to see the following remediation statuses:
| Icon | Description |
|---|---|
 | (Disabled, Outstide GuardPoint, No CTE Agent) The object cannot be remediated due to one of these reasons: a) Remediation has not been enabled on that particular target of the scan where the object was found. b) The remediation has been enabled but the object is outside of the guard point so CTE cannot remediate it. c) There is not CTE Agent configured on the data store scanned. |
 | (Unencrypted – Inside GuardPoint) This usually happens when a sensitive object is detected for the first time by a scan. In this case, the scan will remediate it (by encrypting it), however it will report it as “unencrypted” to indicate the status of the object at the time it was found. Running a scan is the next time with this object in it will report it as “encrypted”. |
 | (Encrypted – Inside GuardPoint) Indicates a correctly remediated data object with Access Control List (ACL) + Encryption. |
 | (Not Supported) The data object has been found in an unsupported data store/target and so it could not be remediated. Currently, remediation is only supported on local storage data store types. |
 | (Access Control Only) Indicates a remediated data object with Access Control List Only. No encryption is applied. |
To view more information for the report including the sensitive objects found and the remediation status, click to explode the report row to display the report details. A detailed view of the remediation part of the report displays the full list of sensitive data objects found, the remediation information and a list of Security Rules and Key Rules applied.
The Remediation Information section features these four cards:
REMEDIATION STATUS – for details, see Remediation.
POLICY APPLIED – security policy applied to remediation.
REMEDIATION TIMESTAMP – the time when remediation (i.e. encryption) was applied.
CLASSIFICATION ASSIGNED – the classification profile assigned to remediation.
The Security Rules/Key Rules section of the remediation report details lists the security rules that have been applied in the process of remediating the risk, in the order in which they were applied.
To return to the Reports page, click the All Reports link at the top of the report details page (above the report name).
Information About Scan Filters
You can view the information about any filters that might have been applied in scans. This is achieved in the Scans tab by clicking the arrow icon on the left of the report name to expand it. The section that appears will display the information about the number and types of filters applied. For example, you can expect to see information like this:
1 Scan Filter Exclude locations greater than file size ................................. 14000 MB
As you can glean from this message, one filter was applied on the scan: "Exclude locations greater than file size".
Printing the Report Details
Click the Print Preview button in the top right corner of the screen and then Print. The report will be saved in PDF format to the location that you selected. To return to the report, click the < Exit Print View link in the top left corner of the screen.
For the best experience of exporting reports to PDF use Chrome or Firefox.
Note
Although A4 and portrait settings are supported, it is recommended to use A3 and landscape settings as print settings to avoid printing distorted charts.
Scan Trend Report
This kind of report allows you to see how the scan information evolves over time. You can select the time interval to be presented in the charts, also in some of the charts the KPIs are displayed. You can select the end timestamp and then the last 15 executions will be displayed. The report definition wizard will by default select the "Latest execution" date but you can also select your own date. The report will be generated using the last 15 scan executions until the selected date.
Note
If there are fewer than 15 executions, the chart will auto distribute the horizontal space.
The report information is presented on two different tabs: Trends and Data Objects.
Trends Tab
The trends information is displayed on these four charts:
Data Objects
Presents all types of data objects included in the report, such as Scanned, Sensitive, Remediated data objects, and the Infotypes detected in the scan. Click each data object type link in the chart legent (at the top of the chart) to display it or hide its results. The dates correspond to scan executions (when they occurred). If you have several executions on the same day, they will be numbered (within brackets: (1), (2), and so on). Any scan configuration change will be marked with a star (*) next to the date of the change.Average Risk
Shows the average risk score distribution over the report period. Click the View details link to get more information about the risks found.Remediation
Diplays the number of Sensitive D.O. (data objects), Remediable D.O. (i.e. data objects that are possible to remediate), and Remediated D.O. (in the case if you already have remediated data objects) over the selected report period. You need to have remediation enabled to fully appreciate this graph, otherwise it will only show the number of sensitive data objects found.Infotypes by Families
The color coded distribution of the different infotype families, which infotype families are getting more matches (in %). You can click the name of each infotype family in the chart legend (at the bottom of the chart) to display the results for it or to remove its trend information from the chart. Hover the mouse cursor over the chart to view detailed information on the infotype families on a given date.
Note
The number of Infotype families is fixed (i.e. it does not change over time period of the report).
Click the Print Preview button in the top right corner of the screen and then Print. The report will be saved in PDF format to the location that you selected. To return to the report, click the < Exit Print View link in the top left corner of the screen.
For the best experience of exporting reports to PDF use Chrome or Firefox.
Note
Although A4 and portrait settings are supported, it is recommended to use A3 and landscape settings as print settings to avoid printing distorted charts.
Data Objects Tab
A detailed list of all data objects scanned and included in the trend report over the 15 execution of the scan. From the Execution menu, select the execution date of the scan to view its results. The Data Objects table will display the results distributed in these columns:
Name - The name of the data object scanned and listed in the report.
Protection - The remediation information and the type of protection (if any) that was applied by remediation for the sensitive data objects that were found by the scan: Inside Unencrypted, Inside Encrypted, No CTE Agent, Outside, and Not Supported. For more information on the type of protection applied by remediation, see the table below.
Risk - Risk score associated with the sensitive object. A risk is the presence of a sensitive item of data. For more details about the risk score, see Risk Score
Path - The path to the object that is listed in the report.
Data Store - The name of the data store where the object listed in the report was found.
Profiles - The number of classification profiles involved in the scan.
Infotypes - The number of information types found in the data object that is listed in the report.
Matches - The number of sensitive data objects found.
The table below explains the protection (i.e. remediation) statuses of sensitive data objects, and their corresponding icons:
| Icon | Description |
|---|---|
| (Disabled, Outstide GuardPoint, No CTE Agent) The object cannot be remediated due to one of these reasons: a) Remediation has not been enabled on that particular target of the scan where the object was found. b) The remediation has been enabled but the object is outside of the guard point so CTE cannot remediate it. c) There is no CTE Agent configured on the data store scanned. |
| (Unencrypted – Inside GuardPoint) This usually happens when a sensitive object is detected for the first time by a scan. In this case, the scan will remediate it (by encrypting it), however it will report it as “unencrypted” to indicate the status of the object at the time it was found. Running a scan is the next time with this object in it will report it as “encrypted”. |
| (Encrypted – Inside GuardPoint) Indicates a correctly remediated data object with Access Control List (ACL) + Encryption. |
| (Not Supported) The data object has been found in an unsupported data store/target and so it could not be remediated. Currently, remediation is only supported on local storage data store types. |
| (Access Control List (ACL) Only) (Inside ACL Only) Indicates a remediated data object with Access Control List Only. No encryption is applied. |
For more information on these remediation statuses, see Remediation Status Info.
Generating Reports
After you have configured a report, it can be generated at anytime. There are two different ways of generating reports:
A report that is based on a scan run on a specific date. Such a report shows the scan findings on the selected date. In the case of multiple executions of the scan for the selected day, the report will include the information for the latest execution on that day.
A report that always shows the information found on the latest scan execution. This way, the results will reflect (or update) the changes in the sensitive data discovered if the underlying data in the Data Store or the Classification Profile is modified. Still, the report will actually get generated when the user chooses to generate it.
- In order to see an updated report it must be generated again (manually) to see the results of the last scan execution.
Note
- The data stores and scans a user can select will depend on which data stores it has permission to access. If the user selects a scan with data store/s it does not have access, the scan information will be shown without that data store/s.
- In order to see an updated report it must be generated again (manually) to see the results of the last scan execution.
To generate a report:
In the Reports page, search for the report that you want to generate.
Use the Search text box to filter reports. Search results display reports that contain specified text in their names. By default, reports are listed in ascending alphabetic order of their names.
Tip
Reports can be sorted by their name, type (Scans), analysis (Aggregated), last run time, schedule, and status.
Click the overflow icon (
) corresponding to the desired report. A shortcut menu appears.Click Generate.
As soon as the report starts to run, its status becomes Pending. The status of the report changes in the sequence: Not Generated > In Progress > Completed / Failed.
Note
Permissions to access the data stores accessed by the scans included in a scan-based report are checked every time the report is run. If the current user no longer has the correct permission for any of them, an error is displayed.
Remediation
Remediation is the feature of DDC that allows it to mark and neutralize the vulnerabilities (security risks) found during scans. Remediation information in reports show the remediation status of these security risks.
Remediation Status Info
Here are all possible remediation statuses:
- Not Supported: This will appear for data objects that belong to a Data Store that does not support remediation. Currently only LOCAL STORAGE data stores support remediation.
The following statuses are applicable to data objects that belong to a local storage type data store:
No CTE Agent: This will appear for data objects that belong to a Data Store that does not have a CTE agent installed.
Outside GuardPoint: This will appear for data objects that even though they have a CTE agent installed, the path that contains this data object is not behind a GuardPoint.
The following statuses are for targers that have a CTE agent running in the DataStore and data objects are behind a GuardPoint:
Disabled: This will appear for data objects that belong to a path that was not remediated intentionally.
Unencrypted - Inside GuardPoint: This will appear for data objects that belong to a path that was remediated but the data object was not encrypted at the moment the scan was run (this could be for several reasons).
Note
On the first scan, the sensitive data objects found that are being remediated are shown as “Unencrypted – Inside GuardPoint”, as the report reflects the status of the object at the time of the scan run. To refresh the Remediation status, you can use one of these two options:
1) Run a complete scan. Running a scan the second time on the same data objects will report that they were remediated and encrypted (“Encrypted – Inside GuardPoint”).
2) Run “Reclassify”. The Reclassify operation is recommended instead running a full scan, because it is less expensive.Encrypted - Inside GuardPoint: This will appear for data objects that belong to a path that was remediated and the data object is now encrypted.
Inside ACL Only: This will appear when Access Control List (ACL) Only policy has been defined in the CTE configuration. Data objects are not encrypted, only access control is managed according to CTE Policies.
Risk Score
The risk score reflects the level of the risk to the business that would result from the exposure of the sensitive data objects (i.e. sensitive information) found by a scan. The lower the risk score number the lower the risk. The risk score will depend on the type of sensitive data object found and the number of such objects found. For example, a risk score for a single email address found by a scan will be 10, before remediation. Obviously, for a document containing thousands of email addresses found during a scan, the reported risk score will be many times that.
When remediation kicks in, it lowers the risk score associated with a data object. Remediation with Access Control List (ACL) + Encryption halves the risk score for a sensitive data object, and Access Control List Only reduces the risk by 25%, however it is not reduced to zero. This is to indicate that additional action is required on the part of the owner of the sensitive data object to comply with the data/sensitive information protection policy.
Note
Only a complete removal/deletion of a sensitive data object would reduce the risk score to zero.
Removing Reports
You can remove a report in the Reports screen. Since reports have no dependencies (i.e. do not affect other resources) you can remove them without problems.
Note
Only users with the right permissions can remove reports, that is Admin, DDC Admin, DDC Report Admin, and DDC Full Report Admin.
To remove a report follow these steps:
Click the overflow icon (
) corresponding to the desired report.In the shortcut menu that is displayed, select the Remove option.
A warning message "Remove Report? Are you sure you want to remove this report? This cannot be undone." is displayed.
Confirm the report removal by clicking the Remove button in the warning message dialogue box. To cancel the report removal, click the Cancel button.
After deleting a report, you can create another report with the same name as the one that you deleted.
Note
Reports are not deleted in HDFS, which means that if you have the URL of the removed report, with the report ID, you can still view the report after you removed it.
Exporting Report's Data Objects
You can export all the data objects of a report as newline-delimited JSON (NDJSON) format. You can then view the exported ndjson file in any editor supporting this format.
There are two ways of exporting those data objects:
directly through the Reports page, using the Export D.O. in the report's contextual menu,
through the Report Details page, Data Objects tab, using the Export Data Objects button.
To export the data objects associated with a report from the Reports page:
Click the overflow icon (
) corresponding to the desired report.Click Export D.O. in the contextual menu that is displayed.
Choose the target location for the exported file.
To export data objects associated with a report from its Report Details page:
Click the overflow icon (
) corresponding to the desired report.Click View in the contextual menu that is displayed.
In the report details page, click the Data Objects tab.
In the Data Objects tab, click the Export Data Objects button to export the data objects.
Choose the target location for the exported file.
Tip
Please check the ELK Reference to see how to use the exported data.
