With FIM, you can create a variety of reports to gain insight into the events and incidents occurring in your file system. You can use QQL queries from the Qualys Query Library, select a saved search, or enter your own custom query. The change event data is filtered by that query and included in the FIM report.
After a report is generated, you can download the report in PDF, CSV, or HTML format.
Important: As per PCI DSS guidelines, event data is retained for 13 months on the Qualys platform. Hence, on-demand reports can be generated for data collected in the past one year. Generated reports are purged from the Qualys platform seven days after the day of generation.
1. In the FIM UI, navigate to the Reports > Report Rules tab and click Create Report Rule.
2. In the Report Details page, provide the report rule name, a brief description, and specify the format for the report.
3. In the Query text box, enter your rule query for the report by using QQL tokens.
For example, use the following rule to create automated incidents or alerts for unauthorized deletion of log files:
file.name:'*.log' and action:Delete
Alternatively, do one of the following:
Click Saved Searches and select a search from the displayed list of searches.
Click Queries and select a query from the displayed list of queries.
4. You have the following two options for report generation:
Run Now: Lets you run the report immediately.
Schedule: Lets you run the report later at a specified date and time.
By default, the current date and current time+20 minutes are selected in the Start Date and Start Time boxes respectively. You can manually change the time if required.
5. In the Consider events from <day> drop-down box, specify the duration to consider for the events to be included in the report. By default, the value selected is Today.
6. Perform the following steps if you want to set up a recurring schedule:
Repeats: Select how frequently you want the report to be executed. The default value selected is Daily.
Start Time: Specify the time when you want the report to be executed.
The default value is the current time+20 minutes. You can manually change the time if required.
End Date: Select the last date for the recurring schedule of the report. The default value is the 10th day from the current date.
7. Click Notification if you want to notify users when a report is generated, provide the following details, and then click Next:
In the To text box, enter the email IDs of the users you want to notify. You can enter a maximum of 50 recipients.
In the Message Body text box, enter the email message that will be sent along with the report.
The notification email will include the link to download the report from the Qualys platform. You must provide your Qualys platform user ID and password to download the report.
Note: The report link is valid for seven days. You must download the report before the link expires.
After the report rule is created, it is listed in the Report Rules tab.
Note: The event record limit for CSV reports is 1 million and for HTML and PDF, the limit is 100,000. Records beyond this limit will be truncated.