Reporting

Reporting Issue

Issue

Report returns with zero visits

Resolution

  • Repair and download the latest list
    • Screen Path (‘Categorization – URL list – Repair’ and click the ‘Submit’ button)
  • Delete imported data with issue
    • Screen Path (‘Data Management – Report Database – Delete – Manual’) 
  • Re-import data with issue
    • Screen Path (‘Data Management – Report Database – Import – Manual’)

If this didn’t resolve the issue, please call or email support:

  • 321-953-5351 ext. 4
  • support@wavecrest.net

Microsoft Defender Data Source Settings

To give Cyfin access to Microsoft 365 Defender, you must create a new Azure application registration. The registration returns OAuth tokens with access to the Microsoft 365 Defender API.

The procedure to create an application is found at the link below:

Create a new Azure Application

When the application is given the API permission described in the documentation (Incident.Read.All), it is only granted access to read Incidents from 365 Defender and nothing else in the Azure domain.

After the application has been created, it should contain 3 values that you need to apply to the module configuration.

These values are:

  • Client ID
  • Tenant ID
  • Client Secret

In Cyfin, go to Data Management -> Setup and select Microsoft Defender.

Now input the 3 values gathered from the previous steps.
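Before entering the three values, it is worth confirming that a token issued to the new registration carries Incident.Read.All and nothing more. The following is an added example, not Cyfin or Microsoft code: it decodes the claims of an access token and lists deviations from the setup described above. The token, tenant ID and client ID in it are constructed placeholders, and the token is assumed to be an app-only token that carries its permissions in the roles claim.

```python
import base64
import json
import time

EXPECTED_ROLES = {"Incident.Read.All"}  # the only permission named on this page


def _b64url_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned stand-in for an access token (demo only)."""
    return f"{_b64url_json({'alg': 'none'})}.{_b64url_json(claims)}.constructed"


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_token(token, tenant_id, client_id, now=None):
    """Return a list of findings; an empty list means the token is as intended."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    findings = []
    if roles - EXPECTED_ROLES:
        findings.append("excess permissions: " + ", ".join(sorted(roles - EXPECTED_ROLES)))
    if EXPECTED_ROLES - roles:
        findings.append("missing permission: Incident.Read.All")
    if claims.get("tid") != tenant_id:
        findings.append("token issued for a different tenant")
    # v1.0 tokens carry the client ID in 'appid', v2.0 tokens in 'azp'.
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append("token issued to a different application")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        findings.append("token expired")
    return findings


if __name__ == "__main__":
    demo = make_sample_token({"tid": "TENANT-ID", "appid": "CLIENT-ID", "exp": 2**31,
                              "roles": ["Incident.Read.All", "AdvancedHunting.Read.All"]})
    print(audit_token(demo, "TENANT-ID", "CLIENT-ID"))
```

The claims are decoded without signature verification, so this is a configuration check for a token you requested yourself, not a way to validate tokens received from others.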

Microsoft 365 Reporting Prerequisites

To use Cyfin 365 reporting you need to enable Audit Log Search and register an application in Azure AD.

Once this application is registered, note the Application (client) ID and the Directory (tenant) ID. Then configure the authentication in the Certificates & Secrets section from the link provided above.

Configure Cyfin

  1. Navigate to ‘Data Management – Log Data Source – Setup’
  2. Select ‘Create New’ from the configuration dropdown and click ‘Next’
  3. Click Office365 from the listed options
  4. Fill in the appropriate fields with information gathered from the prerequisites. See the image below.
  5. Once completed, continue to the next screen and name your configuration, then click Next once more to save.
Microsoft 365 Reporting
Microsoft 365 Cyfin Configuration

What information do you require in your Cyfin reports?

If you want all Web traffic detail, enable SSL inspection on your firewall to create raw logs containing full URLs, content type, user agent, and more. Then when your logs are imported into or transferred via syslog to Cyfin, you can take full advantage of Cyfin’s high precision algorithms that increase report accuracy and detail.

Configuring Data Sources

In Cyfin version 9.3.1, the Log Data Source Setup wizard has been redesigned to improve the configuration of the product to locate and read your Web-use data when it is syslog data, log files, or database logs. The system will analyze your data to detect the data source format and present the most suitable data types. This allows you to select the best data type from the list and ensures that you get the best match available.

You will be able to select from the following data sources: syslog, directory-based, and database.

For syslog data, select the Internet protocol you want to use, and enter the listening port number. Click Test to start collecting data. If this is successful, you will see the number of messages received incrementing. Click Stop and then Next to continue.

For directory-based or log file data, specify the directory location of your data files. You can also enter a file name with an asterisk to filter your log files, e.g., proxy*.txt. Click Test to display the number of files found. Click Next.

The Data Source Type page is displayed.

The Type of Data drop-down field will display multiple matches. As you select a data type, the data format will be shown in the Data Preview box. Look closely at the data fields to ensure that they are correct or complete.

  • You may see incomplete data, for example, if you were expecting a user name and it is missing. Click Reanalyze to see another record sample.
  • If you need to refresh the data for any reason or are still in the process of receiving syslog messages, click Reanalyze and then select the data source type again.
  • If your firewall is not in the drop-down field, but the data of another completely matches and is in the correct columns, you may select that firewall even though it has a different name. Some firewalls share common data formats.
  • If no matches are found, all syslog and directory data types will become available in the drop-down field. You can select a different data type from the field to complete the configuration process and return at a later time to change it.
  • It is easy to add new data sources to our extensive library. If you have a new data source, need assistance with multiple matches, or have no matching files, just contact Technical Support.

Also, for syslog data, you can specify a location in which to keep a local copy of your data.

For database data, the system loads and populates the Type field with database data types. The “More info” link provides setup information on your specific database. Select the type of database and complete the remaining fields. Some fields will be populated with default values.

The last step is to give the data source configuration a name. This is helpful for identification purposes, especially if you add more data source configurations later.

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Changing the Interactive Reports password

When an Interactive report is sent via e-mail to a user, the user will receive a link (or two links depending on server settings) to the report. The user must enter a password to access the report.

  • The default password is password.
  • This password should be changed on the Settings – Reports – Interactive Reports screen.
  • The password must be used by anyone trying to access an Interactive report.

Cyfin VM syslog port

In Cyfin VM, when configuring the Cyfin Syslog Server port, the port number must be greater than 1000. Port numbers 1000 and below are blocked on the VM. Follow the steps below to change the port number if it is below 1000.

The steps below apply to version 9.3.0. However, follow the same guidelines for version 9.3.1 and later.

  1. In Cyfin VM, go to Data Management – Log Data Source – Setup.
  2. Select your existing syslog log file configuration and click Next.
  3. On the Modify confirmation screen, select the check box to indicate that you understand the statements on the screen. Click Next.
  4. On the Select Log File Type screen, your log file type is already selected. Click Next.
  5. If an Information screen appears, click Next.

  6. On the Select Log File Directory screen, change the number in the Listening Port field to one that is greater than 1000. Click Next.
  7. Click Next on the following screens to complete the validation process.

Note: Steps for v943 and older are shown in the video below.
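To exercise the Test step from Configuring Data Sources and the Cyfin VM port rule above without waiting for firewall traffic, you can send a few syslog lines to the listener yourself. The following is an added example, not part of the Cyfin product; the host name, tag, address and port 5514 are constructed values to replace with your own.

```python
import socket
import time

MIN_PORT = 1001  # this page: Cyfin VM blocks listening ports 1000 and below


def build_syslog(message, hostname="test-host", tag="cyfin-check",
                 facility=16, severity=6, when=None):
    """Build an RFC 3164 style line: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    t = time.localtime(when)
    # RFC 3164 pads single-digit days with a space, not a zero.
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    line = f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {message}"
    return line.encode("ascii", "replace")


def send_test_messages(host, port, count=3, protocol="udp"):
    """Send numbered test lines to the listener and return how many were sent."""
    if not MIN_PORT <= port <= 65535:
        raise ValueError(f"port {port} is outside {MIN_PORT}-65535")
    lines = [build_syslog(f"test message {i} of {count}") for i in range(1, count + 1)]
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            for line in lines:
                sock.sendto(line, (host, port))
    elif protocol == "tcp":
        with socket.create_connection((host, port), timeout=5) as sock:
            for line in lines:
                sock.sendall(line + b"\n")  # newline-delimited framing
    else:
        raise ValueError("protocol must be 'udp' or 'tcp'")
    return len(lines)


if __name__ == "__main__":
    # Constructed values: replace with your Cyfin server address and listening port.
    print(send_test_messages("127.0.0.1", 5514), "test messages sent")
```

These lines only confirm that the listener is reachable on the chosen protocol and port; data type detection still needs real log records from your firewall.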

Configuring log forwarding from Palo Alto Panorama to Cyfin Syslog Server

With your firewalls already forwarding logs to Panorama, the high-level steps to forward Palo Alto Panorama logs to Cyfin Syslog Server include the following:

  • Configure the server profile that defines how Panorama and Log Collectors connect to the external service, that is, Cyfin Syslog Server.
  • Assign the server profile to the log settings of Panorama and to Collector Groups.

STEP 1: Configure a server profile for Cyfin Syslog Server that will receive log information.

  1. Select Panorama – Server Profiles and select Syslog.
  2. Configure the syslog server profile.

STEP 2: Configure destinations for:

  • Logs that the Panorama management server and Log Collectors generate.
  • Firewall logs that a Panorama virtual appliance in Legacy mode collects.

  1. Select Panorama – Log Settings.
  2. Add one or more match list profiles for each log type.

The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:

    1. Enter a Name to identify the profile.
    2. Select the Log Type.
    3. In the Filter drop-down field, select Filter Builder. Specify the following and then Add each query:
      • Connector logic (and/or)
      • Log Attribute
      • Operator to define inclusion or exclusion logic
      • Attribute Value for the query to match
    4. Add the server profile you configured for Cyfin Syslog Server.
    5. Click OK to save the profile.

STEP 3: Configure destinations for firewall logs that Log Collectors receive.

  1. Select Panorama – Collector Groups and edit the Collector Group that receives the firewall logs.
  2. Select Collector Log Forwarding and follow the step “Add one or more match list profiles for each log type” in STEP 2 above.
  3. Click OK to save your changes to the Collector Group.

STEP 4: Commit and verify your configuration changes.

  1. Select Commit – Commit and Push to commit your changes to Panorama and push the changes to device groups, templates, and Collector Groups.
  2. Verify that Cyfin Syslog Server is receiving the log information in one of the following ways:
    • In the log folder, check for the syslog.txt file.
    • In Cyfin, go to Data Management – Log Data Source – Viewer to check for syslog.txt.

E-mailing reports with an Office 365 account

If the administrator’s e-mail address is an Office 365 account and you are experiencing an issue when e-mailing a report from Reports – Manager, Option 2 in the following article may resolve the issue:

How to set up a multifunction device or application to send email using Office 365

In the Step-by-step instructions for direct send section of the article, note the MX record POINTS TO ADDRESS value, and enter it in the Server Name field on the Settings – E-Mail screen in the product. Run the report again with the E-Mail Report Delivery option.

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Excluding Office 365 URLs from reports

If Office 365 URLs are showing in the Personal E-Mail category in reports and you want to exclude them from the reports, run a Category Audit Summary report to identify the specific Office 365 URLs. Use these URLs in one of the following ways to exclude them from reports.

Add URLs to a custom category

  • Go to Categorization – Customize – URLs to create a custom category.
  • Add the Office 365 URLs to be excluded to the custom category and submit your change.
  • Go to Categorization – Customize – Categories and set the custom category to “Off.”
  • Submit your change. The URLs should no longer appear on reports for new log files.

Note: Imported data is not affected, that is, the URLs will still show from previously imported data. You may delete and reimport the data to exclude these URLs.

Add URLs to PAC file exceptions (CyBlock)

  • Go to Settings – Proxy – PAC File.
  • Under IP/Domain Exceptions, add the Office 365 URLs that you want to exclude from going through the proxy.
  • The URLs will be excluded from Web traffic and hence will not appear on reports.

Add URLs to browser exceptions

  • Internet Explorer
    • Go to Tools – Internet options – Connections – LAN settings.
    • If Internet Explorer is configured to go through the proxy, the Use a proxy server for your LAN check box may already be selected.
    • Click Advanced.
    • In the Exceptions box, enter the URLs to exclude.
  • Chrome (uses system settings by default)
    • At the top-right of the browser, click the Customize and control Google Chrome icon and select Settings.
    • At the bottom, click Show advanced settings…
    • Scroll down to Network and click Change proxy settings…
    • Click LAN settings and follow the instructions for Internet Explorer above.
  • Firefox
    • At the top-right of the browser, click the Open menu icon and select Options.
    • Go to Advanced – Network – Connection and click Settings.
    • If Firefox is configured to go through the proxy, the Manual proxy configuration option may already be selected.
    • In the No Proxy for box, enter the URLs to exclude.
    • Alternately, if you already have proxy settings configured in Internet Explorer, you can select Use system proxy settings.