SecurityCoach offers a range of reports that provide insight into your organization’s security risks, detection rules, and real-time coaching campaigns. These reports can help you understand where you may need to improve your security awareness program. You can also use these reports to track trends in your users' risky activity over time.
To view SecurityCoach reports in your KSAT console, navigate to SecurityCoach > Reports. To view a SecurityCoach: Behaviors and Coaching report, click the Report button for the specific report. To view a Risk Overview for Vendor Type report, click the name of the report.
In the SecurityCoach: Behaviors and Coaching section, you can view an overview of your real-time coaching campaign, an overview of your detection rules, or an overview of your vendor events. To learn more about each report type, see the sections below.
Real-Time Coaching Report
The Real-Time Coaching Report provides an overview of your real-time coaching campaigns.
To learn more about the data in this overview, see below:
- Real-Time Coaching Overview: This section provides information about your real-time coaching campaigns.
  - Total Users Coached: This number displays the number of users that received SecurityTips during the selected date range.
  - Users Coached Multiple Times: This number displays the number of users that received more than one SecurityTip during the selected date range.
  - New Users Coached: This number displays the number of users that received a SecurityTip during the selected date range that had never received a SecurityTip before.
  - SecurityTips Delivered: This number displays the total number of SecurityTips delivered to users during the selected date range.
- Top Real-Time Coaching Campaigns by SecurityTips Delivered: This chart displays your real-time coaching campaigns with the most detections of risky activity during the selected date range. This report will include up to ten real-time coaching campaigns.
- Top 10 Coached Groups: This table displays a list of your Smart Groups that received the most SecurityTips during the selected date range.
- SecurityTips Delivered Over Time: This graph displays the changes in the number of SecurityTips delivered during the selected date range.
- Top 10 Coached Users: This table displays a list of your users that received the most SecurityTips during the selected date range. This report will include up to ten users.
Detection Rules Report
The Detection Rules Report provides an overview of your active detection rules.
To learn more about the data in this overview, see below:
- Detections Rule Overview: This section provides information about your detection rules.
  - Total Events: This number displays the total number of events during the selected date range.
  - Rule Detections: This number displays the number of events that triggered a detection rule during the selected date range.
  - Users Involved: This number displays the number of mapped users that triggered a detection rule during the selected date range.
  - Users with Multiple Rule Detections: This number displays the number of users that triggered two or more detection rules during the selected date range.
- Top Detection Rules: This graph displays the number of users that had detections for your organization’s most detected rules during the selected date range. This graph will show up to ten detection rules.
- Top Users by Rule Detections: This table displays the number of rule detections that your organization’s riskiest users had during the selected date range. This table will show up to ten users.
Vendor Events Report
The Vendor Events Report displays the events from your integrated vendors that are linked to detection rules. You can use this information to ensure that you have real-time coaching campaigns set up for your most common events. To include more events in your report, visit the Creating a Custom Detection Rule section of our Detection Rules Guide to create and link detection rules to the events.
To generate the report, select one or more vendors from the Vendor drop-down menu at the top-left corner of the report and then click Show Report. You can select additional filter options as needed, too.
Once you generate the report, the Event Field Summary displays a count of events for your selected Event Field. You can view events by Vendor, Threat Type, Threat Category, Threat Severity, or Event Source.
Below the Event Field Summary, you can view a table that displays information about each event. You can customize the table by selecting which columns to display.
You can turn on the Live View toggle to view the latest events detected by your integrated vendors.
To learn more about each event, click the arrow icon.
In the Risk Overview for Vendor Type section, you can view an overview of your organization's events related to endpoint security, email security, or web security. For more information about these reports, see the sections below.
Risk Report for Endpoint Security Vendors
The Risk Report for Endpoint Security Vendors provides an overview of your organization’s events related to endpoint security.
To learn more about the data in this report, see below:
- Endpoint Risk Overview: This section provides information about your organization’s events related to endpoint security.
  - Total Users with Events: This number displays the total number of users with at least one endpoint event.
  - Total Events: This number displays the total number of endpoint events.
  - Threat Categories Found: This number displays the total number of threat categories for your endpoint events.
  - Average Number of Threats per User: This number displays the average number of threat categories per user.
- Endpoint Threat Categories: This chart displays the threat categories for your endpoint events. You can also view the event count and users involved for each threat category.
- Users with Endpoint Events: This graph displays the number of users that had one endpoint event, more than one endpoint event, and more than five endpoint events.
- Endpoint Events Over Time: This graph displays the change in the number of endpoint events and the number of users involved during the selected date range.
- Endpoint Threat Distribution: This chart displays the percentage of endpoint events that a selected percentage of users are responsible for. For example, if you select 5%, the chart will display the percentage of your organization’s endpoint events that the top five percent of your riskiest users are responsible for.
- Endpoint Threat Severity: This chart displays the breakdown of threat severities for your endpoint events.
- Endpoint Operating System (OS) Distribution: This table displays each operating system (OS) that had an endpoint event. You can also view the computer count for each OS.
Risk Report for Email Security Vendors
The Risk Report for Email Security Vendors provides an overview of your organization’s events related to email security.
To learn more about the data in this report, see below:
- Email Risk Overview: This section provides information about your organization’s events related to email security.
  - Total Users with Events: This number displays the total number of users with at least one email event.
  - Total Events: This number displays the total number of email events.
  - Threat Categories Found: This number displays the total number of threat categories for your email events.
  - Average Number of Threats per User: This number displays the average number of threat categories per user.
- Email Threat Categories: This chart displays the threat categories for your email events. You can also view the event count and users involved for each threat category.
- Users with Email Threat Events: This graph displays the number of users that had one email event, more than one email event, and more than five email events.
- Email Threat Count: This graph displays the number of email events during the selected date range.
- Email Threats Distribution: This chart displays the percentage of email events that a selected percentage of users are responsible for. For example, if you select 5%, the chart will display the percentage of your organization’s email events that the top five percent of your riskiest users are responsible for.
Risk Report for Web Security Vendors
The Risk Report for Web Security Vendors provides an overview of your organization’s events related to web security.
To learn more about the data in this report, see below:
- Web Risk Overview: This section provides information about your organization’s events related to web security.
  - Total Users with Events: This number displays the total number of users with at least one web event.
  - Total Events: This number displays the total number of web events.
  - Threat Categories Found: This number displays the total number of threat categories for your web events.
  - Average Number of Threats per User: This number displays the average number of threat categories per user.
- Web Threat Categories: This chart displays the threat categories for your web events. You can also view the event count and users involved for each threat category.
- Users with Web Events: This graph displays the number of users that had one web event, more than one web event, and more than five web events.
- Web Events Over Time: This graph displays the change in the number of web events and the number of users involved during the selected date range.
- Web Threat Distribution: This chart displays the percentage of web events that a selected percentage of users are responsible for. For example, if you select 5%, the chart will display the percentage of your organization’s web events that the top five percent of your riskiest users are responsible for.
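The Threat Distribution and "Users with ... Events" figures described for the endpoint, email, and web reports can be cross-checked against exported event data. The following is an added example, not KnowBe4 code: the function names, the (user, category) event shape, the sample data, the rounding of the top-percent cohort up to at least one user, and the reading of "more than one" as including "more than five" are all assumptions.

```python
import math
from collections import Counter

# Constructed sample: 20 events across 10 users, as (user, threat_category).
EVENTS = (
    [("alice", "Malware")] * 8
    + [("bob", "Phishing")] * 3
    + [("carol", "Malware")] * 2
    + [(f"user{i}", "Phishing") for i in range(7)]
)

def events_per_user(events):
    """Count events for each mapped user."""
    return Counter(user for user, _ in events)

def user_buckets(events):
    """Users with exactly one, more than one, and more than five events."""
    counts = list(events_per_user(events).values())
    return {
        "one": sum(1 for c in counts if c == 1),
        "more_than_one": sum(1 for c in counts if c > 1),
        "more_than_five": sum(1 for c in counts if c > 5),
    }

def top_share(events, percent):
    """Percentage of all events caused by the top `percent` of users."""
    per_user = events_per_user(events)
    total = sum(per_user.values())
    if total == 0 or percent <= 0:
        return 0.0
    # Assumption: round the cohort up so a small user base still yields
    # at least one "top" user (5% of 10 users becomes 1 user, not 0).
    n_top = min(len(per_user), max(1, math.ceil(len(per_user) * percent / 100)))
    top = sorted(per_user.values(), reverse=True)[:n_top]
    return round(100 * sum(top) / total, 1)

if __name__ == "__main__":
    print("Users by event count:", user_buckets(EVENTS))
    for pct in (5, 20, 100):
        print(f"Top {pct}% of users -> {top_share(EVENTS, pct)}% of events")
```

A high share for a small percentage means risky activity is concentrated in a few users, which points to targeted coaching rather than an organization-wide campaign.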