This article provides a hands-on overview of browsing cubes in IT Analytics Solution 7.1 and the Symantec Data Loss Prevention Content Pack. You will learn how to browse cubes and configure Pivot Tables using a number of common usage scenarios. Using the ad-hoc data mining capabilities of IT Analytics, we will perform some forensic analysis of DLP incidents in the environment by severity, type and policy.
To complete this exercise, you should have IT Analytics with the Symantec Data Loss Prevention Content Pack already installed. For more information, please refer to the Connect article for installing IT Analytics.
- Launch the Symantec Management Console 7.1.
- Click the Reports menu item and select All Reports.
- Expand the Reports folder.
- Expand the IT Analytics folder.
- Expand the Cubes folder.
- Select the DLP Incident Summary Cube.
- Click anywhere in the PivotTable window to display the Field List. The Field List button in the toolbar also displays it.
- Drag and drop the Incident Count measure into the Totals pane.
- Drag and drop the Incident - Type attribute into the Rows pane.
- Drag and drop the Incident - Severity attribute into the Columns pane.
Now that we have built our initial incidents view, which shows severity by type, we will expand on it by bringing in more information and adding filtering capabilities.
- Drag the Incident - Severity attribute up to the Filter Fields area, just under the toolbar. Click on the dropdown arrow for the Incident - Severity attribute, uncheck All and check High, then click OK.
- Drag the Policy - Name attribute into the Rows pane, in front of the Incident - Type attribute. Expand a few of the policies to see a breakdown of incident count and type for the specific policy.
- Right click on the Policy - Name attribute and select Collapse Items to hide the incident type information.
- Click the Chart icon in the toolbar to switch the view to chart format.
- Select the Incident - Severity filter and change it to display All severity levels.
- Select the Commands and Options button on the toolbar, then click on the Type tab.
- Select Bar chart and the orientation depicted in the screenshot below:
- Click the 3D View tab and select the Orthographic projection mode.
- Drag the Incident - Severity attribute from the filters field to the Series Fields on the right of the chart.
- Select the Show/Hide Legend button from the toolbar.
- You should see the new pivot chart depicted as follows:
Note that based on the incidents in your environment, the chart data will look different.
- Drag the Policy - Name attribute completely off the chart to leave only Incident - Type remaining.
- We can easily turn this into a trend report by changing the chart type. To do so, select the Commands and Options button on the toolbar, then click on the Type tab.
- Select Area chart and the orientation depicted in the screenshot below:
- Add additional fields by clicking on the Field Lists button in the toolbar. Select the Detection Date - Year attribute, drag it to the Filter Field area, then filter on 2012 only.
- Drag the Incident - Type attribute already on the chart up to the Filter Field area, just after Detection Date - Year.
- Drag Detection Date - Quarter into the Category Fields area. You should now have a trending graph that looks similar to the following:
Note that based on the incidents in your environment, the chart data will look different.
- Finally, you can save this report by clicking the Save icon in the toolbar.
- Select the “Save as new view” radio button and name it appropriately.
- You may also check the “Available to all users” checkbox if you would like this report to be available to all users. Leaving this unchecked will make this a private view only available to you.
- Refresh the SMP Console and navigate back to the DLP Incident Summary Cube (Reports > IT Analytics > Cubes).
- To open the view you just saved, click this icon in the toolbar and select the report you just created in the dropdown list. Note that the report is loaded exactly as you left it.
The ad-hoc nature of browsing the pivot tables and charts provides a simple and efficient way of creating custom reports on the fly, without previous knowledge of the DLP database schema or any query languages. Depending on your reporting requirements, you will want to experiment with the different cubes and fields to discover how IT Analytics can best meet your needs.