Reporting Module
Provide an overview of user activities, including session invalidation and brute-force attacks. Help administrators track user behaviour and identify unauthorised activities.
The report tracks all actions performed by users within the system, including cases where user sessions are invalidated for security reasons and brute-force attacks against user accounts.
Purpose and Benefits:
Increased Security: By tracking user activities, administrators can quickly identify suspicious behaviour and take appropriate action.
Admin Awareness: Admins are made aware of any unusual activities linked to their accounts, promoting proactive security practices.
Detailed Records: Maintaining detailed logs of user actions assists in compliance and auditing processes.
Enable Events
To enable user activity tracking in the reports section, follow these steps:
Go to Realm Settings in the Admin UI and navigate to the Events section.
In the Events section, click Save events to track the user records.
Data Stored in Reports:
To effectively monitor and analyze user activities, the following data points are collected and stored for each report type:
User Activity Report:
Username: The name of the user performing the action.
User ID: A unique identifier for the user within the system.
Action Performed: Action taken by the user (e.g., login, logout, data access).
Time and Date: Timestamp indicating when the action occurred.
IP Address: The IP address from which the user accessed the system.
Geolocation: The geographical location providing context for the user’s activity.
Session Invalidation Report:
Username: The name of the user whose session was invalidated.
User ID: Unique identifier for the user whose session is affected.
Time and Date: Timestamp of when the session was invalidated.
Reason: Details regarding the session invalidation event.
IP Address: The IP address associated with the invalidated session.
Geolocation: Location information related to the invalidated session.
BruteForce Detection Report:
Username: The name of the user targeted by the brute-force attack.
User ID: Unique identifier for the user whose account is under attack.
Time and Date: Timestamps for each failed login attempt.
No. of Failed Attempts: The number of failed login attempts tracked for the user.
Action Taken: The action taken by the user after exceeding the number of failed login attempts (e.g., account lockout).
IP Address: The IP address from which the brute-force attempts originated.
Geolocation: Geographical information associated with the IP address of the attacker.
Report Formats:
To facilitate easy tracking and analysis of user activities, reports are generated in multiple formats, including:
PDF: Provides a printable format that is suitable for sharing and archiving.
Excel: Allows for easy manipulation and analysis of data using spreadsheet tools.
CSV: Offers a simple, text-based format that can be imported into various applications for further processing.
Create a Tab in Realm Settings: Add a new tab under Realm Settings to create a dedicated section for reports and for managing their specific settings within the realm.
Create a Report Component: Develop a new Report.tsx file that defines the Report component.
Add a Tab Link: In PageNav.tsx, add a new tab link to navigate to the Report component.
Define Report Routing: In route.tsx, create a constant route. Import the new Report component and define the route for it.
Connect Report Tab: Ensure that the Report component connects with other tabs using RoutableTabs.
We need to create sections to store relevant data in reports, so that when any respective events occur, the corresponding field data is stored in the appropriate sections:
User Activity Report: In the User Activity Report, we store user activity data, including the username, user ID, IP address, time and date, action type, and geolocation.
Session Invalidation Report: The Session Invalidation Report captures information related to session invalidations. This includes the username, user ID, IP address, time and date, action type, and reason for invalidation.
BruteForce Attack Report: In the Brute Force Attack Report, we document details about detected attacks, such as the username, user ID, IP address, time and date, action type, and action taken.
This ensures that when a user event occurs, the corresponding user data is stored in these sections.
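How rows of the BruteForce Attack Report can be derived from stored login events, as an added example that is not ZTrust code. The event shape, the field names, the reset-on-success rule and the threshold parameter are assumptions, and the sample events are constructed.

```typescript
// Added example, not ZTrust code: the event shape and field names are assumptions.
interface LoginEvent {
  type: "LOGIN" | "LOGIN_ERROR";
  time: number; // epoch milliseconds
  userId: string;
  username: string;
  ipAddress: string;
}
interface BruteForceRow {
  username: string;
  userId: string;
  failedAttempts: number;
  attemptTimes: string[]; // one ISO timestamp per failed attempt
  ipAddresses: string[]; // distinct source addresses seen for this user
  actionTaken: string;
}

// Count consecutive failures per user; a successful login resets the count.
// Users that reach maxFailures (an assumed threshold) get a report row.
function buildBruteForceReport(events: LoginEvent[], maxFailures: number): BruteForceRow[] {
  const rows = new Map<string, BruteForceRow>();
  const ordered = events.slice().sort((a, b) => a.time - b.time);
  for (const ev of ordered) {
    if (ev.type === "LOGIN") { rows.delete(ev.userId); continue; }
    let row = rows.get(ev.userId);
    if (!row) {
      row = { username: ev.username, userId: ev.userId, failedAttempts: 0,
              attemptTimes: [], ipAddresses: [], actionTaken: "none" };
      rows.set(ev.userId, row);
    }
    row.failedAttempts += 1;
    row.attemptTimes.push(new Date(ev.time).toISOString());
    if (row.ipAddresses.indexOf(ev.ipAddress) === -1) row.ipAddresses.push(ev.ipAddress);
    if (row.failedAttempts >= maxFailures) row.actionTaken = "account lockout";
  }
  return Array.from(rows.values()).filter((r) => r.failedAttempts >= maxFailures);
}

// Constructed sample events (documentation-range addresses).
const T0 = 1700000000000;
const SAMPLE_EVENTS: LoginEvent[] = [
  { type: "LOGIN_ERROR", time: T0, userId: "u-1", username: "alice", ipAddress: "203.0.113.7" },
  { type: "LOGIN_ERROR", time: T0 + 1000, userId: "u-1", username: "alice", ipAddress: "203.0.113.7" },
  { type: "LOGIN_ERROR", time: T0 + 2000, userId: "u-1", username: "alice", ipAddress: "198.51.100.4" },
  { type: "LOGIN_ERROR", time: T0 + 100, userId: "u-2", username: "bob", ipAddress: "192.0.2.10" },
  { type: "LOGIN_ERROR", time: T0 + 200, userId: "u-2", username: "bob", ipAddress: "192.0.2.10" },
  { type: "LOGIN", time: T0 + 300, userId: "u-2", username: "bob", ipAddress: "192.0.2.10" },
  { type: "LOGIN_ERROR", time: T0 + 400, userId: "u-2", username: "bob", ipAddress: "192.0.2.10" },
];
```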
When an event occurs, ZTrust stores the IP address the user connected from, allowing the admin to easily identify where the event took place.
Previously, the server's IP address was recorded; with the changes below, the actual IP address from which the event originated is captured.
Update Ingress Annotations: If ZTrust is deployed on Kubernetes and is reachable via an ingress endpoint, add the following annotation to the ingress:
nginx.ingress.kubernetes.io/real-ip-header: X-Forwarded-For
Modify Ingress Controller Service: Edit the ingress controller service for the same ingress and include the following under the "spec:" section:
externalTrafficPolicy: Local
By implementing these changes, the actual IP address will be forwarded to ZTrust, allowing for accurate tracking of user locations.
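Once X-Forwarded-For is forwarded, the address written to a report is only as reliable as the hops that set the header. An added example (not ZTrust code) of choosing the client address by trusting only entries appended by known proxies; the trusted range 10.0.0.0/8 and all addresses are constructed, and only IPv4 is handled.

```typescript
// Added example, not ZTrust code. The trusted range and addresses are constructed.
// Parse dotted-quad IPv4 into an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// True when ip lies inside cidr, e.g. inCidr("10.244.0.5", "10.0.0.0/8").
function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const bitsText = cidr.slice(slash + 1);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(cidr.slice(0, Math.max(slash, 0)));
  if (ipInt === null || baseInt === null || !/^\d{1,2}$/.test(bitsText)) return false;
  const bits = Number(bitsText);
  if (bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Walk the header right to left: entries appended by our own proxies are
// trusted, and the first address outside the trusted ranges is the client.
// Anything further left was supplied by the client and can be forged.
function resolveClientIp(peerIp: string, xForwardedFor: string | undefined, trusted: string[]): string {
  const isTrusted = (ip: string): boolean => trusted.some((cidr) => inCidr(ip, cidr));
  // A peer that is not one of our proxies could have written the header itself.
  if (!isTrusted(peerIp) || !xForwardedFor) return peerIp;
  const hops = xForwardedFor.split(",").map((h) => h.trim());
  for (const hop of hops.reverse()) {
    if (ipv4ToInt(hop) === null) return peerIp; // malformed entry: ignore the header
    if (!isTrusted(hop)) return hop;
  }
  return peerIp; // every hop was a trusted proxy
}

const TRUSTED_PROXIES = ["10.0.0.0/8"]; // constructed: cluster-internal range
console.log(resolveClientIp("10.244.0.5", "198.51.100.1, 203.0.113.7", TRUSTED_PROXIES));
```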
Reports can be downloaded in three formats: PDF, Excel, and CSV. We utilize JasperReports to generate these formats, ensuring that the data is accurately formatted and saved in the chosen option.
Note: When storing the geolocation, ensure that your device has location services turned on so that it can be saved in the geolocation section. Additionally, remember to enable the "Save Events" option under Realm Settings to track user data effectively in reports.