Working with reports

View results

Select Reports from the Comply menu to view the results for All reports, Configuration Compliance reports, or Vulnerability reports that have been run and the next scheduled run, if applicable.

By default, users with the Comply Report Reviewer role can see all reports, even reports that target computer groups for which the user does not have management rights.

If the report_mr_enabled setting is set to true, users can only see reports that target computer groups for which they have management rights. With this setting enabled, users can only see reports when they have management rights to all computer groups that the report targets. If a report targets multiple computer groups, but the user does not have management rights to one or more of the targeted computer groups, the user cannot see the report.

Click View Online Endpoints next to Endpoints to go to Interact to view any endpoints reported on that are currently online.

Expand a report to see details about that report. Click on the report name to see results associated with that report and details about the policies included in configuration compliance reports and questions included in vulnerability reports.

Click on a rule to see a detailed description of that rule. In configuration compliance reports, you can click Advanced Filter to filter the rules by group, such as Account Policies.

If you see a Scan Error next to a report , click the icon to see details about the errors. In the error window, click Go to Interact to see details about the endpoint(s).

Vulnerability report results

When you view Vulnerability report results, you will see icons to the left of each CVE indicating the severity of that vulnerability.

Icon Severity
High
Medium
Low
Unscored

Expand a CVE to get more details including Remediation Instructions and a Solution.


Integration with Patch

The scan engine in Comply scans for both vulnerability and operating system patch definitions. If you have Tanium Patch installed and the scan engine finds a vulnerability definition and a patch definition that are associated with the same CVE, Comply checks Patch for the necessary patch. If the patch is available in Patch, a Patch icon displays next to vulnerability.




Click the Patch icon to open the corresponding page in Patch. From there, you can click Install to create an install deployment.

For more information, see Patch User Guide: Deploying patches.

Use Patch to deploy operating system patches and software updates to proactively remediate and eliminate software and operating system vulnerabilities before they are found by vulnerability reports.

Comply-related sensors

Get Comply - Report Age

Use this sensor in Interact to see which Comply reports exist and when they were run.

Comply - Vulnerability CVE Search

Use this sensor in Interact to find endpoints with specific CVEs and see details. The sensor extracts multiple CVE numbers as a parameter; you can then enter them one line at a time in the input field in Interact. Add Computer Name to your parameters to get more specific results.

Comply - Vulnerability Discovery Dates

This sensor will show the date on which a vulnerability was first encountered on an endpoint and the date of the last discovery of that vulnerability on an endpoint. This data is also available from the Comply – [engine] Vulnerabilities Full sensor. Add Computer Name to your parameters to get more specific results.

Upgrade Report Question

When you upgrade to Comply 2.0.0 and later, you will need to upgrade your saved questions to the newest format. You will see a warning next to reports requiring an upgrade.

  1. On the Reports page, select the report(s) requiring an upgrade.
  2. Click Upgrade Report Question.
  3. Enter your credentials and click OK.

Filter reports

Use the Filter Results fields at the top of the Reports page to filter the list of reports.

Update vulnerability reports

When vulnerability sources are updated and contain new definitions that match a report's vulnerability content, Comply automatically marks the reports as having new content available and displays a notification banner. If a service account is configured, then Comply automatically redeploys reports that are scheduled to run again as part of the service account background process. If you need the update sooner, you can manually update and deploy vulnerability reports that Comply has identified as outdated before the service account deploys them.

  • If reports are configured only for CVEs from a previous year, then a source update will not generate the message because updates to the CVEs for that year are unlikely. If reports are configured to include CVEs for the current year, then a source update generates the message.
  • This workflow does not apply to configuration compliance reports, which require a new report to use updated configuration compliance benchmarks. See Delete a report.
  1. Click Update Now in the notification message to see the list of affected reports.
  2. Click Update Reports.
  3. Select the reports you want to update.
  4. Click Update Report. You can view the status of the update in the Status column.

View scheduled report actions

You can view reports that are scheduled to run on the Tanium Comply action group in the Tanium Console.

  1. Select Scheduled Actions under Actions from the main menu.
  2. On the Actions page, enter Comply in the Filter by text field at the top right to see the reports scheduled to run on the Tanium Comply action group.

Selecting the Tanium Comply action group in the left navigation pane shows all scheduled actions for Comply, including engine/JRE scheduled actions as well as those created for report execution.

Run a report again

On the Reports page, select a report and click Deploy Now to run the report.

Export report results

  1. From the Reports menu, select All, Configuration Compliance, or Vulnerability.
  2. Select a report.
  3. Select Manage Report > Export Report.
  4. In the Export Report window, provide a Title and Description for the report.
  5. Choose either HTML or CSV from the Format drop-down list for the exported data.
  6. For Configuration Compliance reports, the pass, fail, and error report types are selected by default. Click in the Report Types field to select additional types or to remove any of the default types.
  7. For Configuration Compliance reports, select options for Results Display and Rule Details.

    Use Results Display to turn off the summary values for each result so that the endpoint list is the complete list of computer names and IP addresses.

  8. Click Export. Enter your credentials and click OK.
  9. You can close the Export Report window and let the report export process run in the background. Go to the Report Export page to view the progress of any report export jobs currently running. The last column in the results table on indicates the status of the report export job.

  10. When the export report is complete, click View report export to go to the Report Exports page or click Download to download the report in the format you selected. On the Report Exports page, you can also select a report and click Download.
  11. Use the Filter Results fields to filter the list of reports.

Refresh individual report results

  1. On the Reports page for All, Configuration Compliance, or Vulnerability, select a report.
  2. Under the Manage Report drop-down list, click Refresh Results. Comply will retrieve the results from the Tanium Server for the selected report.

Reissue Question

  1. On the Reports page for All, Configuration Compliance, or Vulnerability, select a report.
  2. Under the Manage Report drop-down list, click Reissue Question. Comply will re-ask the report questions.
  3. Use Refresh Results to retrieve new results from the Tanium Server for the selected report.

View Saved Question

  1. On the Reports page for All, Configuration Compliance, or Vulnerability, select a report.
  2. Under the Manage Report drop-down list, click View Saved Question to see the questions in Interact that retrieved the results for the selected report.

Edit a report

  1. On the Reports page, select Edit Report from the Manage Report drop-down list next to the report for which you want to edit the schedule or title.
  2. Edit the Title if needed.
  3. Add labels in the Labels field. Click the X next to a label to remove it.
  4. Change the Engine if needed.
  5. Change the Execution Priority if needed.
  6. Select Start at and End at and complete the date and time values to limit the report to run only during a specific time period.
  7. Select the Distribute over and enter values to run the report over minutes or hours. This value cannot be over four hours.
  8. Select None, Interval, or Report Result Age for the Repeat report execution by field.
    • If you choose None, the report will run once if the Start At field is specified for a date and time in the future. Otherwise, the report will not run again.
    • If you choose Interval, the Reissue every field will appear, and you can specify how often the report is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the report will run immediately. If you choose Interval and do not enter a value for End At, the report will run at the specified interval forever.
    • If you choose Report Result Age, then the Run when results are older than field will appear, and you can specify how old you want the results to be before the report is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the report will run immediately. If a targeted endpoint comes online that has never run the report, the report will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours. If you specify an age less than 3 hours, the age of results will be checked every hour. If do not enter a value for End At, the report will continue to run forever.
  9. Click Save, enter your credentials, and click OK.

Delete a report

When an updated version of a new configuration compliance benchmark is released, you must delete the configuration compliance report that used the old benchmark and create a new report with the updated benchmark.

  • This workflow does not apply to vulnerability reports, which are updated automatically if a service account is configured. See Update vulnerability reports.
  • You cannot edit the content of a report once it has been created, and you cannot delete a benchmark, custom check, or custom ID mapping if they are associated with a report. You can only change when a report runs. See Edit a report.

On the Reports page, select a report and click Delete to delete it. See Deleting stale reports from endpoints to remove the report from the endpoints.

Deleting stale reports from endpoints

If you delete a report using the procedure described in Delete a report, you still need to delete it from the endpoints.

  1. On the Comply Home page, click Help .
  2. On the Troubleshooting tab, in the Manage Stale Reports section, click Update Reports.
  3. The Stale Reports window will appear and provide a list of reports that are no longer known to comply. Select the report you want to remove.
  4. Edit the following scheduling fields to schedule the removal action:
    • Select Start at and End at and complete the date and time values to limit the removal to occur only during a specific time period.
    • Select the Distribute over and enter values to run the removal over minutes, hours, or days.
    • Select the Reissue every and define the interval in minutes, hours, or days in which the removal will run.
  5. Click Remove Selected.