We recently migrated from SM to Sentinel 7.1. We have yet to configure a
WECS server, so we are just piping data from SM into Sentinel. We also
leverage Change Guardian for Windows (we are in the process of upgrading
to v4, but are still on version 2).

In any event I am attempting to create a report so I can send the
resulting PDF to management. I am able to search for and find the data I
want with the following syntax:
(((sev:[0 TO 5])) AND (pn:"Change Guardian for Windows")) AND

Issue is I cannot create a report with this syntax. I realize report
templates are set and I have tried to use the basic Sentinel Core Events
Detail which just uses the base severity 0 to 5 and then add my other
criteria, but my reports always fail. I am missing something plain on
how to set up a report? I am guessing it is failing as I am not able to
add the additional parens for nesting around sev:[0 TO 5].

psmcgovern's Profile: https://forums.netiq.com/member.php?userid=5730
View this thread: https://forums.netiq.com/showthread.php?t=48669