Hexnode XDR Reports: Overview and Functional Guide
The Reports section in Hexnode XDR provides a centralized, structured view of activity across devices, policies, threats, and system operations. This tab converts raw telemetry into actionable data tables to support day-to-day monitoring, long-term security analysis, auditing, and technician tracking.
Overview of Built-in Reports
The left pane of the Reports tab displays the following built-in report categories:
- Device Reports
- Action Reports
- Audit Reports
- Policy Reports
- Threat Reports
- Alerts Reports
Selecting a category opens a list of specific reports and descriptions. Each report generates a detailed data table containing relevant security or operational information.
Global Report Table Options
The following controls appear across all report tables within every category:
- Export: Download selected rows as a PDF or CSV file.
- Customize Table: Select which specific data columns are displayed.
- Search Bar: Quickly locate specific rows using keyword queries.
- Filter By: Apply specific parameters (e.g., status, severity, created time) to narrow results.
- Reset Filters: Restore the report table to its default, unfiltered state.
1. Device Reports
Device Reports provide complete visibility into all endpoints enrolled in Hexnode XDR, detailing health posture, connectivity, OS versions, agent presence, and onboarding status.
Key Questions Answered:
- Which devices are active/inactive?
- Which devices recently joined the organization?
- Are any devices operating without proper policies?
- Has the Hexnode XDR agent been removed from any device?
Available Device Reports
| Report Name | Description |
|---|---|
| All Devices | Lists every device currently enrolled and visible in Hexnode XDR. |
| Windows Devices | Displays only Windows-based endpoints managed through the agent. |
| Online Devices | Devices actively connected to the Hexnode XDR portal. |
| Offline Devices | Devices not currently connected to the Hexnode XDR portal. |
| Inactive Devices | Devices that have not checked in with the Hexnode XDR portal for an extended period. |
| Migrated Devices | Endpoints migrated to Hexnode XDR from other platforms. |
| Recently Onboarded | Devices added to the portal within the past 30 days. |
| Policy-Free Devices | Devices with only the default policy applied. |
| Agent Deleted | Devices where the Hexnode XDR agent has been removed. |
Data Columns: All Devices Report
- Device Name: The designated name of the device.
- Device Group: The specific device groups associated with the endpoint.
- Device Model: The specific hardware model of the device.
- Ownership: Classification indicating if the device is Corporate or Personal.
- Platform: The operating system running on the device.
- OS Version: The currently installed OS version.
- Manufacturer: The hardware manufacturer of the device.
- Supervision: Indicates whether the device is in a supervised state.
- Device ID: The unique identifier assigned by Hexnode XDR.
- Battery Level: The current battery percentage.
- Device Health: The overall security health status of the device.
- Status: The connectivity state (Online, Offline, or Inactive).
- Deployed Via: The deployment method used for the agent.
- Endpoint ID: The unique identifier for the Hexnode XDR agent.
- UDID: The Unique Device Identifier.
- Serial Number: The hardware serial number of the device.
- Deployed At: The exact timestamp of agent deployment.
- Build Version: The installed version of the Hexnode XDR agent.
- Last Logged-In User: The user account active prior to the latest check-in.
- Internal Storage: The available space and/or total capacity reported by the device.
- Installed RAM: The total installed system memory.
- Process Name: The specific process name associated with the reported event.
- IP Address: The currently assigned IP address of the device.
2. Action Reports
Action Reports provide a comprehensive audit trail of all remote actions initiated through Hexnode XDR, ensuring operational transparency.
Key Questions Answered:
- What remote actions were executed across devices?
- Did the action succeed, fail, or remain pending?
- Which devices or users were impacted by a specific action?
Available Action Reports
| Report Name | Description |
|---|---|
| Action History | Full log of all remote actions performed. |
Data Columns: Action History Report
- Device Name: Identifies the target endpoint, validating command execution location.
- Action Name: Specifies the exact type of remote administrative action triggered.
- Created Time: The initiation timestamp, used for timeline tracing.
- Completed Time: The completion timestamp, used for evaluating execution time or delays.
- Action Status: The current state of the action (succeeded, failed, or pending).
- No. of Devices: Total count of devices targeted by a bulk multi-device action.
- No. of Users: Total count of users impacted by a user-level operation.
3. Audit Reports
Audit Reports maintain a detailed record of technician actions, configuration changes, remote terminal operations, and critical internal system events.
Key Questions Answered:
- What events occurred within the Hexnode XDR portal?
- Which technician performed a specific action, and when?
- Were remote terminal sessions initiated, restarted, or closed?
- Did critical or high-severity system events occur?
Available Audit Reports
| Report Name | Description |
|---|---|
| Audit History | Logs all portal events for tracking internal administrative activity. |
| Remote Terminal | Tracks all remote shell session activity. |
| Critical Events | Highlights high-severity or significant system events. |
Data Columns: Audit History Report
- Subject: Identifies the specific item or entity associated with the recorded event.
- Event: A description of the specific action or occurrence.
- Created Time: The exact timestamp of the event.
- Event Module: Identifies which console module generated the event (e.g., Policies, Devices, Threats, Actions).
- Technician: Identifies the specific user account that triggered the event.
4. Policy Reports
Policy Reports allow administrators to monitor the lifecycle of all security configurations, assess deployment states, and verify endpoint adherence.
Key Questions Answered:
- What policies exist in the organization?
- Which devices are associated with each policy?
- When was a policy last created or modified?
Available Policy Reports
| Report Name | Description |
|---|---|
| All Policies | Displays all configured policies and their details. |
Data Columns: All Policies Report
- Policy Name: The designated name of the configuration profile.
- Version: The policy version number, indicating historical updates.
- No. of Devices: Total count of endpoints the policy is applied to.
- Created Time: The exact timestamp of policy creation.
- Last Modified: The timestamp of the most recent update/change.
5. Threat Reports
Threat Reports log all detected threats across endpoints, including malware, ransomware, and trojans.
Key Questions Answered:
- What threats are detected across the environment?
- Which devices are affected by specific malware types?
- What is the severity and status of the threat?
- Which process triggered the detection, and who is assigned to it?
- What remediation steps occurred?
Available Threat Reports
| Report Name | Description |
|---|---|
| All Threats | Complete list of all detected threats. |
| Malware | Malware-related detections. |
| Ransomware | Devices where ransomware was found. |
| Trojan | Trojan events that were detected. |
Data Columns: All Threats Report
- Threat ID: The unique identifier assigned to the specific threat.
- Severity: The impact classification level (Low, Medium, or Critical).
- Description: A brief explanation of the threat’s nature and behavior.
- Detection Time: The timestamp of initial threat identification.
- Target: Identifies the specific device affected by the threat.
- Status: The current resolution state (detected, resolved, or pending).
- Remediation: Lists recommended or executed remediation actions.
- Assignee: The specific technician assigned to handle the threat.
- Process ID: The identifier of the process that triggered the malicious detection.
- Verdict: The classification conclusion (malicious, suspicious, or clean).
6. Alerts Reports
Alerts Reports aggregate notifications generated by configured profiles, detecting unusual activity, threshold breaches, or suspicious behavior.
Key Questions Answered:
- Which alerts were triggered across the environment?
- What specific event generated the alert?
- Which device/user was impacted?
- When did the alert occur, and how frequently?
- Which alert profile caused the notification?
Available Alerts Reports
| Report Name | Description |
|---|---|
| All Alerts | Shows all alerts generated in the console. |
Data Columns: Alerts Report
- Profile Name: The specific alert profile (and its ruleset) responsible for triggering the alert.
- Event: The exact condition or occurrence that generated the alert.
- Message: A descriptive explanation of the alert.
- Target: The specific device affected by the alert condition.
- Time: The timestamp of alert creation.
Summary Table of Reports
| Category | Reports Included | Purpose |
|---|---|---|
| Device Reports | All Devices, Windows, Online, Offline, Inactive, Migrated, Recently Onboarded, Policy-Free, Agent Deleted | Endpoint posture, health, and connectivity tracking. |
| Action Reports | Action History | Remote action tracking and accountability. |
| Audit Reports | Audit History, Remote Terminal, Critical Events | Compliance, governance, and event analysis. |
| Policy Reports | All Policies | Configuration and policy coverage tracking. |
| Threat Reports | All Threats, Malware, Ransomware, Trojan | Threat analysis and incident response. |
| Alerts Reports | All Alerts | Detection of anomalies and behavior monitoring. |
Frequently Asked Questions (FAQs)
Can technicians edit or customize the data shown in report tables?
Yes. Technicians can utilize the Customize Table option to select specific columns, filtering the view to display only the data most relevant to their current workflow.
Can reports be exported for audits or offline analysis?
Yes. All reports support PDF and CSV formats. Administrators can choose to export either selected rows or the complete dataset for compliance, offline investigation, or archival purposes.
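For offline investigation, an added example (not Hexnode code) joins a CSV export of the All Threats report with one of the All Devices report to list devices that still have open threats, putting those not reported Online first. It assumes the exported CSV headers match the column names listed on this page and that Target holds the same value as Device Name; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. Header names are assumed to match the column
# names listed on this page; a real export may label them differently.
THREATS_CSV = """Threat ID,Severity,Detection Time,Target,Status,Verdict
T-1001,Critical,2024-05-01 09:12,LAPTOP-01,detected,malicious
T-1002,Low,2024-05-01 10:40,LAPTOP-02,resolved,clean
T-1003,Medium,2024-05-02 08:05,DESKTOP-07,pending,suspicious
T-1004,Critical,2024-05-02 11:30,DESKTOP-07,detected,malicious
T-1005,Critical,2024-05-03 14:00,LAPTOP-09,detected,malicious
"""
DEVICES_CSV = """Device Name,Status,Last Logged-In User
LAPTOP-01,Online,alice
LAPTOP-02,Online,bob
DESKTOP-07,Offline,carol
"""
SEVERITY_RANK = {"critical": 0, "medium": 1, "low": 2}
OPEN_STATUSES = {"detected", "pending"}  # anything except "resolved"

def load(text):
    """Parse CSV text into a list of dicts with whitespace-trimmed values."""
    return [{k.strip(): (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def triage(threat_rows, device_rows):
    """Return one entry per device with open threats, least reachable first."""
    status_by_device = {d["Device Name"].lower(): d["Status"] for d in device_rows}
    open_by_target = defaultdict(list)
    for t in threat_rows:
        if t["Status"].lower() in OPEN_STATUSES and t["Verdict"].lower() != "clean":
            open_by_target[t["Target"]].append(t)
    result = []
    for target, threats in open_by_target.items():
        worst = min(threats, key=lambda t: SEVERITY_RANK.get(t["Severity"].lower(), 3))
        result.append({
            "device": target,
            # A device absent from the device export is kept and marked Unknown.
            "connectivity": status_by_device.get(target.lower(), "Unknown"),
            "worst_severity": worst["Severity"],
            "threat_ids": sorted(t["Threat ID"] for t in threats)})
    # Devices not reported Online come first, then worst severity, then name.
    result.sort(key=lambda r: (r["connectivity"] == "Online",
                               SEVERITY_RANK.get(r["worst_severity"].lower(), 3), r["device"]))
    return result

if __name__ == "__main__":
    for row in triage(load(THREATS_CSV), load(DEVICES_CSV)):
        print(row)
```

A Target missing from the device export (here LAPTOP-09) is worth checking against the Agent Deleted report.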
How often does report data refresh?
Report data generally updates whenever a device syncs with the Hexnode XDR agent. However, certain state-based reports (e.g., inactivity-based or onboarding-based views) refresh based on scheduled, periodic device check-ins.
Why do some reports show limited or no data?
Data may be restricted or missing due to the following conditions:
- Devices have not synced recently.
- A prerequisite module is disabled (e.g., threat engine, agent update, remote terminal).
- The selected report applies to an OS platform that is not currently supported.