# Campaign Report Once a campaign has been created and executed, EFI provides a **detailed report** that summarizes its results, including delivery success, user interaction, and endpoint behavior (if telemetry is enabled). ## **How to Access the Report** 1. In the EFI Campaign Table, locate the row of the campaign you want to analyze. 2. Click the three-dot menu (⋮) located at the far right of the row. 3. Select "Generate Report" from the dropdown menu. 4. You will be automatically redirected to the campaign report view. {% hint style="info" %} Note: This option becomes available only after the campaign has been published. {% endhint %} ## **Campaign Report** Once a campaign is complete, EFI generates a comprehensive report with visualizations and telemetry data to assess how the emulation unfolded across the delivery chain. The report includes real-time statistics, endpoint activity, and delivery summaries. Here’s what you’ll find in the report: ## **Campaign Summary** Displays essential metadata: * Campaign Name * Status (Expired, Active, Pending, Building) * Type of Operation (Controlled or Unattended) * Delivery Type (Inside or Outside) * Distribution Method (Email, QR Code, Link) * Platform (Windows/Linux) * Start & End Timestamps This panel serves as the high-level summary of the campaign’s configuration and lifecycle. ## **Clicked Count** Shows how many users interacted with the campaign, this information is obtained based on the times the link is accessed. ## **History Graph (Spider/Radar Chart)** Visualizes the **full progression of the emulated attack** across multiple phases: * **Emitted** – Emails or links sent * **Register** – Payload registered on endpoint * **Download** – Payload successfully downloaded * **Validated** – Control validation triggered * **Execution** – File executed * **Survived** – No detection/interruption * **Finished** – Campaign completed This gives a breakdown of how far each payload made it in the attack chain. ## **Distribution Days** Bar chart showing the day-by-day distribution volume, helping teams identify which day had more engagement or delivery attempts. ## **Categories** * **Agents Registered**: Number of endpoints that received and ran the payload with the EVE agent. * **Malware Download Count**: Number of successful payload downloads from attacker URLs. ## **Details for Agents Registered** A table listing endpoint details for registered agents: | Column | Description | | --------------- | -------------------------------------------------------- | | **Device Name** | Hostname or asset ID | | **User** | Username of the device owner | | **Details** | Access to full endpoint execution logs (via icon button) | This allows for detailed analysis of each device's behavior and telemetry during the campaign. ## **Campaign Success and Fail Gauge** A bar graph that summarizes overall campaign execution results: * **Success**: Number of payloads that reached the final execution phase as designed. * **Fail**: Payloads that failed to complete execution, possibly due to user inaction or security control intervention. * **Total Emulation Scripts**: Number of payloads or scripts included in the campaign. * **Endpoints**: Number of unique devices that participated in the campaign. ## **Percent of Success (Donut Chart)** * Displays the **total campaign success rate** as a percentage. * A 100% success rate indicates that all configured steps (e.g., click, download, execution) were completed on the participating endpoints. ## **Metadata Insights** These pie charts break down environmental data collected from the endpoints: | **Chart** | **Description** | | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | | **Percent Browser** | Shows the distribution of browsers used to access the payload. Useful to detect browser-based bypass techniques or user preferences. | | **Percent OS** | Displays the operating system of target endpoints. | | **Percent Device** | Identifies the type of device used (e.g., PC, mobile, tablet). | ## **Endpoint Metadata Table** A comprehensive table displays device-level metadata for each endpoint that interacted with the campaign. | **Colum** | **Description** | | -------------------- | -------------------------------------------------------------------------------- | | **Browser Family** | The browser used to access the link or execute the payload (e.g., Chrome, Edge). | | **Browser Version** | Specific version of the browser, useful for detecting unpatched software. | | **Device** | Device type as recognized (e.g., PC, mobile, unknown). | | **Device Brand** | Manufacturer (if known) of the endpoint device. | | **Device Model** | Model identifier (if known). | | **Operating System** | The OS that ran the payload (e.g., Windows). | | **OS Version** | Specific version of the OS (e.g., Windows 10). | | **Type** | Classification of the endpoint (e.g., PC, Other). | ## **Network Distribution Map** A geographic heat map displays the approximate locations of the endpoints that interacted with the campaign. Each dot on the map represents an interaction: * Colored based on intensity or interaction type (e.g., click, download). * Helps visualize campaign reach, impact, or regional concentration. Use this view to correlate emulation activity with specific offices, regions, or geofenced policy zones.
## **Detailed Execution Timeline** This section provides a **step-by-step breakdown** of what occurred on each endpoint for each payload sent as part of the campaign. It's one of the most powerful and granular parts of the report, allowing teams to analyze how the threat progressed across the entire attack chain. | **Column** | **Description** | | -------------- | ------------------------------------------------------------------------------- | | **Device** | The name of the endpoint that received the payload. | | **Malware** | The specific file or synthetic sample delivered to the device. | | **Register** | Indicates whether the payload was successfully registered on the endpoint. | | **Download** | Confirms the payload was downloaded from the attacker link or QR code. | | **Validation** | Shows if the security validation process was triggered successfully. | | **Execution** | Indicates that the payload was executed. | | **Survived** | The payload ran without being blocked by security controls. | | **Finished** | The payload completed its execution lifecycle. | | **Error** | Displays any error messages encountered during execution (e.g., access denied). | | **Actions** | Opens a detailed telemetry report (eye icon) for the specific payload instance. | ## **Detailed Execution Timeline** Clicking on the eye icon in the "Details for Malware Sending" table opens a Malware Details Panel, which provides a visual and time-aligned breakdown of what occurred with a specific payload on a specific endpoint. At the center of this view is a circular timeline showing the full execution lifecycle of the synthetic threat. Each segment corresponds to a specific stage of the attack chain: | **Stage** | **Description** | | -------------- | ------------------------------------------------------------------------- | | **Issued** | The payload was dispatched as part of the campaign. | | **Registered** | The file was acknowledged on the endpoint, confirming contact. | | **Downloaded** | The payload was successfully downloaded from the attacker infrastructure. | | **Validated** | EFI began validating the threat and tracking controls on the endpoint. | | **Executed** | The payload was run on the system. | | **Survived** | The payload remained active without being interrupted or blocked. | | **Finalized** | The payload completed its cycle; telemetry collection was closed. |