Security team dashboards
Security team dashboards provide summaries for analysts and administrators.
Security Admin Data Ingestion dashboard
The Security Admin Data Ingestion dashboard displays indicators that are related to data ingestion. SOC administrators who are setting up all their systems can use it to make sure that data ingestion is working as expected. For example, the Recent data sources chart might show only 10 ingested data sources, but you expect it to be a higher count. Drill down through the chart to the Ingestion data sources page to investigate further.
Chart | Description |
---|---|
Events associated to a Data Source | A drilldown chart that displays the percentage of events that are not associated to a data source. Review and create the appropriate data source. |
Percentage of Parsed Events | A drilldown chart that displays the percentage of events that were parsed. For example, 95% of events were parsed. For the 5% unparsed events, a parser might not be available for the log and the corresponding mapping doesn't exist in the data source type. |
Recent Data Sources | A drilldown chart that displays the number of data sources 'seen' in the selected timerange; for example, the last 60 minutes. |
Total Gigabytes Ingested | The number chart displays the gigabytes ingested in the selected timerange; for example, the last 60 minutes. The Total Gigabytes Ingested time series chart displays the same data as the Total Gigabytes Ingested number chart, but aggregated over time. |
Total Events Ingested | The number of events ingested in the selected timerange; for example, the last 60 minutes. |
Number of EPS Ingested | The number of EPS ingested, aggregated over time. |
Top 10 Data Sources by Volume in MB | A drilldown chart that displays the amount of data sent per data source. For example, a switch log payload is small, while a Windows or proxy log payload is large, so a device that sends only a small number of events can still account for a large amount of data. The data is displayed as a bar chart together with the Top 10 Data Sources Volume Distribution pie chart. |
Top 10 Data Sources by Events | A drilldown chart that shows the same information as the Top 10 Data Sources by Volume in MB chart, but by event count. |
Unparsed Events per Data Source | A drilldown chart that displays the number of unparsed events per data source, that is, the events that the Percentage of Parsed Events number chart reports as not parsed. |
- Monitor ingested data sources and events
- Monitor parsed and unparsed events per data source
- Track the volume of ingested data sources
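As an added example, not code from the product documented on this page, the following Python computes the same ingestion indicators the dashboard charts show (events not associated to a data source, percentage parsed, recent data sources, total bytes and gigabytes ingested, EPS, top data sources by volume and by events, and unparsed events per data source) over a constructed set of events. The `IngestedEvent` layout, the window values, the 1024-based GB/MB units and the 99% parsed target in `ingestion_findings` are all assumptions made for the example; the sample is built so that the switch sends the most events while the Windows host sends the most data, the situation the Top 10 Data Sources by Volume in MB chart describes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IngestedEvent:
    """One ingested log record. The layout is an assumption for this example, not the product's schema."""
    timestamp: int              # epoch seconds at which the event was received
    data_source: Optional[str]  # None: the event could not be associated to a data source
    parsed: bool                # False: no parser or mapping matched the payload
    size_bytes: int             # raw payload size


def _make(source, count, size, parsed, start, step):
    """Build `count` events from one source, `step` seconds apart (constructed sample data)."""
    return [IngestedEvent(start + i * step, source, parsed, size) for i in range(count)]


# Constructed 60-minute window: the switch sends many tiny events, the Windows host
# few large ones, and one event from an old firewall falls outside the window.
WINDOW_START = 1_700_000_000
WINDOW_SECONDS = 3600
SAMPLE_EVENTS: List[IngestedEvent] = (
    _make("switch-01", 40, 120, True, WINDOW_START, 60)
    + _make("win-dc-01", 30, 2000, True, WINDOW_START + 5, 100)
    + _make("win-dc-01", 5, 2000, False, WINDOW_START + 7, 300)   # no mapping for these
    + _make("proxy-01", 20, 1500, True, WINDOW_START + 11, 150)
    + _make(None, 5, 300, False, WINDOW_START + 13, 500)           # never associated
    + _make("old-fw", 1, 900, True, WINDOW_START - 7200, 0)        # outside the window
)


def events_in_window(events, start=WINDOW_START, seconds=WINDOW_SECONDS):
    """Keep only events received in [start, start + seconds), the selected time range."""
    end = start + seconds
    return [e for e in events if start <= e.timestamp < end]


def source_label(e: IngestedEvent) -> str:
    return e.data_source if e.data_source is not None else "(not associated)"


def parsed_percentage(events) -> float:
    """Percentage of Parsed Events number chart."""
    return 100.0 * sum(e.parsed for e in events) / len(events) if events else 0.0


def unassociated_percentage(events) -> float:
    """Events associated to a Data Source chart: share of events with no data source."""
    return 100.0 * sum(e.data_source is None for e in events) / len(events) if events else 0.0


def recent_data_sources(events) -> int:
    """Recent Data Sources chart: distinct sources seen in the window."""
    return len({e.data_source for e in events if e.data_source is not None})


def total_bytes(events) -> int:
    return sum(e.size_bytes for e in events)


def total_gigabytes(events) -> float:
    """Total Gigabytes Ingested; 1 GB = 1024**3 bytes is an assumption here."""
    return total_bytes(events) / 1024 ** 3


def events_per_second(events, seconds=WINDOW_SECONDS) -> float:
    """Number of EPS Ingested, averaged over the window."""
    return len(events) / seconds


def top_sources_by_volume_mb(events, n=10) -> List[Tuple[str, float]]:
    """Top 10 Data Sources by Volume in MB (1 MB = 1024**2 bytes assumed)."""
    volume = Counter()
    for e in events:
        volume[source_label(e)] += e.size_bytes
    return [(src, b / 1024 ** 2) for src, b in volume.most_common(n)]


def top_sources_by_events(events, n=10) -> List[Tuple[str, int]]:
    """Top 10 Data Sources by Events."""
    return Counter(source_label(e) for e in events).most_common(n)


def unparsed_per_data_source(events) -> Dict[str, int]:
    """Unparsed Events per Data Source: where the missing parsers or mappings are."""
    return dict(Counter(source_label(e) for e in events if not e.parsed))


def ingestion_findings(events, min_parsed_pct=99.0) -> List[str]:
    """What an administrator would act on; the 99% target is an assumed example value."""
    findings = []
    pct = parsed_percentage(events)
    if pct < min_parsed_pct:
        findings.append(f"only {pct:.1f}% of events parsed (target {min_parsed_pct}%)")
    for src, count in sorted(unparsed_per_data_source(events).items()):
        findings.append(f"{count} unparsed events from {src}: check the parser/mapping or create the data source")
    return findings


if __name__ == "__main__":
    window = events_in_window(SAMPLE_EVENTS)
    print(f"events: {len(window)}, parsed: {parsed_percentage(window):.1f}%, "
          f"sources: {recent_data_sources(window)}, EPS: {events_per_second(window):.3f}")
    print("by events:", top_sources_by_events(window, 3))
    print("by volume (MB):", [(s, round(mb, 4)) for s, mb in top_sources_by_volume_mb(window, 3)])
    for finding in ingestion_findings(window):
        print("-", finding)
```

Running it shows the two rankings disagreeing in the way the chart descriptions predict: `switch-01` leads by event count while `win-dc-01` leads by volume, and the unparsed-per-source breakdown points at the one Windows mapping gap and the five events that never matched any data source.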
Security Analyst Threat Analytics dashboard
The Security Analyst Threat Analytics dashboard displays indicators that are related to security events. For example, as a security analyst, you ingested all your data, performed some threat hunting, and now you're looking for anomalies. You notice on the Most Severe Events by Username chart that one of your users has many severe events. Drill down through the chart into Data Explorer to see the query. You can investigate further and create a case if needed.
Chart | Description |
---|---|
Most Severe Events over Time | The evolution of events over time by severity. |
Most Common Events | A drilldown chart that displays the most common types of events, for example a storm of events such as a Denial of Service. |
Most Rare and Severe Events | A drilldown chart that displays the top 5 severe and rare events. |
Top Active Users | A drilldown chart that displays suspicious use by internal users. |
Most Severe Events by Username | Potentially malicious internal users that require further investigation. |
Most Severe Events by User over Time | Potentially malicious internal users, aggregated over time, that require further investigation. |
Top 10 Source IPs by Number of Destinations | A drilldown chart that displays the source IP addresses that reached out to the most destinations and require further investigation. |
Most Severe Events by Source IP | A drilldown chart that displays the source IP addresses that are suspicious and require further investigation. |
Most Severe Events over Time by Source IP | Displays the information in the Most Severe Events by Source IP chart, aggregated over time. |
- Monitor user activity related to security events
- Track the severity of events over time
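As an added example, not code from the product documented on this page, the following Python derives the Threat Analytics indicators (most common events, most rare and severe events, top active users, most severe events by username and by source IP, top source IPs by number of destinations, and the severe-event time series) from a constructed set of normalised events. The `SecurityEvent` layout, the 1-10 severity scale with 7 as the "severe" threshold, and the ranking rule for rare-and-severe events (rarest event type first, ties broken by severity) are assumptions made for the example. The sample is built around one internal account that fails several logins and then reaches many hosts, the pattern the page's drill-down scenario describes.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

HIGH_SEVERITY = 7  # assumed threshold on an assumed 1-10 scale


@dataclass(frozen=True)
class SecurityEvent:
    """One normalised security event; the layout is an assumption for this example."""
    timestamp: int   # epoch seconds, relative to the start of the sample
    username: str
    src_ip: str
    dst_ip: str
    event_type: str
    severity: int


# Constructed sample covering two hourly buckets. "bob" fails logins against several
# hosts, then produces high-severity events; everyone else is routine traffic.
SAMPLE_EVENTS: List[SecurityEvent] = [
    SecurityEvent(0, "alice", "10.0.0.5", "10.0.1.10", "Login Success", 1),
    SecurityEvent(60, "alice", "10.0.0.5", "10.0.1.10", "Login Success", 1),
    SecurityEvent(120, "bob", "10.0.0.9", "10.0.1.10", "Login Failure", 3),
    SecurityEvent(180, "bob", "10.0.0.9", "10.0.1.11", "Login Failure", 3),
    SecurityEvent(240, "bob", "10.0.0.9", "10.0.1.12", "Login Failure", 3),
    SecurityEvent(300, "bob", "10.0.0.9", "10.0.1.13", "Privilege Escalation", 9),
    SecurityEvent(360, "carol", "10.0.0.7", "10.0.1.10", "Login Success", 1),
    SecurityEvent(420, "bob", "10.0.0.9", "10.0.1.14", "Malware Detected", 8),
    SecurityEvent(4000, "bob", "10.0.0.9", "10.0.1.15", "Privilege Escalation", 9),
    SecurityEvent(4100, "mallory", "10.0.0.22", "10.0.1.10", "Login Failure", 3),
    SecurityEvent(4200, "mallory", "10.0.0.22", "10.0.1.10", "Login Failure", 3),
    SecurityEvent(4300, "mallory", "10.0.0.22", "10.0.1.10", "Login Failure", 3),
    SecurityEvent(4400, "mallory", "10.0.0.22", "10.0.1.10", "Login Failure", 3),
    SecurityEvent(4500, "dave", "10.0.0.3", "10.0.1.10", "Login Success", 1),
    SecurityEvent(4600, "dave", "10.0.0.3", "10.0.1.10", "Login Success", 1),
    SecurityEvent(4700, "dave", "10.0.0.3", "10.0.1.10", "Login Success", 1),
]


def most_common_events(events, n=10) -> List[Tuple[str, int]]:
    """Most Common Events: event types by count (an event storm shows up here)."""
    return Counter(e.event_type for e in events).most_common(n)


def rare_and_severe_events(events, n=5, min_severity=HIGH_SEVERITY) -> List[Tuple[str, int, int]]:
    """Most Rare and Severe Events: (type, count, worst severity), rarest first."""
    counts: Counter = Counter()
    worst: Dict[str, int] = {}
    for e in events:
        counts[e.event_type] += 1
        worst[e.event_type] = max(worst.get(e.event_type, 0), e.severity)
    ranked = [(t, counts[t], worst[t]) for t in counts if worst[t] >= min_severity]
    ranked.sort(key=lambda r: (r[1], -r[2], r[0]))
    return ranked[:n]


def top_active_users(events, n=10) -> List[Tuple[str, int]]:
    """Top Active Users: event count per internal user."""
    return Counter(e.username for e in events).most_common(n)


def severe_events_by(events, key: Callable[[SecurityEvent], str], n=10,
                     min_severity=HIGH_SEVERITY) -> List[Tuple[str, int]]:
    """Most Severe Events by Username / by Source IP: severe-event count per key."""
    return Counter(key(e) for e in events if e.severity >= min_severity).most_common(n)


def top_source_ips_by_destinations(events, n=10) -> List[Tuple[str, int]]:
    """Top 10 Source IPs by Number of Destinations: distinct targets per source."""
    targets = defaultdict(set)
    for e in events:
        targets[e.src_ip].add(e.dst_ip)
    ranked = sorted(((ip, len(d)) for ip, d in targets.items()), key=lambda r: (-r[1], r[0]))
    return ranked[:n]


def severe_events_over_time(events, bucket_seconds=3600,
                            key: Optional[Callable[[SecurityEvent], str]] = None,
                            min_severity=HIGH_SEVERITY) -> Dict:
    """Most Severe Events over Time, optionally split by user or source IP via `key`.
    Buckets are numbered from the earliest event in the set."""
    if not events:
        return {}
    base = min(e.timestamp for e in events)
    series: Counter = Counter()
    for e in events:
        if e.severity < min_severity:
            continue
        bucket = (e.timestamp - base) // bucket_seconds
        series[(bucket, key(e)) if key else bucket] += 1
    return dict(series)


if __name__ == "__main__":
    print("most common:", most_common_events(SAMPLE_EVENTS, 3))
    print("rare and severe:", rare_and_severe_events(SAMPLE_EVENTS))
    print("severe by user:", severe_events_by(SAMPLE_EVENTS, lambda e: e.username))
    print("fan-out:", top_source_ips_by_destinations(SAMPLE_EVENTS, 3))
    print("severe over time by user:",
          severe_events_over_time(SAMPLE_EVENTS, key=lambda e: e.username))
```

The same `severe_events_by` and `severe_events_over_time` helpers serve the username and source IP charts by swapping the key function, which mirrors how those chart pairs on the dashboard differ only in their grouping field; the fan-out ranking is the one that surfaces a single source reaching many destinations even when its per-event severity is low.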