Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

NW: Managing the Springboard

Document created by RSA Information Design and Development Employee on Sep 8, 2020
Version 1Show Document
  • View in full screen mode
 

(From 11.5 and later) RSA NetWitness Platform Springboard presents platform-wide detections and signals in this view so analysts hunt and investigate faster than ever before.

The Springboard congregates the following information for analysts to view:

  • Critical incidents and high severity alerts that require attention.
  • Hosts and files with high risk scores that may be potential threats.
  • Risky users that are potential leads for investigation.

Springboard

The Springboard displays important information for the last 24 hours in the following out-of-the-box panels:

  • Top Incidents
  • Top Alerts
  • Top Risky Hosts
  • Top Risky Files
  • Top Risky Users

For example, the Top Risky Hosts displays the top 25 risky hosts based on the highest risk score and Operating system (Windows, Linux, and Mac). The result displays hosts of all Endpoint Servers if the Endpoint Broker is available. Otherwise, it displays the result of the first Endpoint Server.

You can perform the following actions on the Springboard:

  • Change the time range for some panels namely Incidents and Alerts panels. To change the time range, select the time range selection box from the drop-down menu in the top left corner of the Springboard view.

  • Increase the display of the results in the table to view more than 25 results. Click Edit Panel on the panel, the Edit Panel dialog is displayed. Edit the number of results field and click Save Panel.

  • Click a row in the table to view details or to investigate.
  • Click View incidents at the top of the panel to view all the results. For example, in the Top Incidents panel, click View incidents to view all incidents in the Respond > Incidents list view.

  • Scroll to view the different panels using the Navigate bar scroll bar available below the panels.

Administrators can customize the Springboard by performing the following:

  • Edit the out-of-the-box panels. For more information, see Edit a Panel.
  • Refresh the out-of-the-box panels. For more information, see Refresh a Panel.
  • Create new panels with important system indicators. For example, a new panel showing focused event metadata based on pre-defined query conditions can be created. For more information, see Add a Panel.

Working with the Springboard

Note: An administrator must provide the appropriate permissions to allow users to edit the springboard panels. For more information see the the Springboard section in the "Role Permissions" topic in the System Security and User Management Guide.

You can customize the information on the out-of-the-box Springboard by adding, editing, copying, moving, and deleting panels.

Add a Panel

You can add a panel to the Springboard according to the analyst preferences. For example, an analyst can watch top risky users or top risky hosts for a particular region in a panel.

Note: The maximum number of panels on the Springboard should not exceed 20 panels.

To add a panel:

  1. Click Manage Board.
  2. Click Add Panel either on the top or on the right side of the view or click Add Panel at the bottom of the view to add a panel.

    The Create New Panel dialog is displayed. The following figure is an example of the events panel configuration.

    Adding New Events Panel

  3. In the Input Settings section:
    • Name: Enter a unique name for the panel. The name can include letters, numbers, spaces, and special characters, such as _ - ( ) [ ].

    • Number of Results: By default, the number of results is 25. Specify the number of results that range from 25 to 100.

    • Data Type: Select the type of data to use for the panel:
      • Alerts
      • Incidents
      • Events
      • Files
      • Hosts
      • Users
    • Data Source: Select the source of the data to use for the panel. This field is enabled when the data type is Events, Files, or Hosts.
      • Events: Select either Broker or Concentrator.
      • Files: Select either Endpoint Broker Server or Endpoint Server.
      • Hosts: Select either Endpoint Broker Server or Endpoint Server.
    • (Optional) Filter : Filter the data as required for each data type from the saved filters list.
  4. In the Output Settings section, select the appropriate settings based on the data type.

  5. Click Add Panel.
  6. Click Save Board once you have added all the panels.

Edit a Panel

You can edit the out-of-the-box or newly added panels on the Springboard.

To edit a panel:

  1. Click Edit Panel on the panel that you want to edit.
    The Edit Panel dialog is displayed.

  2. Edit and click Save Panel.

Rearrange Panels

You can arrange the panels by dragging and dropping them into a different order on the Springboard.

To rearrange panels:

  1. Click Manage Board.
  2. To move a panel, click anywhere on the panel, drag and drop the panel to the desired location.

  3. Click Save Board.

Delete Panels

You can delete panels permanently in the following situations:

  • Services are not installed. For example, if you do not have Endpoint Log Hybrid installed, then you can delete the panels for Top Risky Hosts and Files.

  • The maximum number of panels have exceeded the limit, that is 20, and you want to add a new panel.

To delete existing panels:

  1. Click Manage Board.
  2. Select the panels that you want to delete.
  3. Click Remove Panel.
  4. Click Save Board.

Restore System Default Settings

Note: This is enabled only if any changes are made to the out-of-the-box Springboard panels.

To restore the out-of-the-box panels:

  1. Click Manage Board.

  2. Click Restore System Default.

    A confirmation pop-up is displayed to confirm if you want to restore the out-of-the-box panels or not.

  3. Click Restore System Default.

Refresh a Panel

To refresh a panel:

Click Refresh Panel on the panel that you want to refresh, it loads the latest data in the panel.

You are here
Table of Contents > Managing the Springboard

Attachments

    Outcomes