Investigation: Filter Dashlet Data in the Summary of Events View

Document created by RSA Information Design and Development on Jul 24, 2016

This topic provides instructions for analysts to filter data in the dashlets viewed in the Security Analytics Malware view Summary of Events.

The Summary of Events provides a summary of the scan being investigated, presented in selectable dashlets. The layout of the Summary of Events is fixed, but analysts can configure each dashlet to filter out information and drill into the data.

104MWSumEvents2.png

The rest of this topic provides instructions for managing and configuring dashlets.

Configure the Score Wheel Dashlet

The Score Wheel is a high-level visualization of analyzed sessions that scored high, medium, or low in each of the scoring categories: Static, Network, Community, and Sandbox. The Score Wheel is a quick way to drill into sessions to review them. Each ring represents a different scoring category so that you can visually compare results by category.

104ScrWheel.png

You can change the order of the rings to highlight indicators of compromise that were flagged in one category but not in another category. Comparing the same results in a different sequence of the rings provides visibility into additional vulnerabilities in a session, and you can drill into sessions of interest. The following examples show two possible use cases.

Zero-Day Candidates Example

This example shows how to drill into sessions that the Community did not flag as malicious, but all other scoring categories did. The resulting list of sessions highlights zero-day candidates.

  1. Configure the Score Wheel rings in the following sequence:
    Community (innermost) > Static > Network > Sandbox (outermost)
  2. Click the red slice in the outermost (Sandbox) ring that aligns with a green slice on the innermost (Community) ring, so that the path from the inside out is Community: green -> Static: red -> Network: red -> Sandbox: red.
    ScoreWheelLabelExample.png

Malicious Sessions Example

This example shows how to drill into sessions that every scoring category identifies as malicious. These are the sessions in which Malware Analysis has the highest confidence that the content is malware.

  1. Configure the Score Wheel rings in the following sequence:
    Community (innermost) > Static > Network > Sandbox (outermost)
  2. Click the red slice of the outermost (Sandbox) ring that aligns with a red slice on the innermost (Community) ring, so that the path from the inside out is Community: red -> Static: red -> Network: red -> Sandbox: red.
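The two use cases above are the same operation: order the rings, then select the outermost slice whose path from the innermost ring out matches a pattern. The following Python model is an added example, not code from the original page or from RSA Security Analytics; it assumes that each session carries one 0-100 score per category and that slices are coloured red/yellow/green at assumed thresholds (70 and 30), which the page does not state. It groups constructed sample sessions by score level in a chosen ring order and implements both the zero-day-candidate drill and the all-red drill, plus per-ring slice counts that show why the ring sequence changes what the inner rings aggregate.

```python
"""Model of the Score Wheel drill-down described above (added example).

Assumptions (not stated on the page): one integer score per category per
session, and red/yellow/green slice colouring at thresholds 70 and 30.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

CATEGORIES = ("Static", "Network", "Community", "Sandbox")
# Default inside-to-outside ring order, as given in the text.
DEFAULT_RING_ORDER = CATEGORIES
# Ring order used by both worked examples: Community innermost, Sandbox outermost.
ZERO_DAY_ORDER = ("Community", "Static", "Network", "Sandbox")

Path = Tuple[str, ...]


def score_level(score: int) -> str:
    """Map a category score to a slice colour. Thresholds are assumed."""
    if score >= 70:
        return "red"
    if score >= 30:
        return "yellow"
    return "green"


def build_wheel(sessions: Iterable[dict], ring_order: Sequence[str] = DEFAULT_RING_ORDER) -> Dict[Path, List[str]]:
    """Group session ids by their inside-to-outside colour path.

    Each distinct full path is one outermost slice; a prefix of the path is a
    slice on an inner ring. Re-ordering the rings permutes the paths, so the
    same sessions end up under a different inner-ring grouping.
    """
    if sorted(ring_order) != sorted(CATEGORIES):
        raise ValueError(f"ring_order must be a permutation of {CATEGORIES}, got {tuple(ring_order)}")
    wheel: Dict[Path, List[str]] = defaultdict(list)
    for session in sessions:
        path = tuple(score_level(session[cat]) for cat in ring_order)
        wheel[path].append(session["id"])
    return dict(wheel)


def ring_slices(wheel: Dict[Path, List[str]], depth: int) -> Counter:
    """Session count per slice on ring `depth` (1 = innermost ring)."""
    counts: Counter = Counter()
    for path, ids in wheel.items():
        counts[path[:depth]] += len(ids)
    return counts


def drill(wheel: Dict[Path, List[str]], path: Sequence[str]) -> List[str]:
    """Return the session ids behind one outermost slice (empty if none)."""
    return sorted(wheel.get(tuple(path), []))


def zero_day_candidates(sessions: Iterable[dict]) -> List[str]:
    """Zero-Day Candidates Example: Community green, every other ring red."""
    return drill(build_wheel(sessions, ZERO_DAY_ORDER), ("green", "red", "red", "red"))


def high_confidence_malicious(sessions: Iterable[dict]) -> List[str]:
    """Malicious Sessions Example: red on every ring."""
    return drill(build_wheel(sessions, ZERO_DAY_ORDER), ("red",) * 4)


# Constructed sample sessions for illustration; not real scan data.
SAMPLE_SESSIONS = [
    {"id": "s1", "Static": 90, "Network": 80, "Community": 10, "Sandbox": 95},
    {"id": "s2", "Static": 90, "Network": 90, "Community": 90, "Sandbox": 90},
    {"id": "s3", "Static": 90, "Network": 80, "Community": 85, "Sandbox": 95},
    {"id": "s4", "Static": 20, "Network": 10, "Community": 5, "Sandbox": 15},
    {"id": "s5", "Static": 90, "Network": 50, "Community": 10, "Sandbox": 90},
    {"id": "s6", "Static": 75, "Network": 70, "Community": 20, "Sandbox": 70},
]

if __name__ == "__main__":
    print("zero-day candidates:", zero_day_candidates(SAMPLE_SESSIONS))
    print("high-confidence malicious:", high_confidence_malicious(SAMPLE_SESSIONS))
    for order in (DEFAULT_RING_ORDER, ZERO_DAY_ORDER):
        inner = ring_slices(build_wheel(SAMPLE_SESSIONS, order), 1)
        print(f"innermost ring {order[0]}:", dict(inner))
```

With the sample data the innermost ring shows five red sessions when Static is innermost but only two when Community is innermost; the sessions have not changed, only the grouping has, which is exactly the visual comparison the ring sequence is for. The `ValueError` in `build_wheel` guards against a ring order that omits or duplicates a category, which would silently drop a ring from every path.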

Arrange the Ring Sequence by Scoring Module

In the Score Wheel, you can arrange the sequence of the rings by scoring module. Initially, the sequence of rings from inside to outside is Static, Network, Community, and Sandbox.

To change the ring sequence:

  1. Do one of the following:
    1. Click and drag each scoring module up or down.
    2. Select each scoring module and use the Up and Down buttons to move it. 
  2. When the ring sequence is the way you want it, click the Update button.
    The Score Wheel is refreshed with the new sequence.
    ScoreWheelViewEvents.png

Configure the Meta Treemap Dashlet

In the Meta Treemap chart, you can visualize and filter meta breakdowns by meta type, count, and analysis type. Use the three selection lists to set the filter, and the Meta Treemap chart is refreshed immediately.

104MetTreMap.png

Configure the Meta Breakdowns Dashlet

The Meta Breakdowns dashlet is a visualization of values for a specific meta key in a pie chart. In the Meta Breakdowns chart, you can filter meta breakdowns by meta type and count. Use the two selection lists to set the filter, and the Meta Breakdowns chart is refreshed immediately.

104MetaBDDshlt.png

Configure the Events Timeline Dashlet

The Events Timeline dashlet is a visualization of the events along a timeline. No additional filters are available for the Events Timeline.

104EvTimeln.png

Open All Events in the Events List

From within the Events Timeline, you can open the entire list of events in the Events List. To do so, click the View Events icon (104ViewEventsIc.png). This is different from clicking the count next to Events, which is available on all visualization charts and opens only the current drill point in the Events List.

Configure the Top Listing of Highly Suspicious Malware Dashlet

The Top Listing of Highly Suspicious Malware Dashlet presents the Top 10 most suspicious events in the Events List or the Files List. This dashlet is also available in the Unified dashboard, and the configuration options are described in the Getting Started with Security Analytics Guide.


Configure the Malware with High Confidence IOCs and High Scores Dashlet

The Malware with High Confidence IOCs and High Scores dashlet presents Indicators of Compromise that have both high scores and high confidence that the events are likely to contain malware. The dashlet is also available in the Unified dashboard, and the configuration options are described in Malware with High Confidence IOCs and High Scores Dashlet in the Getting Started with Security Analytics Guide.

Configure the Top Listing of Possible Zero Day Malware Dashlet

The Top Listing of Possible Zero Day Malware dashlet presents potential zero day events in the Events List or the Files List. The dashlet is also available in the Unified dashboard, and the configuration options are described in the Getting Started with Security Analytics Guide.
