Dashboards Catalog

Document created by RSA Information Design and Development on Dec 2, 2016. Last modified by RSA Information Design and Development on Dec 15, 2017.
Version 89

Several Preconfigured dashboards are available upon installation. These dashboards provide a high-level overview of network traffic and logs, and give SOC managers, analysts and system administrators immediate value by presenting a quick overall status of the network.

The Overview dashboard provides a sampling of information that can be viewed in more detail in the dashlets of the other dashboards. It provides high-level trends and state-of-the-business view of network traffic and logs status. From its dashlets, links are provided to drill down to view more information about individual dashboards. For example, when you drill down from the Top Services dashlet on the Overview dashboard, it will lead to the Operations—Network dashboard, which shows further details on Operations—Network Top Source Countries and Destination Countries.

All these dashboards are available upon installation. However, they are disabled by default except the Default dashboard. Every dashboard consists of dashlets that are built based on a chart supported by a Report Rule. So, each dashlet is dependent on a Report Rule and a Report Chart. These Preconfigured dashboards are read-only dashboards with no option to edit them. If their Refresh Interval or Past Hours are edited for any reason, they may get overridden during upgrades. RSA recommends that you make a copy of the Preconfigured dashboards before you make any modifications.

For detailed information on Dashlets, see Dashlets.

Available Preconfigured Dashboards

The following table describes each Preconfigured dashboard.

Name                          | Description
------------------------------|-------------------------------------------------------------------------------------------
Identity Dashboard            | Shows users and services that may potentially have malicious activities. The trends help compare them against daily logs to find abnormal behavior.
Overview Dashboard            | Provides a trending view of traffic flow within the customer's environment over a 24 hour period.
Operations—Logs Dashboard     | Shows top trends and distribution of logs from different classes and categories, for a quick view of log categories and event classes. Use this view to adjust devices that are producing more logs than expected.
Operations—Network Dashboard  | Shows top trends of source and destination traffic, including geographic locations, in order to easily monitor network traffic.
SecurID Dashboard             | Allows analysts to monitor specific identities and their behaviors. It empowers organizations to monitor two-factor environments that utilize RSA's SecurID for authenticating to protected resources.
Threat—Hunting Dashboard      | Displays a summary of the events that have been categorized according to the Hunting meta keys.
Threat—Indicators Dashboard   | Shows top Threat and Risk trends that help monitor any changes to the normal categories or sources of risk. An abnormal amount of threats from an uncommon source needs further investigation.
Threat—Intrusion Dashboard    | Provides a view into firewall events and actions as well as IDS signatures over the last 24 hours.

General Dependencies

Each Dashlet is dependent upon one report rule and one report chart. Also, dashlets may be dependent on other content. In that case, those dependencies are listed.

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

Dashboard-Related Procedures

Occasionally, you may want to perform the following tasks:

  • Add or Change a Reporting Engine data source
  • Enable some charts

Add a Data Source to a Reporting Engine

In most cases, for customers that have other reports running, the Data Source is already defined. If so, you can skip this section.

Perform the following steps to associate a data source with a Reporting Engine:

  1. Depending on your version:

    • For NetWitness 11.x: Navigate to ADMIN > Services.
    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
  2. In the Services Grid, select a Reporting Engine service.
  3. Click View > Config.

    The Services Config View of Reporting Engine is displayed.

  4. Click the Sources tab, and select the appropriate Concentrator service as the Data source.

Enable Charts

To enable the charts, do the following:

  1. Depending on your version:

    • For NetWitness 11.x: Navigate to MONITOR > Reports.
    • For Security Analytics 10.x: In the Security Analytics menu, select Reports.
  2. Click Charts.
  3. Click Identity Group.

    The RSA SecureID folder appears.

  4. Select the RSA SecureID folder.

    All charts related to RSA SecureID are listed under the Charts list panel.

  5. In the Charts list panel, select one or more charts whose Enabled column is unselected.

  6. Click selected.

A confirmation message indicates that the state of the selected charts is changed successfully.

Identity Dashboard

The Identity dashboard shows users and services that may potentially have malicious activities. The trends help compare them against daily logs to find abnormal behavior.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                                        | Medium | Report Rule                          | Report Chart
-----------------------------------------------|--------|--------------------------------------|-------------------------------------
Top Log Event Users Trend                      | log    | Log Event Users                      | Log Event Users
Top Logon Failures Summary                     | log    | Logon Failures Summary               | Logon Failures Summary
Top Logon Success Summary                      | log    | Logon Success Summary                | Logon Success Summary
Top Cleartext Authentications by Service Trend | packet | Cleartext Authentications by Service | Cleartext Authentications by Service
Top Cleartext Passwords by Service             | packet | Cleartext Passwords by Service       | Cleartext Passwords by Service
Top Email Sender Trends                        | packet | Email Senders                        | Email Senders

Note: All of the dashlets are also dependent upon the Hunting Pack and the Identity Feed.

Dashlets Contained in this Dashboard

The Identity dashboard contains the following dashlets:

  • Top Log Event Users Trend: Displays the top 10 users as populated by log event traffic.
  • Top Logon Failures Summary: Displays the top 10 logon failures as populated by log event traffic.
  • Top Logon Success Summary: Displays the top 10 logon successes as populated by log event traffic.
  • Top Cleartext Authentications by Service Trend: Displays the top authentications detected in clear text by service through packet traffic.
  • Top Cleartext Passwords by Service: Displays the top passwords detected in clear text by service through packet traffic.
  • Top Email Sender Trends: Displays the top email senders from packet traffic.

Operations—Logs Dashboard

The Operations—Logs dashboard shows top trends and distribution of logs from different classes and categories, for a quick view of log categories and event classes. Use this view to adjust devices that are producing more logs than expected.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                     | Medium | Report Rule           | Report Chart
----------------------------|--------|-----------------------|----------------------
Top Log Event Classes Trend | log    | Log Event Classes     | Log Event Classes
Top Log Event Types Trend   | log    | Log Event Types       | Log Event Types
Top Log Event Categories    | log    | Log Event Categories  | Log Event Categories
Top Log Destination Ports   | log    | Log Destination Ports | Log Destination Ports

Dashlets Contained in this Dashboard

The Operations—Logs dashboard contains the following dashlets:

  • Top Log Event Classes Trend: Displays the top 10 log event classes as populated by log event source traffic.
  • Top Log Event Types Trend: Displays the top 10 log event types as populated by the log event traffic.
  • Top Log Event Categories: Displays the top 10 log event categories as populated by log event traffic.
  • Top Log Destination Ports: Displays the top 10 log destination ports as populated by log event traffic.

Operations—Network Dashboard

The Operations—Network dashboard shows top trends of source and destination traffic, including geographic locations, in order to easily monitor network traffic.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                      | Medium      | Report Rule                     | Report Chart                 | Other
-----------------------------|-------------|---------------------------------|------------------------------|-------------
Top Services Trend           | packet      | Top 10 Services                 | Top Services                 |
Top TCP Destination Ports    | packet      | Top TCP Destination Ports       | Top TCP Destination Ports    |
Top Source IP Addresses      | log, packet | Top Source IP Addresses         | Top Source IP Addresses      |
Top Destination IP Addresses | log, packet | Top 10 Destination IP Addresses | Top Destination IP Addresses |
Top Destination Countries    | log, packet | Top 10 Destination Countries    | Top Destination Countries    | GeoIP parser
Top Source Countries         | log, packet | Top Source Countries            | Top Source Countries         | GeoIP parser

Dashlets Contained in this Dashboard

The Operations—Network dashboard contains the following dashlets:

  • Top Services Trend: Displays the top 10 services (protocols), based on the network traffic.
  • Top TCP Destination Ports: Displays the top 10 TCP destination ports based on the network traffic.
  • Top Source IP Addresses: Displays the top 10 source IP addresses based on the network traffic.
  • Top Destination IP Addresses: Displays the top 10 destination IP addresses based on the network traffic.
  • Top Destination Countries: Displays the top 10 destination countries based on the network traffic.
  • Top Source Countries: Displays the top 10 source countries based on the network traffic.

Overview Dashboard

The Overview dashboard provides a trending view of traffic flow within the customer's environment over a 24 hour period.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                            | Medium      | Report Rule                    | Report Chart                   | Other
-----------------------------------|-------------|--------------------------------|--------------------------------|------------------------
Top Services                       | packet      | Top 10 Services                | Top Services                   |
Top Log Event Classes              | log         | Log Event Classes              | Log Event Classes              |
Traffic Flow Direction             | log, packet | Traffic Flow Direction         | Traffic Flow Direction         | Traffic Flow Lua parser
Top Firewall Systems               | log         | Firewall Systems               | Firewall Systems               |
Top Threat Sources                 | log, packet | Threat Sources                 | Threat Sources                 | RSA Research Feed
Top Cleartext Passwords by Service | packet      | Cleartext Passwords by Service | Cleartext Passwords by Service |

Dashlets Contained in this Dashboard

The Overview dashboard contains the following dashlets:

  • Top Services: Displays the top 10 services (protocols) based on the network traffic trends.
  • Top Log Event Classes: Displays the top 10 log event classes as populated by log event source traffic.
  • Traffic Flow Direction: Displays traffic flow as populated with the Traffic Flow Lua parser or as parsed from a log event source.
  • Top Firewall Systems: Displays firewall systems based on the ip.addr meta key from a Firewall log event source.
  • Top Threat Sources: Displays threat sources based on the threat.source meta key populated by feeds.
  • Top Cleartext Passwords by Service: Displays the top passwords detected in clear text by service through packet traffic.

RSA SecurID Dashboard

The RSA SecurID dashboard allows analysts to monitor specific identities and their behaviors. It empowers organizations to monitor two-factor environments that utilize RSA's SecurID for authenticating to protected resources. Users can run reports using the NetWitness Report Engine, either ad-hoc or on a recurring schedule.

Sample dashboard screen:

Dependencies

The RSA SecurID Dashboard only applies to customers collecting from logs. Thus, all the dashlets for this dashboard have a medium of Log.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                                   | Report Rule                               | Report Chart                              | Other
------------------------------------------|-------------------------------------------|-------------------------------------------|-------------------------------------------------------------------------------------------------------------
RSA SecurID-Bad PIN Good Token Code       | RSA SecurID-Bad PIN Good Token Code       | RSA SecurID-Bad PIN Good Token Code       | The RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) is required.
RSA SecurID-Bad PIN Previous Token Code   | RSA SecurID-Bad PIN Previous Token Code   | RSA SecurID-Bad PIN Previous Token Code   |
RSA SecurID-Bad Token Code Bad PIN        | RSA SecurID-Bad Token Code Bad PIN        | RSA SecurID-Bad Token Code Bad PIN        |
RSA SecurID-Bad Token Code Good PIN       | RSA SecurID-Bad Token Code Good PIN       | RSA SecurID-Bad Token Code Good PIN       |
RSA SecurID-Static Passcode Authentication | RSA SecurID-Static Passcode Authentication | RSA SecurID-Static Passcode Authentication |
RSA SecurID-Token Code Reuse              | RSA SecurID-Token Code Reuse              | RSA SecurID-Token Code Reuse              |
RSA SecurID-Unknown User Failed Login     | RSA SecurID-Unknown User Failed Login     | RSA SecurID-Unknown User Failed Login     |
RSA SecurID-Account Lockouts              | RSA SecurID-Account Lockouts              | RSA SecurID-Account Lockouts              |

Dashlets Contained in this Dashboard

The SecurID dashboard contains the following dashlets:

  • RSA SecurID-Account Lockouts: A user has attempted to log in too many times without successfully logging in and has locked their SecurID account.
  • RSA SecurID-Bad PIN Good Token Code: A user had a valid SecurID Token Code for the user account but entered a bad PIN.
  • RSA SecurID-Bad PIN Previous Token Code: A user entered a previous token code, but the token code had reached the end of its valid period of time (usually 60 seconds) and rolled out of the system before authentication was completed.
  • RSA SecurID-Bad Token Code Bad PIN: A user has attempted to log in with a valid username but has entered the SecurID Token Code and PIN incorrectly.
  • RSA SecurID-Bad Token Code Good PIN: A user had a valid PIN for their user account but typed the SecurID Token Code incorrectly.
  • RSA SecurID-Static Passcode Authentication: A user has authenticated with a static passcode and not a SecurID token.
  • RSA SecurID-Token Code Reuse: A user had a valid token code but had already used it in a prior login attempt. The user did not allow the token code to change before attempting another login.
  • RSA SecurID-Unknown User Failed Login: A user has attempted to log in with a username that does not exist in the SecurID Server database (invalid username).

Threat—Hunting Dashboard

The Threat—Hunting dashboard displays a summary of the events that have been categorized according to the meta keys described below.

The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the RSA NetWitness Hunting Guide and the Investigation Feed for more details about the contents of the pack and the suggested investigation techniques.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                  | Medium | Report Rule              | Report Chart
-------------------------|--------|--------------------------|-------------------------
Behaviors of Compromise  | packet | Behaviors of Compromise  | Behaviors of Compromise
Enablers of Compromise   | packet | Enablers of Compromise   | Enablers of Compromise
File Analysis            | packet | File Analysis            | File Analysis
Indicators of Compromise | packet | Indicators of Compromise | Indicators of Compromise
Service Analysis         | packet | Service Analysis         | Service Analysis
Session Analysis         | packet | Session Analysis         | Session Analysis

Note: All of the dashlets are also dependent upon the Hunting Pack.

Dashlets Contained in this Dashboard

The Threat—Hunting dashboard contains the following dashlets:

  • Behaviors of Compromise: Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key, Behaviors of Compromise, is populated.
  • Enablers of Compromise: Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated.
  • File Analysis: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, File Analysis, is populated.
  • Indicators of Compromise: Possible intrusions into the network that can be identified through malware signatures or IPs and domains associated with command and control campaigns. This rule displays output when the meta key, Indicators of Compromise, is populated.
  • Service Analysis: Core application protocols identification and inspection. This rule displays output when the meta key, Service Analysis, is populated.
  • Session Analysis: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, Session Analysis, is populated.

Threat—Indicators Dashboard

The Threat—Malware Indicators dashboard displays web-based packet and web log traffic that goes to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making requests.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details. The Other dependencies of the three Malware Activity dashlets are listed below the table.

Dashlet                       | Medium      | Report Rule                   | Report Chart
------------------------------|-------------|-------------------------------|----------------------------------
Threat Sources                | log, packet | Threat Sources                | Threat Sources
Threat Categories             | log, packet | Threat Categories             | Threat Categories
Malware Activity DNS          | packet      | Malware Activity DNS          | Malware Activity DNS
Malware Activity Web          | log, packet | Malware Activity web          | Malware Activity web
Malware Activity Unidentified | log, packet | Malware Activity Unidentified | Malware Activity web Unidentified

Other dependencies for Malware Activity DNS:

You will also need to have at least one of the following feeds deployed:

  • Investigation
  • RSA FirstWatch C2 Domains
  • RSA FirstWatch C2 IPs
  • RSA FirstWatch APT Domains
  • RSA FirstWatch APT IPs

If deploying the Investigation feed, you will need at least one of the related Lua parsers:

  • DNS_verbose_lua, or
  • DynDNS

Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed for more details.

Other dependencies for Malware Activity Web:

You will also need to have at least one of the following feeds deployed:

  • Investigation
  • RSA FirstWatch C2 Domains
  • RSA FirstWatch C2 IPs
  • RSA FirstWatch APT Domains
  • RSA FirstWatch APT IPs

If deploying the Investigation feed, you will need at least one of the related Lua parsers:

  • HTTP_lua, or
  • TLS_lua

If collecting logs, you will need at least one event source with a device class of web logs. This includes web proxy and security products such as Cisco WSA and SQUID.

Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed for more details.

Other dependencies for Malware Activity Unidentified:

You will also need to have at least one of the following feeds deployed:

  • Investigation
  • RSA FirstWatch C2 Domains
  • RSA FirstWatch C2 IPs
  • RSA FirstWatch APT Domains
  • RSA FirstWatch APT IPs

If collecting logs, you need at least one of the following event source types:

  • Firewall
  • IDS
  • IPS
  • Netflow (rsaflow)

Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed for more details.

Note: All of the dashlets are also dependent upon the Hunting Pack.

Dashlets Contained in this Dashboard

The Threat—Indicators dashboard contains the following dashlets:

  • Threat Sources: Displays threat sources based on network traffic. The threat.source meta key is populated by feeds and Lua parsers.
  • Threat Categories: Displays threat categories based on network traffic. The threat.category meta key is populated by feeds and Lua parsers.
  • Malware Activity DNS: Displays DNS packet traffic that is going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making DNS queries. The native NETWORK packet parser must be enabled in order to identify the DNS service. This parser is enabled by default.
  • Malware Activity Web: Displays web-based packet and web log traffic that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making web requests. The native NETWORK packet parser must be enabled in order to identify the web service. This parser is enabled by default.
  • Malware Activity Unidentified: Displays packet and log traffic other than DNS and Web that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network. The native NETWORK packet parser must be enabled. This parser is enabled by default.

Threat—Intrusion Dashboard

The Threat—Intrusion dashboard provides a view into firewall events and actions as well as IDS signatures over the last 24 hours.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                                     | Medium | Report Rule                      | Report Chart
--------------------------------------------|--------|----------------------------------|---------------------------------
Top Firewall Destination IP Addresses Trend | log    | Firewall Destination IP Addresses | Firewall Destination IP Addresses
Top Firewall Denied Connections             | log    | Firewall Denied Connections      | Firewall Denied Connections
Top Firewall Users                          | log    | Firewall Users                   | Firewall Users
Top Firewall Events                         | log    | Firewall Events                  | Firewall Events
Top IDS Signature Trend                     | log    | IDS Signatures                   | IDS Signatures
Top IDS Signatures                          | log    | IDS Signatures                   | IDS Signatures
Top Firewall Systems Trend                  | log    | Firewall Systems                 | Firewall Systems
Top Virus Detection Trend                   | log    | Virus Detection                  | Virus Detection

Dashlets Contained in this Dashboard

The Threat—Intrusion dashboard contains the following dashlets:

  • Top Firewall Destination IP Addresses Trend: Displays the top 10 destination IP addresses as populated by device class of Firewall.
  • Top Firewall Denied Connections: Displays the top 10 destination IP addresses with an action showing a denied connection, as populated by device class of Firewall.
  • Top Firewall Users: Displays the top 10 destination users, as populated by device class of Firewall.
  • Top Firewall Events: Displays the top 10 firewall events, using the action meta key, as populated by device class of Firewall.
  • Top IDS Signature Trend: Displays the top 10 IDS signatures as a trend over a 24 hour period, through the meta key policy.name, as populated by device class of IDS.
  • Top IDS Signatures: Displays the top 10 IDS signatures totals over a 24 hour period, through the meta key policy.name, as populated by device class of IDS.
  • Top Firewall Systems Trend: Displays the top 10 firewall systems by device IP, using the ip.addr meta key, as populated by device class of Firewall.
  • Top Virus Detection Trend: Displays the top 10 virus names by using the virusname meta key, as populated by device class of Antivirus.

Operations—File Analysis Dashboard

The Operations—File Analysis dashboard displays a summary of the events that have been categorized according to the File Analysis meta key or applicable application rules.

The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the RSA NetWitness Hunting Guide and the Investigation Feed for more details about the contents of the pack and the suggested investigation techniques.

Sample dashboard screen:

Dependencies

Dashboards support various mediums, and each individual dashlet draws on one of them:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                  | Medium | Report Rule                  | Report Chart
-------------------------|--------|------------------------------|-------------------------
Windows Executable       | packet | Windows Executable Anomalies | Windows Executable
XOR Encrypted Executable | packet | XOR Encrypted Executable     | XOR Encrypted Executable
Java File Analysis       | packet | Java File Analysis           | Java File Analysis
PDF File Analysis        | packet | PDF File Analysis            | PDF File Analysis
ZIP File Analysis        | packet | ZIP File Analysis            | ZIP File Analysis
RTF File Analysis        | packet | RTF File Analysis            | RTF File Analysis

Note: All of the dashlets are also dependent upon the Hunting Pack.

Dashlets Contained in this Dashboard

The Operations—File Analysis dashboard contains the following dashlets:

  • Windows Executable: Displays the different Windows-compatible files seen on the system, grouped by file type. Analysts can prioritize investigation according to file type and perform a deep dive into a particular file.
  • XOR Encrypted Executable: Displays the source IPs of the hosts on which XOR-encrypted executables are detected. Analysts can prioritize investigation based on host IP.
  • Java File Analysis: Displays file analysis for Java and JavaScript files. Analysts can look for particular alerts related to Java or JS files.
  • PDF File Analysis: Displays file analysis for PDF files. Analysts can look for particular alerts related to PDF files.
  • ZIP File Analysis: Displays file analysis for ZIP files. Analysts can look for particular alerts related to ZIP files.
  • RTF File Analysis: Displays file analysis for RTF files. Analysts can look for particular alerts related to RTF files.

Operations—Protocol Analysis Dashboard

The Operations—Protocol Analysis dashboard displays a summary of the events that have been categorized according to the Service Analysis meta key for web-based protocols of HTTP, DNS and SSL.

The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the RSA NetWitness Hunting Guide and the Investigation Feed for more details about the contents of the pack and the suggested investigation techniques.

Note: To generate meta values for the HTTP - Non Standard dashlets, you need to set the advanced option to true in the HTTP_lua_options file. For details, see Edit the HTTP_lua Options File below.

Sample dashboard screen:

Dependencies

Dashboards support several mediums, and each individual dashlet is based on one medium:

  • Log: content parsed from events generated from logged data.
  • Packet: content parsed from events generated from network packet data.
  • Log and packet: content that correlates across log and packet events.

Additionally, some dashlets contain content that is parsed from either log or packet data.

The following table describes the dependencies for each dashlet, as well as other details.

Dashlet                         Medium   Dependencies
                                         Report Rule                     Report Chart
HTTP Headers Non Standard       packet   HTTP Headers Non Standard       HTTP Headers Non Standard
HTTP User Agents Non Standard   packet   HTTP User Agents Non Standard   HTTP User Agents Non Standard
HTTP Webshells                  packet   HTTP Webshells                  HTTP Webshells
Hostnames Non Standard          packet   Hostnames Non Standard          Hostnames Non Standard
DNS Non Standard                packet   DNS Non Standard                DNS Non Standard
HTTP Methods Non Standard       packet   HTTP Methods Non Standard       HTTP Methods Non Standard
SSL Non Standard                packet   SSL Non Standard                SSL Non Standard
SSL Self-Signed Certificates    packet   SSL Self-Signed Certificates    SSL Self-Signed Certificates

Note: All of the dashlets are also dependent upon the Hunting Pack.

Dashlets Contained in this Dashboard

The Operations—Protocol Analysis dashboard contains the following dashlets:

  • HTTP Headers Non Standard: Indicators of outbound traffic whose HTTP requests carry a suspiciously low number of headers. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
  • HTTP User Agents Non Standard: Indicators of outbound traffic with HTTP user agents that appear forged for malicious activity, such as user agents of maximum or very short length. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
  • HTTP Webshells: Inbound traffic with indicators of executable code placed on a web server to give an attacker remote code execution. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
  • HTTP Methods Non Standard: Displays HTTP sessions that use a method other than GET, as well as suspicious CONNECT methods. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
  • Hostnames Non Standard: Indicators of outbound traffic with non-standard hostnames that may indicate command-and-control behavior, port calculation or signaling of an action. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
  • DNS Non Standard: Indicators of outbound traffic to suspicious DNS servers or ports, or with unusually large DNS sessions. This provides a drill point into interesting sessions to investigate for additional signs of data exfiltration or evasion of reputable services.
  • SSL Self-Signed Certificates: Displays identified SSL sessions in which the certificate authority is the same as the certificate subject. Combined with traffic-flow metadata, these sessions can be used to discover beaconing behavior on a network.
  • SSL Non Standard: Identified SSL service on a port other than 443. Non-standard protocol indicators are atomic indicators that can be paired with others to hunt for malicious software.
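To make the conditions behind these dashlets concrete, here is an added example, not RSA NetWitness content, that applies the HTTP and SSL indicators described above to a handful of constructed session metadata records and groups the matching session ids under each indicator name. The field names (`header_count`, `cert_issuer`, and so on), the header-count and user-agent length thresholds, and the `indicators` and `summarize` functions are assumptions of this example, not NetWitness meta keys or report rules.

```python
"""Added example, not RSA NetWitness content: apply the session indicators the
Operations-Protocol Analysis dashlets describe to constructed session metadata.
Field names and thresholds are assumptions, not NetWitness meta keys or rules."""
from typing import Dict, List

MIN_HEADER_COUNT = 3               # assumed: fewer HTTP headers than this is "suspiciously low"
UA_MIN_LEN, UA_MAX_LEN = 4, 256    # assumed bounds for "short" and "max" user-agent lengths
STANDARD_SSL_PORT = 443


def indicators(s: Dict) -> List[str]:
    """Return the dashlet indicator names that apply to one session record."""
    hits: List[str] = []
    if s["service"] == "HTTP":
        outbound = s["direction"] == "outbound"
        if outbound and s["header_count"] < MIN_HEADER_COUNT:
            hits.append("HTTP Headers Non Standard")
        ua_len = len(s.get("user_agent", ""))
        if outbound and not (UA_MIN_LEN <= ua_len <= UA_MAX_LEN):
            hits.append("HTTP User Agents Non Standard")
        # Any method other than GET is of interest; CONNECT (proxy tunnelling) especially.
        if s["method"] != "GET":
            hits.append("HTTP Methods Non Standard")
    elif s["service"] == "SSL":
        if s["dst_port"] != STANDARD_SSL_PORT:
            hits.append("SSL Non Standard")
        # Self-signed: the certificate authority (issuer) is identical to the subject.
        if s["cert_issuer"] == s["cert_subject"]:
            hits.append("SSL Self-Signed Certificates")
    return hits


def summarize(sessions: List[Dict]) -> Dict[str, List[int]]:
    """Group session ids under each indicator, the way a dashlet drill point would."""
    out: Dict[str, List[int]] = {}
    for s in sessions:
        for name in indicators(s):
            out.setdefault(name, []).append(s["id"])
    return out


# Constructed session records (not real capture). Keys are illustrative only.
SESSIONS: List[Dict] = [
    {"id": 1, "service": "HTTP", "direction": "outbound", "method": "GET",
     "header_count": 7, "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "dst_port": 80},
    {"id": 2, "service": "HTTP", "direction": "outbound", "method": "POST",
     "header_count": 2, "user_agent": "x", "dst_port": 80},
    {"id": 3, "service": "HTTP", "direction": "outbound", "method": "CONNECT",
     "header_count": 4, "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "dst_port": 8080},
    {"id": 4, "service": "SSL", "direction": "outbound", "dst_port": 443,
     "cert_subject": "CN=example.com", "cert_issuer": "CN=Example Root CA"},
    {"id": 5, "service": "SSL", "direction": "outbound", "dst_port": 8443,
     "cert_subject": "CN=host", "cert_issuer": "CN=host"},
]

if __name__ == "__main__":
    for name, ids in summarize(SESSIONS).items():
        print(f"{name}: sessions {ids}")
```

Each of these is an atomic indicator: minimal update agents and command-line HTTP clients legitimately send few headers and short user agents, and internal services often present self-signed certificates, so in practice the session ids are a drill point to pair with flow metadata (periodicity, byte counts, destination) rather than a verdict on their own.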

Edit the HTTP_lua Options File

To generate the meta values needed to populate this dashboard, you need to edit the HTTP_lua_options.lua file as follows:

  1. Go to Live and deploy the HTTP_lua Options file to the decoder.
  2. In the Security Analytics menu, select Administration > Services.
  3. In the Services grid, select a Decoder.
  4. From the Actions menu, select View > Config, then select the Files tab.
  5. From the drop-down menu, select the HTTP_lua_options.lua file.
  6. Scroll to the end of the file, to the function advanced() section, and change return false to return true. The updated section should look like the following:

    function advanced()
        --[=[
        "Advanced Analysis" : default FALSE
        Perform advanced analysis of HTTP characteristics.
        Analysis includes only the first request and first response.
        Meta is registered to the key "proto.analysis".
        --]=]
        return true
    end