Dashboard
The Dashboard is the first area you see when you open the Security Operations application. It lets you monitor the current state of the system at a glance through a searchable set of widgets that both inform and enable action and pivoting. Some widgets are interactive: you can click specific elements to define filters based on those parameters.
The widgets in the Dashboard are divided into three areas: Alerts, Analytics, and Investigation.
Click the ellipsis icon next to an area name and select Show/Hide widgets to choose which widgets are displayed in that area. Widgets shown in blue are the ones currently displayed on the dashboard. Select the widgets you want and click OK to save the changes.
You can also hide a widget by clicking the eye icon in its top right corner. By default, all available widgets are shown.
Alerts
This section displays the number of alerts detected in SecOps during the last 24 hours, broken down by criticality, by triaged/not triaged status, and by MITRE ATT&CK technique.
| Widget | Description |
|---|---|
| Most critical and uninvestigated alerts | This widget displays, for alerts with High and Critical priority, the number of alerts that have not been investigated and the total number of alerts. The first number is the count of alerts not yet triaged; the second is the total number of alerts with that priority. Click a priority button to filter only alerts of that priority, or go to the Triage area to work with those alerts. |
| Alert types stacked by MITRE ATT&CK techniques | This column chart shows the number of alerts of each type, with each column split by the share of MITRE ATT&CK techniques within that type. Hover over a column section to see the count of alerts assigned that specific technique. |
| Total alerts funnel chart | This funnel chart shows the total number of alerts and compares that size with the alerts of a specific type and with enriched and triaged alerts. The top of the funnel shows all alerts and the alerts of the selected type; below those are the alerts enriched with MITRE ATT&CK information, and at the bottom the alerts that have been triaged. Choose the alert type to display in the Alert type drop-down selector. |
| Top alerts by MITRE ATT&CK | This table lists the most frequently triggered alerts by MITRE ATT&CK tactic. Use the controls at the bottom of the widget to move between pages and to set the number of rows per page. |
| Top entities by alert | This column chart shows the entities (IP addresses, hostnames, users, ...) most often related to alerts. Click a column to add a filter on that entity in the Triage area. |
| Top alert tags used | This table shows the 10 alert tags most used in your SecOps environment. The count for each tag appears next to its name. |
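To make the definitions behind the Alerts widgets concrete, here is an added Python example (not part of the original documentation and not the application's own code) that derives the "not triaged / total" pair per priority, the funnel stages, and the per-type technique breakdown from a list of alert records. The alert records and their field names (`priority`, `type`, `triaged`, `techniques`) are constructed for illustration, and the assumption that each funnel stage is a subset of the previous one is mine; the page does not state how the stages nest.

```python
from collections import Counter, defaultdict

# Constructed sample alerts for illustration only (field names are assumptions,
# not the application's data model).
ALERTS = [
    {"id": 1, "priority": "Critical", "type": "Malware", "triaged": False,
     "techniques": ["T1059"]},
    {"id": 2, "priority": "Critical", "type": "Malware", "triaged": True,
     "techniques": ["T1059", "T1105"]},
    {"id": 3, "priority": "High", "type": "Brute force", "triaged": False,
     "techniques": ["T1110"]},
    {"id": 4, "priority": "High", "type": "Brute force", "triaged": False,
     "techniques": []},
    {"id": 5, "priority": "Medium", "type": "Malware", "triaged": True,
     "techniques": []},
    {"id": 6, "priority": "Low", "type": "Recon", "triaged": False,
     "techniques": ["T1046"]},
]


def critical_uninvestigated(alerts, priorities=("High", "Critical")):
    """Return {priority: (not_triaged, total)}: the two numbers the
    'Most critical and uninvestigated alerts' widget shows per priority."""
    result = {}
    for prio in priorities:
        of_prio = [a for a in alerts if a["priority"] == prio]
        not_triaged = sum(1 for a in of_prio if not a["triaged"])
        result[prio] = (not_triaged, len(of_prio))
    return result


def alert_funnel(alerts, alert_type):
    """Funnel stages: all alerts -> alerts of the selected type ->
    alerts enriched with MITRE ATT&CK techniques -> triaged alerts.
    Assumption: each stage is a subset of the previous one."""
    of_type = [a for a in alerts if a["type"] == alert_type]
    enriched = [a for a in of_type if a["techniques"]]
    triaged = [a for a in enriched if a["triaged"]]
    return {
        "total": len(alerts),
        "of_type": len(of_type),
        "enriched": len(enriched),
        "triaged": len(triaged),
    }


def techniques_by_type(alerts):
    """Return {alert_type: {technique: count}}, the per-type stacking
    behind the 'Alert types stacked by MITRE ATT&CK techniques' chart."""
    stacked = defaultdict(Counter)
    for a in alerts:
        for technique in a["techniques"]:
            stacked[a["type"]][technique] += 1
    return {alert_type: dict(counts) for alert_type, counts in stacked.items()}


def technique_share(alerts, alert_type):
    """Percentage of alerts of the given type that carry each technique
    (rounded to two decimals)."""
    of_type = [a for a in alerts if a["type"] == alert_type]
    counts = techniques_by_type(of_type).get(alert_type, {})
    return {t: round(100.0 * n / len(of_type), 2) for t, n in counts.items()}


if __name__ == "__main__":
    print(critical_uninvestigated(ALERTS))
    print(alert_funnel(ALERTS, "Malware"))
    print(techniques_by_type(ALERTS))
    print(technique_share(ALERTS, "Malware"))
```

Running the script on the constructed alerts yields Critical = (1, 2) and High = (2, 2) for the priority widget, and a Malware funnel of 6 total, 3 of type, 2 enriched and 1 triaged.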
Analytics
The widgets in this area show global analytics for the system and highlight data that may have a high impact.
| Widget | Description |
|---|---|
| Pew Pew map of firewall traffic | This chart shows geolocated firewall traffic (based on public IP addresses) during the last hour as a dynamic Pew Pew map. |
| Entities graph map | This chart shows the most important entities involved in alerts and investigations, geolocated by country. Click the nodes icon to see all the associations between entities clearly, and arrange them visually using the options in the Layout drop-down menu that appears. Click the globe icon to return to the default world map view. The power of this graph lies in its simplicity, and each bubble offers a lot of information: |
| Top entities by impact | This table lists the 10 entities with the highest impact. Use the controls at the bottom of the widget to move between pages and to set the number of rows per page. |
| Closed investigations by user | This column chart shows the users who closed investigations over the last 7 days and the total time (in hours) they spent closing them. Investigations with High, Medium, and Low priority are grouped by user. The dashed line indicates the average time all users take to close an investigation. |
Investigation
This group of widgets shows information about the investigations created in the application.
| Widget | Description |
|---|---|
| Open investigations by date | A list of all open investigations in SecOps, ordered by creation date. Click a column title to sort by that column. Click the name of an investigation to open it in the Investigations area. |
| Alerts conversion by type | Shows the total number of alerts per type, split into alerts that have been added to an investigation and alerts that have not. |
| Investigations labels word cloud | This widget shows the labels used most often in investigations. Click a label to open the Investigations area filtered to investigations with that label. |