Introduction
Dashboarding is an important part of RSA Netwitness Orchestrator(NWO). It is important to create a dashboard as it allows an an analyst to view data in one centralized location, and when customized effectively, displays the relevant and important data that analysts need for them to make quick decisions.
In this guide, it shows how to create a dashboard card and recommends some potential useful cards that analysts should have on their dashboard relating to case management.
How to create a dashboard
On NWO, create a new dashboard by navigating to the top tab. Under the dashboards drop down, press the option new dashboard
Enter a name for the dashboard, like Case Management.
You will be greeted with a blank dashboard. To add a new card, navigate to the top right and press the plus button.(Next to the Padlock Icon)
Dashboard Cards are used for populating the dashboards, which is explained in the next section.
Dashboard Cards Configuration
1. Case count by resolution
Explanation of Dashboard Card
This dashboard card displays statistics of the resolution of cases . Examples of resolutions are: “In progress/Investigating”, ”Containment achieved”.. etc
Sample Dashboard output:
To achieve the dashboard card shown above, refer to the following:
| Configuration Options |
Sample Image of Configuration |
|
Card type: New Query
Card Name: Incident Count by Resolution
Display type: Chart
Query by: Cases
Grouping: Resolution |
|
Table of selectable resolutions in cases:
2. Open Cases by Status
Explanation of Dashboard Card
This dashboard card displays the statistics of the current status of NWO cases.
Sample Dashboard Output:
To achieve the dashboard card shown above, refer to the following:
| Configuration Options | Sample Image of Configuration |
|
Card type: New Query
Card Name: Open Cases by Status
Display type: Chart
Query by: Cases
Grouping: Status
Chart type: Advanced Pie Chart |
|
3. Closed Case within last 24 hours
Note: Only available on NWO v6.3.1
Explanation of Dashboard Card
This dashboard card displays the usernames of the analysts who have closed cases within the last 24 hours.
Sample Dashboard Output:
To achieve the dashboard card shown above, refer to the following:
| Configuration Options | Sample Image of Configuration |
|
Card type: New Query
Card Name: Closed Case within last 24 hours
Display Type: Chart
Query by: Cases
Advanced query: caseCloseTime>="TODAY()" && caseCloseTime<"TODAY()+24 HOURS"
Grouping: Case close user Other Charts: Number Cards |
|
4. Open Cases by Severity
Explanation of Dashboard Card
The purpose of this dashboard card is to display statistics of the number of open cases in NWO based on their severity.
Sample Dashboard Output:
To achieve the dashboard card shown above, refer to the following:
| Configuration Options | Sample Image of Configuration |
|
Card type: New Query
Card Name: Open Cases by Severity
Display type: Chart
Query by: Cases
Advanced query: status=”Open”
Grouping: severity |
|
5. Mean time to resolution
Note: Only available in NWO v6.3.1
Explanation of Dashboard Card
The purpose of this dashboard card is to provide a mean calculation of how long analysts took to close cases.
Sample Dashboard Result:
To achieve the dashboard card shown above, refer to the following:
| Configuration Options | Sample Image of Configuration |
|
When creating a new dashboard card, there is a metric section. MTTR option is selected. Card type: Metric, MTTR
Card Name: Mean time to Resolution
Important Note: A case must first be closed for this option to pop up. |
|
6. Open Case Assignments
Explanation of Dashboard Card
All Open cases : All Open Cases in NWO will be displayed. The data that will be displayed are the name of the cases, assignee, severity and created date of the cases.
My Open Cases: Cases that are only assigned to you(current user logged in) will be displayed. The data that will be displayed are the name of the cases, severity and created date of the cases.
Sample Dashboard Result:
All open cases:
My Open cases:
To achieve the dashboard card shown above, refer to the following:
| Configuration Options | Sample Image of Configuration |
|
Card type: Widget, All Open Cases |
|
|
Card type: Widget, All Open Cases |
|
7. Incidents by Category
Explanation of Dashboard Card
This dashboard card provides an overview of the case count against the categories that they were assigned.
Sample Dashboard Result:
To achieve the dashboard card shown above, refer to the following:
| Configuration Options | Sample Image of Configuration |
|
Card type: New Query
Card Name: Incidents by Category
Display Type: Chart
Query by: Cases
Grouping: Tag
Optional Advanced query: tag!=”Netwitness”(If you are using the playbooks included in the starter pack, it will automatically assign the tag Netwitness so it is best to omit it) |
|
Conclusion
NWO features easily customizable dashboards to fit an individual analyst’s needs. There are many configuration options that Netwitness Orchestrator offers in terms of dashboarding, this only shows some examples to help you get started. I hope this blog post gives you some insight and was informative, and gives you some inspiration on how to populate your own dashboards with data that interests you.
