New Health and Wellness Dashboards

This topic provides the list of default New Health and Wellness dashboards and associated visualizations and metrics.

Deployment Health Overview Dashboard

This dashboard provides the overall health of the NetWitness Platform hosts and services. The following table provides the information on default visualizations available on this dashboard.

Note: The parameters and metrics listed below are the default values. You can customize the parameters and metrics of any visualization based on your requirement. For example, you can customize a visualization to view the CPU utilization for all the core services or any particular service.

Visualization Parameters and Metrics Objective Description
Alarms Summary

• Count of active alerts

• Alert severity

Provides the summary of active health alarms based on the severity.

Displays the active alarms grouped by severity (Critical, High, Medium, Low).
Offline Services

• Service name

• Status Time

• Refresh time 15 minutes

Identifies the list of unavailable services. Displays the list of offline services.
Stopped Archiver Aggregation

• Count of archivers where aggregation is stopped

• Refresh time 15 minutes

Identifies the number of Archivers where aggregation is stopped.

Displays the number of Archivers where aggregation is stopped. For more information, see Notifications.
Stopped Broker Aggregation

• Count of Brokers where aggregation is stopped

• Refresh time 15 minutes

Identifies the number of Brokers where aggregation is stopped. Displays the number of Brokers where aggregation is stopped. For more information, see Notifications.
Stopped Concentrator Aggregation

• Count of Concentrators where aggregation is stopped

• Refresh time 15 minutes

Identifies the number of Concentrators where aggregation is stopped.

Displays the number of Concentrators where aggregation is stopped. For more information, see Notifications.
Stopped Decoder/Log Decoder Capture

• Count of Decoders or Log Decoders where capture is stopped

• Refresh time 15 minutes

Identifies the number of Decoders or Log Decoders where capture is stopped. Displays the number of Decoders or Log Decoders where capture is stopped. For more information, see Notifications.
Total vs Offline Services

• Total number of services

• Count of offline services

• Refresh time 15 minutes

Identifies the number of offline services versus total number of services.

Displays the total number of services and the number of services that are offline.
Stopped State Aggregation & Capture

• Service name

• Host name

• Service version

Provides the list of services where aggregation and capture are stopped. Displays the list of services where aggregation and capture are stopped.

NetWitness Services Version Status

• Service version

Provides the status of NetWitness Platform service versions.

Displays the status of NetWitness Platform service versions.

NetWitness Services – Uptime Summary

• Service name

• Host name

• Running since

Provides an overview on the uptime of the services in the deployment. Displays the list of services and their uptime.

Memory Utilization Trend

• Service name

• Memory usage

Provides the memory utilization trend to detect any high utilizations and take necessary action.

Displays the memory utilization trend of the hosts.

Current CPU Usage

• Service name

• CPU usage

Provides the CPU usage trend of the hosts to identify any high utilizations and take necessary action. Displays the current CPU usage of the services.

Current Disk Usage

• Service name

• Disk usage

Provides the disk utilization in real time to identify any high utilizations and take necessary action.

Displays the current disk usage of the hosts.

Capture Rate for Log Decoders

• Service name

• Capture rate

Provides the capture rate trend to identify any high values and take necessary action. Displays the trend of Log Decoders capture rate.

Capture Rate for Network Decoders

• Service name

• Capture rate

Provides the capture rate trend to identify any high values and take necessary action.

Displays the trend of Network Decoders capture rate.

Session Aggregation Rate and Trend for Concentrators

• Service name

• Session aggregation rate

Provides an overview on the session rate of the Concentrators to identify any high values and take necessary action. Displays the session aggregation rate and trend of Concentrator.

Retention Summary

• Service id

• Service name

• Running on host

• Oldest meta file time

• Oldest packet file time

• Oldest session file time

Provides a quick view on the current retention of the Decoders, Concentrators and Archivers to check if the retention is lower than the configured retention.

Displays the oldest date for meta, session, and packet data present in Decoders, Log Decoders, and Concentrators.

Total CPU Usage Trend for Services

• CPU usage

• Service name

Provides the CPU usage trend of the services to detect the high utilization and take necessary action. Displays the top 20 services where CPU usage is high.

Total Memory Usage Summary for Services

• Service name

• Memory usage

Provides the memory usage summary of NetWitness Platform services to detect any high usage and take necessary actions.

Displays the top services that are utilizing the resident memories.

Hosts Dashboard

This dashboard provides the resource utilization and health of NetWitness hosts in your deployment. The following table provides information on default Visualizations available on this dashboard.

Visualization Metrics Objective Description
Disk Used

• Disk usage

Provides the current disk usage of the hosts to detect the high utilization and take immediate action.

Displays the current disk usage of the host.
Current Memory Usage vs Total Available

• Current memory usage

• Total available memory

Provides the current memory usage versus total available memory to identify high usage and take necessary action. Displays the current memory usage and total available memory of the host.
Current Disk Usage vs Total Available Disk

• Current disk usage

• Total available disk

Provides the current disk usage versus total available disk to identify high usage and take necessary action.

Displays the current disk usage versus total available disk.
Disk Usage by Partitions

• Disk partition

• Disk usage

Provides the disk usage by different partitions to identify high usage and take necessary action. Displays the list of partitions and associated disk percentage.
Resident Memory Usage by Services

• Service name

• Resident memory usage

Provides the resident memory usage per service to identify high usage and take necessary action.

Displays the resident memory usage of the service.
Memory Usage

Memory usage

Provides the current memory usage percentage of the hosts to identify high memory usage and take necessary action. Displays the memory usage of the host.
CPU Usage

CPU usage

Provides the CPU usage percentage to identify high usage and take necessary action.

Displays the CPU usage of the host.
CPU Usage by Services

• Service name

• CPU usage

Provides the CPU Percentage per service to detect high usage and take necessary action. Displays the CPU usage of the service.

Interfaces by Incoming Traffic

Incoming traffic on interfaces

Provides the trend of incoming traffic on interfaces to detect any deviation on time.

Displays the incoming traffic on interfaces.

Interfaces by Outgoing Traffic

Outgoing traffic on interfaces

Provides the trend of outgoing traffic on interfaces to detect any deviation on time. Displays the outgoing traffic on interfaces.

Services by Open File Descriptors

• Services

• Open file descriptor

Provides the list of open file descriptors associated with a service.

Displays the list of open file descriptors associated with a service.

TOP APPLIANCES BY DISK IO READ (Line) Vs WRITE (Bar)

• Service name

• Disk IO Read

• Disk IO Write

Provides the list of top appliances by disk IO read and write to detect any high usage and take necessary action. Displays top appliances based on disk IO read and write usage.

Total Inbound Traffic for All Interfaces

• Count of inbound traffic on Interfaces

• Total transferred traffic

Provides the total inbound traffic to detect any deviation on time.

Displays the current inbound traffic and total transferred traffic.

Total Outbound Traffic for All Interfaces

• Count of outbound traffic on Interfaces

• Total transferred traffic

Provides the total outbound traffic to detect any deviation on time. Displays the current outbound traffic and total transferred traffic.

Logs Dashboard

This dashboard provides information on various NetWitness Platform logs. The following table provides information on default Visualizations available on this dashboard.

Visualization Metrics Objective Description
Log Decoders by Capture Rate

• Service name

• Capture Rate

Provides the capture rate of Log Decoders to detect high capture rate on time and take necessary action. Displays the Log Decoders by capture rate.
Log Decoders by Capture Packet Rate

• Service name

• Capture Packet Rate

Provides the capture packet rate of Log Decoder to detect high capture packet rate on time and take necessary action. Displays the Log Decoders by capture packet rate.
Log Decoders by CPU Percentage

• Service name

• CPU usage

Identifies the Log Decoders by CPU usage to detect high usage and take necessary action. Displays the Log Decoders by CPU usage.
Log Decoders by Resident Memory Usage

• Service name

• Resident Memory Usage

Identifies the Log Decoders by resident memory usage to detect high usage and take necessary action. Displays the Log Decoders by resident memory usage.
SDK Active Queries on Concentrators

• Service name

• Count of active queries

Identifies the Concentrators by SDK active queries. Displays Concentrators by SDK active queries.
Concentrators Status

• Service running on host

• Service type

• Service version

• Aggregation status

• Average session rate

• Max session rate

• Active queries

Provides the Concentrator status. Displays the list of Concentrators and their status.
Concentrator Session Aggregation Rate [Trend]

• Service name

• Session rate

Provides the trend of Concentrator session aggregation rates to detect high session rates and take necessary action. Displays Concentrator session aggregation rate.
SDK Active Queries on Brokers

• Service name

• Count of Active Queries

Identifies the Brokers by SDK active queries. Lists Brokers by SDK active queries.
Brokers Status

• Service running on host

• Service type

• Service version

• Aggregation status

• Average session rate

• Max session rate

• Active queries

Provides the Broker status. Displays the list of Brokers and their status.

Packet Overview Dashboard

This dashboard provides information on NetWitness Platform network data. The following table provides information on default Visualizations available on this dashboard.

Visualization Metrics Objective Description
Network Decoders by Capture Rate

• Service name

• Capture rate

Identifies the capture rate of Network Decoder to detect high value and take necessary action. Displays Network Decoders by capture rate.
Network Decoders by Capture Drop

• Service name

• Capture drop percentage

Identifies the capture drop rate of Network Decoders to detect drop rate and take necessary action. Displays Network Decoders by capture drop.
Network Decoders by CPU Percentage

• Service name

• CPU usage

Identifies the Network Decoders by CPU usage to detect high usage and take necessary action. Displays Network Decoder by CPU used.
Network Decoders by Resident Memory Usage

• Service name

• Resident memory usage

Identifies the Network Decoders by resident memory usage to detect high usage and take necessary action. Displays Network Decoder by resident memory usage.
SDK Active Queries on Concentrators

• Service name

• Count of active queries

Identifies the concentrators by SDK active queries. Displays Concentrators by SDK active queries.
Concentrators Status

• Service running on host

• Service type

• Service version

• Aggregation status

• Average session rate

• Max session rate

• Active queries

Provides the Concentrator status. Displays the list of Concentrators and their status.
Concentrator Session Aggregation Rate [Trend]

• Service name

• Session rate

Provides the trend of Concentrator session aggregation rate to detect high value and take necessary action. Displays the trend of concentrator session aggregation rate.
SDK Active Queries on Brokers

• Service name

• Count of active queries

Identifies the Brokers by SDK active queries. Displays the Brokers by SDK active queries.
Brokers Status

• Service running on host

• Service type

• Service version

• Aggregation status

• Average session rate

• Max session rate

• Active queries

Provides the Broker status. Displays the list of Brokers and their status.

Analysis Dashboard 

This dashboard provides details about Reporting Engines on Primary UI or Analyst UI. The following table provides the information on default Visualizations available on this dashboard.

Visualization Metrics Objective Description
Reporting Engine Rule Query Executions

• Hostname

• Failed rule executions

• Cancelled rule execution

• Active rule execution

• Total rule execution

Provides the status of the queries executed by Reporting Engine to detect any deviations on time. Displays the queries executed by Reporting Engine.
Reporting Engine Reports Executions

• Hostname

• Failed in last hour

• Running more than one hour

• Cancelled in last hour

• Output actions failed in last hour

Provides the status of the reports executed by Reporting Engine to detect any deviations on time. Displays the Reporting Engine reports.
Reporting Engine Alerts Execution

• Enabled alerts

• Execution failed

• Execution skipped in last 10 minutes

• Running alerts

• Output actions failed in last 10 minutes

Provides the status of the alerts generated by Reporting Engine to detect any deviations on time. Displays the Reporting Engine alerts.
Reporting Engine Charts Executions

• Hostname

• Enabled charts

• Execution failed

• Execution cancelled in last 10 minutes

Provides the status of the charts executed by Reporting Engine to detect deviations on time. Displays Reporting Engine charts.
Reporting Engine Disk Usage

• Disk Used

• Total disk space

Provides the disk usage by Reporting Engine to detect any deviations or high usage and take necessary action. Displays the disk used by Reporting Engine.
Unassigned Open Incidents

Count of unassigned open incidents

Identifies unassigned incidents to assist the Administrator in taking necessary action. Displays the unassigned incidents.
Incidents Sent to Archer

Count of incidents sent to Archer

Provides statistics on the incidents sent to Archer to assist the Administrator in taking necessary action. Displays the incidents sent to Archer.

Endpoint Dashboard

This dashboard provides information on NetWitness Endpoints and agents installed on Endpoints. The following table provides information on default Visualizations available on this dashboard.

Visualization Metrics Objective Description
Endpoint Server to Agent Communication Queued

• Service name

• Count of queued request to Agent

Provides an overview of the queued agent communication to the Endpoint Server to identify any issues around the queued communication. Displays the queued request to agent.
Endpoint Server to Agent Communication Rejected Count

• Service name

• Count of rejected request to agent

Provides an overview of rejected agent communication to the Endpoint Server to identify any issues related to the rejected count. Displays the rejected request to agent.
Endpoint Agent Overview

• Hostname

• Total active agents

• Active advanced

• Active insights agents

• Active advanced windows agents

• Active advanced linux agents

• Active advanced mac agents

Provides an overview of Endpoint Agents. Displays the list of agents and their details.
Relay Servers Overview

• Hosts

• Total relay servers

• Agents communicated via relay server

• Agents communicated in last two days via relay server

Provides an overview of the Relay Servers. Displays the Relay server details.
Files Count by File Status

• Count of blacklisted files

• Count of graylisted files

• Count of neutral files

• Count of whitelisted files

Provides an overview of file status by count to assist an Administrator on the overall statistics of Endpoint actions on files. Displays the file count of file statuses.
Files Count by Certificate Status

• Count of blacklisted certificates

• Count of graylisted certificates

• Count of neutral certificates

• Count of whitelisted certificates

Provides an overview on certificate status to assist an Administrator to take necessary action. Displays the count of certificate statuses.
File Count by Reputation Status

• Count of unknown status

• Count of suspicious status

• Count of malicious status

• Count of known good status

• Count of known status

• Count of invalid status

Provides an overview on the reputation status to assist an Administrator to take necessary action. Displays the count of files reputation status.
Endpoint Hosts with Risk Score Greater than 90

Count of hosts with risk score greater than 90

Identifies the number of hosts with risk score higher than 90 for immediate attention. Displays the count of hosts with risk score greater than 90.
Endpoint Files with Risk Score Greater than 90

Count of files with risk score greater than 90

Identifies the number of files with risk score higher than 90 for immediate attention. Displays the count of files with risk score greater than 90.

ESA Correlation Overview Dashboard

This dashboard provides health statistics and trends on the ESA deployment. The following table provides the information on default Visualizations available on this dashboard.

You can choose the ESA host and Deployment name for the Dashboard view source using the filter.

Visualization Metrics Objective Description
Sessions Behind by Sources

Count of sessions behind by sources.

Provides the session behind trend for the sources to take necessary actions when the session behind goes higher. Displays the count of sessions behind by sources.

Sessions Rate by Sources

Count of sessions rate by sources.

Provides the session rate trend for the sources to take necessary actions when the session rate goes higher. Displays the count of sessions rate by sources.

Top Rules by Memory

Memory used by rules.

Provides the memory usage per rule to identify the rule with high memory usage and take necessary action. Displays the top rules based on memory usage.

Top Rules by CPU

CPU used by rules.

Provides the CPU usage per rule to identify the rule with high CPU usage and take necessary action. Displays the top rules based on CPU usage.

ESA Correlation Resident Memory Usage

Resident memory usage.

Provides the resident memory usage trend to detect high usage and take necessary action. Displays the trend of ESA correlation resident memory usage.

ESA Correlation CPU Usage

CPU usage.

Provides the CPU usage trend to detect high usage and take necessary action. Displays the trend of ESA correlation CPU usage.

ESA CR - Event Rate by Deployments

Event rate of each ESA correlation deployment.

Identifies the event rate by each deployment under ESA Correlation to detect high usage and take necessary action. Displays the trend of ESA correlation event rate of each deployment.

Logstash Input Plugin Dashboard

The Logstash Input Plugin dashboard provides insight on Logstash event source and the NetWitness Input Plugin.

Prerequisites

  • You must install New Health and Wellness. For more information, see New Health and Wellness.

  • You must download the Logstash Input Plugin Dashboard from NetWitness Live. For more information, see Advanced Configurations.

The following table provides the information on default Visualizations available on this dashboard.

Visualization Metrics Objective Description
Logstash Inactive Pipelines
  • Inactive pipeline
  • Total number of Pipeline
Provides the summary of inactive pipelines. Displays the total number of inactive pipelines.
Logstash Inactive Sources
  • Inactive sources
  • Total number of sources
Provides the summary of inactive sources. Displays the total number of inactive sources.
Logstash Incoming Rate
  • Incoming rate of Logstash event sources.
Provides the trend of incoming rate for Logstash event source. Displays the trend of Logstash incoming rate.
Logstash Outgoing Rate
  • Outgoing rate of Logstash event sources.
Provides the trend of outgoing rate for Logstash event sources. Displays the trend of Logstash outgoing rate.
Logstash Data Persistence
  • Count of persisted Logstash event source.
Provides the trend of persisted Logstash event source to take necessary actions when the persisted data count goes higher. Displays the trend of Logstash persisted data.
Logstash Pipelines status
  • Inactive pipelines
  • Active pipelines
  • Total number of pipelines
Provides the status of Logstash pipeline. Displays the status of Logstash pipeline.
Sources by Input event rate
  • Input rate of sources
Provides the trend of source input rate to identify any high values and take necessary action. Displays the trend of source input event rate.
Sources by Sessions behind
  • Logstash session behind
Provides the trend of Logstash session behind to identify any high values and take necessary action. Displays the trend of Logstash session behind.
Events to consumer (Output Plugin)
  • Output event rate
Provides the trend of output event rate to identify any high values and take necessary action. Displays the trend of Logstash output event rate.
Logstash Service Uptime
  • Service start time
  • Host name
  • Service name
Provides the time when the service is active. Displays the time when the service is running.
Source Status
  • Stream status
  • Source host
  • Service type
  • Service version
  • Logstash host
  • Average input event rate
  • Average source session rate
  • Average session behind
Provides the overall status of the services. For example, the stream status of the Decoder connected with Logstash. Displays the list of all services and their status.
Logstash Services by CPU Usage
  • CPU usage
  • Service name

Provides the CPU usage trend of the Logstash services to identify any high utilizations and take necessary action.

Displays the CPU utilization trend of the Logstash services.

Logstash Service by Resident Memory Usage

  • Resident memory usage
  • Service name

Provides the resident memory usage trend of the Logstash services to identify any high utilizations and take necessary action.

Displays the resident memory utilization trend of the Logstash services.

License Usage Dashboard

The License Usage Dashboard provides License usage statistics and trends on the Log Decoder, Packet Decoder, Endpoint, UEBA, and Malware services and at aggregated levels under throughput license. It provides an overview of the usage of all types of Throughput licenses in your deployment.

It helps you:

  • Track daily license usage for individual hosts

  • Track daily usage of Throughput licenses for all the hosts in your deployment

  • Download license usage reports

Prerequisites

IMPORTANT: The date shown in the user interface is set by the browser’s time zone, which may be different from the time zone of the Admin server host. To make the date shown in the user interface match the Admin server, change the time zone setting under Stack Management > Advanced Settings. Updating the time zone under Advanced Settings affects other DateTime displays throughout the user interface.

The following table provides the information on default Visualizations available on this dashboard. You can choose any host and Deployment name for the Dashboard view source using the filter.

Visualization Metrics Objective Description
Packets Analyzed
  • Usage in bytes
  • Per day

Provides the packet data analyzed in bytes for Packet Decoder. Helps to track daily usage. Displays the packet data analyzed daily in bytes.
Packets on Disk
  • Usage in bytes
  • Per day

Provides the amount of data stored on the disk daily in bytes for the Packet Decoder.

Helps to track daily usage.

Displays the amount of packet data usage on the disk daily in bytes.
Logs Processed
  • Usage in bytes
  • Per day
Provides the Log data processed in bytes for Log Decoders. Helps to track daily usage. Displays the Log data processed daily in bytes.
Users Analyzed
  • Users Analyzed
  • Per day
Provides the number of users analyzed. Helps to track daily usage. Displays the number of users analyzed daily.

Files Analyzed

  • Usage in bytes
  • Per day

Provides the files analyzed in bytes. Helps to track daily usage.

Displays the files analyzed daily in bytes.

Hosts Analyzed
  • Hosts Analyzed
  • Per day
Provides the number of hosts analyzed. Helps to track daily usage. Displays the number of hosts analyzed daily.

Aggregate Usage - Logs Processed

  • Usage in bytes
  • Per day

Provides the aggregated log data from all the log services under the throughput license. Helps to track daily usage, detect high value, and take necessary action.

Displays the aggregated log data from all the log services daily.

Aggregate Usage - Packet Analyzed
  • Usage in bytes
  • Per day
Provides the aggregated packet data from all the packet services under the throughput license. Helps to track daily usage, detect high value, and take necessary action. Displays the aggregated packet data from all the packet services daily.

Aggregate Usage - Packets on Disk

  • Usage in bytes
  • Per day

Provides the aggregated packet data stored on the disk from all the packet services under the throughput license. Helps to track daily usage, detect high value, and take necessary action.

Displays the aggregated packet data stored on the disk from all the packet services daily.

Aggregate Usage - File Analyzed
  • Usage in bytes
  • Per day
Provides the aggregated file usage in bytes from all the Malware services under the throughput license. Helps to track daily usage, detect high value, and take necessary action. Displays the aggregated file usage in bytes from all the Malware services daily.

Aggregate Usage - Host Analyzed

  • Hosts analyzed
  • Per day

Provides an aggregated list of hosts from all the endpoint servers under the throughput license. Helps to track daily usage, detect high value, and take necessary action.

Displays an aggregated list of hosts from all the hosts daily.

Aggregate Usage - User Analyzed
  • Users analyzed
  • Per day
Provides the aggregated users from all the UEBA servers under the throughput license. Helps to track daily usage, detect high value, and take necessary action. Displays the aggregated users from all the UEBA servers daily.