Configure the Malware Analysis Summary of Events View

The Summary of Events provides a summary of the scan being investigated. Below the summary are configurable dashlets such as visualization charts and listings. By default, the Summary of Events for a scan opens with the default dashlets displayed. You can customize the view by adding, modifying, and deleting dashlets. Your dashlet customizations persist across scan investigations, and you can restore the default dashlets at any time. The default dashlets are:

  • Summary of Events (Fixed)
  • Event Timeline
  • Top Listing of Highly Suspicious Malware
  • Meta Treemap
  • Score Wheel
  • Meta Breakdowns

The following figure is an example of the default Summary of Events.

[Figure: default Summary of Events view (netwitness_mwavw.png)]

The rest of this topic provides instructions for managing and configuring dashlets.

Add a Dashlet

You can add multiple copies of dashlets in the Malware Analysis Summary of Events. To add a dashlet:

  1. In the toolbar, select Add.
    The drop-down list of dashlets is displayed. There are four visualization options: Score Wheel, Meta Treemap, Meta Breakdowns, and Event Timeline. The other three dashlets are the same dashlets available in the NetWitness dashboard: Malware with high Confidence IOCs and High Scores, Top Listing of Highly Suspicious Malware, and Top Listing of Possible Zero Day Malware. Details for these common dashlets are provided in "Dashlets" in NetWitness Content.
  2. Select a dashlet.
    The new dashlet is added as the last dashlet below the existing dashlets.
  3. If the dashlet is a duplicate of an existing dashlet, change the name of the new dashlet so that it is unique.

Modify or Delete a Dashlet Using Toolbar Options

Each dashlet has a toolbar that offers options for modifying the dashlet. The visualization charts have the same configuration settings, while some of the other dashlets have different additional settings.

[Figure: dashlet toolbar (netwitness_dashlettb_750x22.png)]

To use the toolbar options:

  • To close a dashlet so that only the title bar is displayed, click the icon (netwitness_dashclose.png).
  • To open a dashlet that is closed, click the icon (netwitness_dashopen.png).
  • To display the configurable settings for a dashlet, click the icon (netwitness_dashsettings.png).
    The settings dialog for the dashlet is displayed.
  • To delete a dashlet, click the icon (netwitness_dashremove.png).

Apply Threshold Filter to Multiple Dashlets

Within dashlets, you can set a threshold to show only events equal to, above, or below a certain score in the four categories (Static, Network, Community, and Sandbox). This procedure sets the thresholds by dashlet type for these dashlets: Event Timeline, Score Wheel, and Meta Treemap. You can also set the threshold for individual dashlets.

  1. In the toolbar, select the icon (netwitness_actiondd.png) > Apply Threshold Filter.
    The Apply Threshold Filter dialog is displayed.
    [Figure: Apply Threshold Filter dialog (netwitness_thresfiltdg.png)]
  2. Select one or more dashlet types: Event Timeline, Score Wheel, and Meta Treemap.
  3. Drag the corresponding slider or enter a numeric value, then select an operator in the drop-down list: =, >=, or <=.
  4. Click Apply.
    The threshold filters are applied to the selected dashlet types in the Summary of Events.

Set Title and Category Options for a Dashlet

  1. To display the configurable settings for a dashlet, click the icon (netwitness_dashsettings.png).
    The Options dialog for the dashlet is displayed.
    [Figure: dashlet Options dialog (netwitness_evtloptions.png)]
  2. Type a new title for the dashlet in the Title field.
  3. If you want to see only events that are influenced by a High Confidence tag, which means there is high confidence that the event contains harmful code, check the Influenced By High Confidence Only option.
  4. If you want to see only events that were given a score equal to, above, or below a certain score in the four categories (Static, Network, Community, and Sandbox), drag the corresponding slider or enter a numeric value, then select an operator in the drop-down list: =, >=, or <=.
  5. Click Apply.
    The title and filters are applied to the dashlet.

Order Dashlets

To change the order of dashlets as they appear beneath the Summary of Events:

  1. In the toolbar, select the icon (netwitness_actiondd.png) > Order Dashlets.
    The Order Dashlets dialog is displayed.
    [Figure: Order Dashlets dialog (netwitness_orderdashdg.png)]
  2. Select a dashlet that you want to move up or down, and click the move-up icon (netwitness_moveup.png) or the move-down icon (netwitness_movedown.png).
  3. When you are satisfied with the order, click Apply.
    The dialog closes and the order of dashlets below the Summary of Events is changed to match your choices.

Restore Default Dashlets

After you have added, modified, and arranged dashlets, you can revert to the default settings for dashlet display. To restore the default dashlets:

  1. In the toolbar, select the icon (netwitness_actiondd.png) > Restore Default Configuration.
    A dialog requests confirmation that you want to restore the configuration.
  2. Do one of the following:
    1. If you decide to keep the dashlet arrangement you have configured, click No.
    2. If you are sure that you want to restore the defaults, click Yes.
      The dashlet display reverts to the default display.