Filter Dashlet Data in the Summary of Events View
The Summary of Events provides a summary of the scan being investigated with selectable dashlets. The Summary of Events is fixed, but Analysts can configure each dashlet to filter out information and drill into the data.
The rest of this topic provides instructions for managing and configuring dashlets.
Configure the Score Wheel Dashlet
The Score Wheel is a high-level visualization of analyzed sessions that scored high, medium, or low in each of the scoring categories: Static, Network, Community, and Sandbox. The Score Wheel is a quick way to drill into sessions to review them. Each ring represents a different scoring category so that you can visually compare results by category.
You can change the order of the rings to highlight indicators of compromise that were flagged in one category but not in another category. Comparing the same results in a different sequence of the rings provides visibility into additional vulnerabilities in a session, and you can drill into sessions of interest. The following examples show two possible use cases.
Zero-Day Candidates Example
This example shows how to drill into sessions that the Community did not flag as malicious, but all other scoring categories did. The resulting list of sessions highlights zero-day candidates.
- Configure the Score Wheel rings in the following sequence:
  Community (innermost) > Static > Network > Sandbox (outermost)
- Click the red slice in the outermost (Sandbox) ring that aligns with a green slice on the innermost (Community) ring. The resulting path is Community: green (innermost) -> Static: red -> Network: red -> Sandbox: red (outermost).
Malicious Sessions Example
This example shows how to drill into sessions that all scoring categories identify as malicious. The resulting list contains the sessions that Malware Analysis has the most confidence are malware.
- Configure the Score Wheel rings in the following sequence:
  Community (innermost) > Static > Network > Sandbox (outermost)
- Click the red slice of the outermost (Sandbox) ring that aligns with a red slice on the innermost (Community) ring. The resulting path is Community: red (innermost) -> Static: red -> Network: red -> Sandbox: red (outermost).
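The drill-down that both examples above perform, modelled as an added Python example (not NetWitness code): each session is placed on a path of score bands in ring order, and clicking an outermost slice selects the sessions that share that path. The 0-100 score range, the band cut-offs, the green = low / red = high mapping, and the sample sessions are assumptions constructed for illustration.

```python
from collections import Counter

# Ring order used in both examples on this page, innermost first.
RING_ORDER = ("Community", "Static", "Network", "Sandbox")
# Assumed cut-offs on a 0-100 score; the page does not state the product's.
HIGH_MIN, MEDIUM_MIN = 70, 40


def band(score):
    """Map a score to its band (assumed: high = red slice, low = green)."""
    if score >= HIGH_MIN:
        return "high"
    if score >= MEDIUM_MIN:
        return "medium"
    return "low"


def drill_path(session, ring_order=RING_ORDER):
    """Return the session's band per ring, innermost to outermost."""
    return tuple(band(session["scores"][ring]) for ring in ring_order)


def wheel(sessions, ring_order=RING_ORDER):
    """Count sessions per full path: one entry per outermost slice."""
    return Counter(drill_path(s, ring_order) for s in sessions)


def drill(sessions, wanted, ring_order=RING_ORDER):
    """IDs of sessions behind the outermost slice matching `wanted`."""
    target = tuple(wanted[ring] for ring in ring_order)
    return [s["id"] for s in sessions if drill_path(s, ring_order) == target]


ZERO_DAY = {"Community": "low", "Static": "high", "Network": "high", "Sandbox": "high"}
ALL_MALICIOUS = dict.fromkeys(RING_ORDER, "high")

# Constructed sample sessions (not product output).
SESSIONS = [
    {"id": 101, "scores": {"Static": 88, "Network": 91, "Community": 5, "Sandbox": 97}},
    {"id": 102, "scores": {"Static": 93, "Network": 84, "Community": 90, "Sandbox": 99}},
    {"id": 103, "scores": {"Static": 12, "Network": 75, "Community": 3, "Sandbox": 20}},
    {"id": 104, "scores": {"Static": 79, "Network": 72, "Community": 10, "Sandbox": 81}},
    {"id": 105, "scores": {"Static": 55, "Network": 90, "Community": 8, "Sandbox": 95}},
]

if __name__ == "__main__":
    print(dict(wheel(SESSIONS)))
    print("zero-day candidates:", drill(SESSIONS, ZERO_DAY))
    print("all categories malicious:", drill(SESSIONS, ALL_MALICIOUS))
```

Changing the ring order changes which slice the path ends on, not which sessions match; session 105 is excluded from the zero-day list because its Static score falls in the medium band.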
Arrange the Ring Sequence by Scoring Module
In the Score Wheel, you can arrange the sequence of the rings by scoring module. Initially, the sequence of rings from inside to outside is Static, Network, Community, and Sandbox.
To change the ring sequence:
- Do one of the following:
  - Click and drag each scoring module up or down.
  - Select each scoring module and use the Up and Down buttons to move it.
- When the ring sequence is the way you want it, click the Update button.
The Score Wheel is refreshed with the new sequence.
Configure the Meta Treemap Dashlet
In the Meta Treemap chart, you can visualize and filter meta breakdowns by meta type, count, and analysis type. Use the three selection lists to set the filter, and the Meta Treemap chart is refreshed immediately.
Configure the Meta Breakdowns Dashlet
The Meta Breakdowns dashlet is a visualization of values for a specific meta key in a pie chart. In the Meta Breakdowns chart, you can filter meta breakdowns by meta type and count. Use the two selection lists to set the filter, and the Meta Breakdowns chart is refreshed immediately.
Configure the Events Timeline Dashlet
The Events Timeline dashlet is a visualization of the events along a timeline. No additional filters are available for the Event Timeline.
Open All Events in the Events List
From within the Event Timeline, you can open the entire list of events in the Events List. To do so, click . This option is not the same as clicking the count next to Events, which is the same for all visualization charts and opens the current drill point in the Events List.
Configure the Top Listing of Highly Suspicious Malware Dashlet
The Top Listing of Highly Suspicious Malware Dashlet presents the Top 10 most suspicious events in the Events List or the Files List. This dashlet is also available in the Monitor dashboard, and the configuration options are described as part of the NetWitness Content in Dashlets.
Configure the Malware with High Confidence IOCs and High Scores Dashlet
The Malware with High Confidence IOCs and High Scores dashlet presents Indicators of Compromise that have both high scores and high confidence that the events are likely to contain malware. The dashlet is also available in the Unified dashboard, and the configuration options are described as part of the NetWitness Content in Dashlets.
Configure the Top Listing of Possible Zero Day Malware Dashlet
The Top Listing of Possible Zero Day Malware dashlet presents potential zero day events in the Events List or the Files List. The dashlet is also available in the Unified dashboard, and the configuration options are described as part of the NetWitness Content in Dashlets.