Managing the Springboard

(From 11.5 and later) The NetWitness Platform Springboard presents platform-wide detections and signals in this view so that analysts can hunt and investigate faster than ever before.

From 12.0 and later, the NetWitness Platform Springboard introduces five more out-of-the-box panels. These panels are based on events processed with a specific query and are presented in the Springboard view, which helps analysts with further investigation.

The Springboard brings together the following information for analysts to view:

  • Critical incidents and high severity alerts that require attention.
  • Hosts and files with high risk scores that may be potential threats.
  • Risky users that are potential leads for investigation.
  • Events matching a specific query with high severity that require immediate attention.


The Springboard displays important information for the last 24 hours in the following out-of-the-box panels:

  • Top Incidents
  • Top Alerts
  • Top Risky Hosts
  • Top Risky Files
  • Top Risky Users
  • MITRE ATT&CK tactics
  • MITRE ATT&CK techniques
  • Indicators of Compromise
  • Enablers of Compromise
  • Behaviors of Compromise

For example, the Top Risky Hosts panel displays the top 25 risky hosts based on the highest risk score and operating system (Windows, Linux, and Mac). If the Endpoint Broker is available, the result includes hosts from all Endpoint Servers. Otherwise, it displays the result of the first Endpoint Server.

From version 12.3 and later, NetWitness Springboard lets analysts choose from a variety of color palettes when creating or editing panels, using the Visualization Color Theme option. This option gives analysts more control over the appearance of their panels, making them more visually appealing and easier to understand. As a result, analysts can visualize the data better and perform analysis and investigations more efficiently.

Note: The Multiple color option is available only for the Donut chart.


You can perform the following actions on the Springboard:

  • Change the time range for some panels, namely the Incidents and Alerts panels. To change the time range, select the time range selection box from the drop-down menu in the top left corner of the Springboard view.

    IMPORTANT: If the selected filter has a time range selected, that time range is given priority; otherwise, the Springboard time range for the specified panel is used.

  • Increase the display of the results in the table to view more than 25 results. Click the edit icon on the panel; the Edit Panel dialog is displayed. Edit the Number of Results field and click Save Panel.

  • Click a row in the table to view details or to investigate.
  • Click the icon at the top of the panel to view all the results. For example, in the Top Incidents panel, click this icon to view all incidents in the Incidents list view.

  • Click a row name in the events panel to view or investigate the event details with relevant filters applied in the Events view.

  • Scroll to view the different panels using the scroll bar available below the panels.

Administrators can customize the Springboard by performing the following:

  • Create their own custom private board and add panels to the board. For more information, see Add a Custom Private Board.

  • Edit the out-of-the-box panels. For more information, see Edit a Panel.
  • Refresh the out-of-the-box panels. For more information, see Refresh a Panel.
  • Create new panels with important system indicators. For example, a new panel showing focused event metadata based on pre-defined query conditions can be created. For more information, see Add a Panel.

Working with the Springboard

Note: An administrator must provide the appropriate permissions to allow users to edit the Springboard panels. For more information, see the Springboard section in the "Role Permissions" topic in the System Security and User Management Guide.

You can customize the information on the out-of-the-box Springboard by adding, editing, copying, moving, and deleting panels.

From 12.0 and later, the data sources and query filters are automatically added for the new out-of-the-box panels.

Add a Custom Private Board

(From 12.0 and later) Administrators and Analysts can create their own custom private board in the Springboard and add panels with important system indicators, which helps in threat hunting and investigation. Users can also add, edit, rearrange, and delete panels in the custom private board view. The board allows users to organize and manage information easily.

IMPORTANT:
- The board will be saved as a custom private board, and other users will not be able to view the board.
- Only one custom private board can be created.

Note: The maximum number of panels on the custom private board must not exceed 20 panels.

To add a custom board

  1. Click + Add New Board.

    The custom private board view is displayed, where you can add panels.

  2. Add the panels. For more information, see Add a Panel.

  3. To edit the custom board’s name, click at the top left corner and enter a unique name.

  4. Click Save Board.

Add a Panel

You can add a panel to the Springboard according to analyst preferences. For example, an analyst can watch top risky users or top risky hosts for a particular region in a panel.

Note: The maximum number of panels on the Springboard should not exceed 20 panels.

To add a panel

  1. Click Manage Board.
  2. Click the add panel button either at the top or on the right side of the view, or click the add panel icon at the bottom of the view, to add a panel.

    The Create New Panel dialog is displayed. The following figure is an example of the events panel configuration.

    [Figure: example of the events panel configuration]

  3. In the Input Settings section:
    • Name: Enter a unique name for the panel. The name can include letters, numbers, spaces, and special characters, such as _ - ( ) [ ].

    • Number of Results: By default, the number of results is 25. Specify a number of results in the range from 25 to 100.

    • Data Type: Select the type of data to use for the panel:
      • Alerts
      • Incidents
      • Events
      • Files
      • Hosts
      • Users
    • Data Source: Select the source of the data to use for the panel. This field is enabled when the data type is Events, Files, or Hosts.
      • Events: Select either Broker or Concentrator.
      • Files: Select either Endpoint Broker Server or Endpoint Server.
      • Hosts: Select either Endpoint Broker Server or Endpoint Server.
    • (Optional) Filter: Filter the data as required by selecting from the saved filters list in the drop-down for each data type.
  4. In the Output Settings section, select the appropriate settings based on the data type.

  5. Click Add Panel.
  6. Click Save Board once you have added all the panels.

Edit a Panel

You can edit the out-of-the-box or newly added panels on the Springboard.

To edit a panel

  1. Click the edit icon on the panel that you want to edit.
    The Edit Panel dialog is displayed.

  2. Edit and click Save Panel.

Rearrange Panels

You can arrange the panels by dragging and dropping them into a different order on the Springboard.

To rearrange panels

  1. Click Manage Board.
  2. To move a panel, click anywhere on the panel, then drag and drop the panel to the desired location.

  3. Click Save Board.

Delete Panels

You can delete panels permanently in the following situations:

  • Services are not installed. For example, if you do not have Endpoint Log Hybrid installed, then you can delete the panels for Top Risky Hosts and Files.

  • The number of panels has exceeded the limit, that is, 20, and you want to add a new panel.

To delete existing panels

  1. Click Manage Board.
  2. Select the panels that you want to delete.
  3. Click Remove Panel.
  4. Click Save Board.

Restore System Default Settings

Note: This is enabled only if any changes are made to the out-of-the-box Springboard panels.

To restore the out-of-the-box panels:

  1. Click Manage Board.

  2. Click Restore System Default.

    A confirmation pop-up is displayed, asking whether you want to restore the out-of-the-box panels.

  3. Click Restore System Default.

Refresh a Panel

To refresh a panel

Click the refresh icon on the panel that you want to refresh. The latest data is loaded in the panel.