There are several Preconfigured dashboards available upon installation. These dashboards provide a high-level overview of network traffic and logs, giving SOC Managers, Analysts and System Admins immediate value in assessing the overall status of the network.
The Overview dashboard provides a sampling of information that can be viewed in more detail in the dashlets of the other dashboards. It provides high-level trends and a state-of-the-business view of network traffic and log status. Its dashlets provide links to drill down into the individual dashboards for more information. For example, when you drill down from the Top Services dashlet on the Overview dashboard, you are taken to the Operations—Network dashboard, which shows further details such as the Operations—Network Top Source Countries and Top Destination Countries.
All these dashboards are available upon installation; however, all of them except the Default dashboard are disabled by default. Every dashboard consists of dashlets, each built from a chart backed by a Report Rule, so each dashlet depends on one Report Rule and one Report Chart. These Preconfigured dashboards are read-only, with no option to edit them. If their Refresh Interval or Past Hours settings are edited for any reason, the changes may be overridden during upgrades. RSA recommends that you make a copy of the Preconfigured dashboards before you make any modifications.
For detailed information on Dashlets, see Dashlets.
Available Preconfigured Dashboards
The following table describes each Preconfigured dashboard.
Name | Description |
---|---|
Identity Dashboard | Shows users and services that may potentially have malicious activities. The trends help compare them against daily logs to find abnormal behavior. |
Overview Dashboard | Provides a trending view of traffic flow within the customer's environment over a 24 hour period. |
Operations—Logs Dashboard | Shows top trends and distribution of logs from different classes and categories, for a quick view of log categories and event classes. Use this view to adjust devices that are producing more logs than expected. |
Operations—Network Dashboard | Shows top trends of source and destination traffic, including geographic locations, in order to easily monitor network traffic. |
SecurID Dashboard | Allows analysts to monitor specific identities and their behaviors. It empowers organizations to monitor two-factor environments that utilize RSA's SecurID for authenticating to protected resources. |
Threat—Hunting Dashboard | Displays a summary of the events that have been categorized according to the Hunting meta keys. |
Threat—Indicators Dashboard | Shows top Threat and Risk trends that help monitor any changes to the normal categories or sources of risk. If there is an abnormal amount of threats from an uncommon source, it needs further investigation. |
Threat—Intrusion Dashboard | Provides a view into firewall events and actions as well as IDS signatures over the last 24 hours. |
General Dependencies
Each dashlet depends on one report rule and one report chart. Some dashlets also depend on other content; where that is the case, those dependencies are listed.
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
Dashboard-Related Procedures
Occasionally, you may want to perform the following tasks:
- Add or Change a Reporting Engine data source
- Enable some charts
Add a Data Source to a Reporting Engine
In most cases, for customers that have other reports running, the Data Source is already defined. If so, you can skip this section.
Perform the following steps to associate a data source with a Reporting Engine:
- Navigate to ADMIN > Services.
- In the Services Grid, select a Reporting Engine service.
- Click View > Config. The Services Config View of the Reporting Engine is displayed.
- Click the Sources tab, and select the appropriate Concentrator service as the Data source.
Enable Charts
To enable the charts, do the following:
- Navigate to MONITOR > Reports.
- Click Charts.
- Click Identity Group. The RSA SecurID folder appears.
- Select the RSA SecurID folder. All charts related to RSA SecurID are listed in the Charts list panel.
- In the Charts list panel, select one or more charts that show as disabled in the Enabled column.
- Click the enable icon. A confirmation message indicates that the state of the selected charts was changed successfully.
Identity Dashboard
The Identity dashboard shows users and services that may potentially have malicious activities. The trends help compare them against daily logs to find abnormal behavior.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart |
---|---|---|---|
Top Log Event Users Trend | log | Log Event Users | Log Event Users |
Top Logon Failures Summary | log | Logon Failures Summary | Logon Failures Summary |
Top Logon Success Summary | log | Logon Success Summary | Logon Success Summary |
Top Cleartext Authentications by Service Trend | packet | Cleartext Authentications by Service | Cleartext Authentications by Service |
Top Cleartext Passwords by Service | packet | Cleartext Passwords by Service | Cleartext Passwords by Service |
Top Email Sender Trends | packet | Email Senders | Email Senders |
Note: All of the dashlets are also dependent upon the Hunting Pack and the Identity Feed.
Dashlets Contained in this Dashboard
The Identity dashboard contains the following dashlets:
- Top Log Event Users Trend: Displays the top 10 users as populated by log event traffic.
- Top Logon Failures Summary: Displays the top 10 logon failures as populated by log event traffic.
- Top Logon Success Summary: Displays the top 10 logon successes as populated by log event traffic.
- Top Cleartext Authentications by Service Trend: Displays the top authentications detected in clear text, by service, from packet traffic.
- Top Cleartext Passwords by Service: Displays the top passwords detected in clear text, by service, from packet traffic.
- Top Email Sender Trends: Displays the top email senders from packet traffic.
Operations—Logs Dashboard
The Operations—Logs dashboard shows top trends and distribution of logs from different classes and categories, for a quick view of log categories and event classes. Use this view to adjust devices that are producing more logs than expected.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart |
---|---|---|---|
Top Log Event Classes Trend | log | Log Event Classes | Log Event Classes |
Top Log Event Types Trend | log | Log Event Types | Log Event Types |
Top Log Event Categories | log | Log Event Categories | Log Event Categories |
Top Log Destination Ports | log | Log Destination Ports | Log Destination Ports |
Dashlets Contained in this Dashboard
The Operations—Logs dashboard contains the following dashlets:
- Top Log Event Classes Trend: Displays the top 10 log event classes as populated by log event source traffic.
- Top Log Event Types Trend: Displays the top 10 log event types as populated by log event traffic.
- Top Log Event Categories: Displays the top 10 log event categories as populated by log event traffic.
- Top Log Destination Ports: Displays the top 10 log destination ports as populated by log event traffic.
Operations—Network Dashboard
The Operations—Network dashboard shows top trends of source and destination traffic, including geographic locations, in order to easily monitor network traffic.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart | Other |
---|---|---|---|---|
Top Services Trend | packet | Top 10 Services | Top Services | |
Top TCP Destination Ports | packet | Top TCP Destination Ports | Top TCP Destination Ports | |
Top Source IP Addresses | log, packet | Top Source IP Addresses | Top Source IP Addresses | |
Top Destination IP Addresses | log, packet | Top 10 Destination IP Addresses | Top Destination IP Addresses | |
Top Destination Countries | log, packet | Top 10 Destination Countries | Top Destination Countries | GeoIP parser |
Top Source Countries | log, packet | Top Source Countries | Top Source Countries | GeoIP parser |
Dashlets Contained in this Dashboard
The Operations—Network dashboard contains the following dashlets:
- Top Services Trend: Displays the top 10 services (protocols), based on the network traffic.
- Top TCP Destination Ports: Displays the top 10 TCP destination ports based on the network traffic.
- Top Source IP Addresses: Displays the top 10 source IP addresses based on the network traffic.
- Top Destination IP Addresses: Displays the top 10 destination IP addresses based on the network traffic.
- Top Destination Countries: Displays the top 10 destination countries based on the network traffic.
- Top Source Countries: Displays the top 10 source countries based on the network traffic.
Overview Dashboard
The Overview dashboard provides a trending view of traffic flow within the customer's environment over a 24 hour period.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart | Other |
---|---|---|---|---|
Top Services | packet | Top 10 Services | Top Services | |
Top Log Event Classes | log | Log Event Classes | Log Event Classes | |
Traffic Flow Direction | log, packet | Traffic Flow Direction | Traffic Flow Direction | Traffic Flow Lua parser |
Top Firewall Systems | log | Firewall Systems | Firewall Systems | |
Top Threat Sources | log, packet | Threat Sources | Threat Sources | RSA Research Feed |
Top Cleartext Passwords by Service | packet | Cleartext Passwords by Service | Cleartext Passwords by Service | |
Dashlets Contained in this Dashboard
The Overview dashboard contains the following dashlets:
- Top Services: Displays the top 10 services (protocols) based on the network traffic trends.
- Top Log Event Classes: Displays the top 10 log event classes as populated by log event source traffic.
- Traffic Flow Direction: Displays traffic flow as populated by the Traffic Flow Lua parser or as parsed from a log event source.
- Top Firewall Systems: Displays firewall systems based on the ip.addr meta key from a Firewall log event source.
- Top Threat Sources: Displays threat sources based on the threat.source meta key populated by feeds.
- Top Cleartext Passwords by Service: Displays the top passwords detected in clear text, by service, from packet traffic.
RSA SecurID Dashboard
The RSA SecurID dashboard allows analysts to monitor specific identities and their behaviors. It empowers organizations to monitor two-factor environments that utilize RSA's SecurID for authenticating to protected resources. Users can run reports using the NetWitness Report Engine, either ad-hoc or on a recurring schedule.
Sample dashboard screen:
Dependencies
The RSA SecurID Dashboard only applies to customers collecting from logs. Thus, all the dashlets for this dashboard have a medium of Log.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Report Rule | Report Chart | Other |
---|---|---|---|
RSA SecurID-Bad PIN Good Token Code | RSA SecurID-Bad PIN Good Token Code | RSA SecurID-Bad PIN Good Token Code | The RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) is required. |
RSA SecurID-Bad PIN Previous Token Code | RSA SecurID-Bad PIN Previous Token Code | RSA SecurID-Bad PIN Previous Token Code | |
RSA SecurID-Bad Token Code Bad PIN | RSA SecurID-Bad Token Code Bad PIN | RSA SecurID-Bad Token Code Bad PIN | |
RSA SecurID-Bad Token Code Good PIN | RSA SecurID-Bad Token Code Good PIN | RSA SecurID-Bad Token Code Good PIN | |
RSA SecurID-Static Passcode Authentication | RSA SecurID-Static Passcode Authentication | RSA SecurID-Static Passcode Authentication | |
RSA SecurID-Token Code Reuse | RSA SecurID-Token Code Reuse | RSA SecurID-Token Code Reuse | |
RSA SecurID-Unknown User Failed Login | RSA SecurID-Unknown User Failed Login | RSA SecurID-Unknown User Failed Login | |
RSA SecurID-Account Lockouts | RSA SecurID-Account Lockouts | RSA SecurID-Account Lockouts | |
Dashlets Contained in this Dashboard
The SecurID dashboard contains the following dashlets:
- RSA SecurID-Account Lockouts: A user has attempted to log in too many times without succeeding and has locked their SecurID account.
- RSA SecurID-Bad PIN Good Token Code: A user had a valid SecurID Token Code for the user account but entered a bad PIN.
- RSA SecurID-Bad PIN Previous Token Code: A user entered a previous token code, but the token code had reached the end of its validity period (usually 60 seconds) and rolled out of the system before authentication was completed.
- RSA SecurID-Bad Token Code Bad PIN: A user has attempted to log in with a valid username but has entered both the SecurID Token Code and the PIN incorrectly.
- RSA SecurID-Bad Token Code Good PIN: A user had a valid PIN for their user account but typed the SecurID Token Code incorrectly.
- RSA SecurID-Static Passcode Authentication: A user has authenticated with a static passcode rather than a SecurID token.
- RSA SecurID-Token Code Reuse: A user had a valid token code but had already used it in a prior login attempt. The user did not allow the token code to change before attempting another login.
- RSA SecurID-Unknown User Failed Login: A user has attempted to log in with a username that does not exist in the SecurID Server database (invalid username).
Threat—Hunting Dashboard
The Threat—Hunting dashboard displays a summary of the events that have been categorized according to the meta keys described below.
The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the RSA NetWitness Hunting Guide and the Investigation Feed for more details about the contents of the pack and the suggested investigation techniques.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart |
---|---|---|---|
Behaviors of Compromise | packet | Behaviors of Compromise | Behaviors of Compromise |
Enablers of Compromise | packet | Enablers of Compromise | Enablers of Compromise |
File Analysis | packet | File Analysis | File Analysis |
Indicators of Compromise | packet | Indicators of Compromise | Indicators of Compromise |
Service Analysis | packet | Service Analysis | Service Analysis |
Session Analysis | packet | Session Analysis | Session Analysis |
Note: All of the dashlets are also dependent upon the Hunting Pack.
Dashlets Contained in this Dashboard
The Threat—Hunting dashboard contains the following dashlets:
- Behaviors of Compromise: Designated for suspect or nefarious behavior outside standard signature-based detection. This rule displays output when the Behaviors of Compromise meta key is populated.
- Enablers of Compromise: Instances of poor information or operational security; post-mortems often tie these to the root cause. This rule displays output when the Enablers of Compromise meta key is populated.
- File Analysis: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the File Analysis meta key is populated.
- Indicators of Compromise: Possible intrusions into the network that can be identified through malware signatures, or through IPs and domains associated with command and control campaigns. This rule displays output when the Indicators of Compromise meta key is populated.
- Service Analysis: Identification and inspection of core application protocols. This rule displays output when the Service Analysis meta key is populated.
- Session Analysis: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the Session Analysis meta key is populated.
Threat—Indicators Dashboard
The Threat—Malware Indicators dashboard displays web-based packet and web logs traffic going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making requests.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart | Other |
---|---|---|---|---|
Threat Sources | log, packet | Threat Sources | Threat Sources | |
Threat Categories | log, packet | Threat Categories | Threat Categories | |
Malware Activity DNS | packet | Malware Activity DNS | Malware Activity DNS | You will also need to have at least one of the following feeds deployed. If deploying the Investigation feed, you will need at least one of the related Lua parsers. Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed for more details. |
Malware Activity Web | log, packet | Malware Activity web | Malware Activity web | You will also need to have at least one of the following feeds deployed. If deploying the Investigation feed, you will need at least one of the related Lua parsers. If collecting logs, you will need at least one event source with a device class of web logs; this includes web proxy and security products such as Cisco WSA and Squid. Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed for more details. |
Malware Activity Unidentified | log, packet | Malware Activity Unidentified | Malware Activity web Unidentified | You will also need to have at least one of the following feeds deployed. If collecting logs, you need at least one of the following event source types. Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed for more details. |
Note: All of the dashlets are also dependent upon the Hunting Pack.
Dashlets Contained in this Dashboard
The Threat—Indicators dashboard contains the following dashlets:
- Threat Sources: Displays threat sources based on network traffic. The threat.source meta key is populated by feeds and Lua parsers.
- Threat Categories: Displays threat categories based on network traffic. The threat.category meta key is populated by feeds and Lua parsers.
- Malware Activity DNS: Displays DNS packet traffic that is going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making DNS queries. The native NETWORK packet parser must be enabled in order to identify the DNS service; this parser is enabled by default.
- Malware Activity Web: Displays web-based packet and web log traffic that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making web requests. The native NETWORK packet parser must be enabled in order to identify the web service; this parser is enabled by default.
- Malware Activity Unidentified: Displays packet and log traffic other than DNS and Web that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network. The native NETWORK packet parser must be enabled; this parser is enabled by default.
Threat—Intrusion Dashboard
The Threat—Intrusion dashboard provides a view into firewall events and actions as well as IDS signatures over the last 24 hours.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart |
---|---|---|---|
Top Firewall Destination IP Addresses Trend | log | Firewall Destination IP Addresses | Firewall Destination IP Addresses |
Top Firewall Denied Connections | log | Firewall Denied Connections | Firewall Denied Connections |
Top Firewall Users | log | Firewall Users | Firewall Users |
Top Firewall Events | log | Firewall Events | Firewall Events |
Top IDS Signature Trend | log | IDS Signatures | IDS Signatures |
Top IDS Signatures | log | IDS Signatures | IDS Signatures |
Top Firewall Systems Trend | log | Firewall Systems | Firewall Systems |
Top Virus Detection Trend | log | Virus Detection | Virus Detection |
Dashlets Contained in this Dashboard
The Threat—Intrusion dashboard contains the following dashlets:
- Top Firewall Destination IP Addresses Trend: Displays the top 10 destination IP addresses as populated by the Firewall device class.
- Top Firewall Denied Connections: Displays the top 10 destination IP addresses with an action showing a denied connection, as populated by the Firewall device class.
- Top Firewall Users: Displays the top 10 destination users, as populated by the Firewall device class.
- Top Firewall Events: Displays the top 10 firewall events, using the action meta key, as populated by the Firewall device class.
- Top IDS Signature Trend: Displays the top 10 IDS signatures as a trend over a 24 hour period, through the policy.name meta key, as populated by the IDS device class.
- Top IDS Signatures: Displays the top 10 IDS signature totals over a 24 hour period, through the policy.name meta key, as populated by the IDS device class.
- Top Firewall Systems Trend: Displays the top 10 firewall systems by device IP, using the ip.addr meta key, as populated by the Firewall device class.
- Top Virus Detection Trend: Displays the top 10 virus names using the virusname meta key, as populated by the Antivirus device class.
Operations—File Analysis Dashboard
The Operations—File Analysis dashboard displays a summary of the events that have been categorized according to the File Analysis meta key or applicable application rules.
The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the RSA NetWitness Hunting Guide and the Investigation Feed for more details about the contents of the pack and the suggested investigation techniques.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart |
---|---|---|---|
Windows Executable | packet | Windows Executable Anomalies | Windows Executable |
XOR Encrypted Executable | packet | XOR Encrypted Executable | XOR Encrypted Executable |
Java File Analysis | packet | Java File Analysis | Java File Analysis |
PDF File Analysis | packet | PDF File Analysis | PDF File Analysis |
ZIP File Analysis | packet | ZIP File Analysis | ZIP File Analysis |
RTF File Analysis | packet | RTF File Analysis | RTF File Analysis |
Note: All of the dashlets are also dependent upon the Hunting Pack.
Dashlets Contained in this Dashboard
The Operations—File Analysis dashboard contains the following dashlets:
- Windows Executable: Displays Windows-compatible files seen on the network, grouped by file type. Analysts can prioritize investigation according to file type and then perform a deep dive into a particular file.
- XOR Encrypted Executable: Displays the source IPs of hosts on which XOR-encoded executables are detected. Analysts can prioritize investigation based on host IP.
- Java File Analysis: Displays file analysis for Java and JavaScript files. Analysts can look for particular alerts related to Java or JS files.
- PDF File Analysis: Displays file analysis for PDF files. Analysts can look for particular alerts related to PDF files.
- ZIP File Analysis: Displays file analysis for ZIP files. Analysts can look for particular alerts related to ZIP files.
- RTF File Analysis: Displays file analysis for RTF files. Analysts can look for particular alerts related to RTF files.
Operations—Protocol Analysis Dashboard
The Operations—Protocol Analysis dashboard displays a summary of the events that have been categorized according to the Service Analysis meta key for web-based protocols of HTTP, DNS and SSL.
The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the RSA NetWitness Hunting Guide and the Investigation Feed for more details about the contents of the pack and the suggested investigation techniques.
Note: To generate meta values for the HTTP - Non Standard dashlets, you need to set the advanced option to true in the HTTP_lua_options file. For details, see Edit the HTTP_lua Options File below.
Sample dashboard screen:
Dependencies
Dashboards support several mediums; each individual dashlet draws on one medium:
- Log: content parsed from events generated from logged data.
- Packet: content parsed from events generated from network packet data.
- Log and packet: content that correlates across log and packet events.
Additionally, some dashlets contain content that is parsed from either log or packet data.
The following table describes the dependencies for each dashlet, as well as other details.
Dashlet | Medium | Report Rule | Report Chart |
---|---|---|---|
HTTP Headers Non Standard | packet | HTTP Headers Non Standard | HTTP Headers Non Standard |
HTTP User Agents Non Standard | packet | HTTP User Agents Non Standard | HTTP User Agents Non Standard |
HTTP Webshells | packet | HTTP Webshells | HTTP Webshells |
Hostnames Non Standard | packet | Hostnames Non Standard | Hostnames Non Standard |
DNS Non Standard | packet | DNS Non Standard | DNS Non Standard |
HTTP Methods Non Standard | packet | HTTP Methods Non Standard | HTTP Methods Non Standard |
SSL Non Standard | packet | SSL Non Standard | SSL Non Standard |
SSL Self-Signed Certificates | packet | SSL Self-Signed Certificates | SSL Self-Signed Certificates |
Note: All of the dashlets are also dependent upon the Hunting Pack.
Dashlets Contained in this Dashboard
The Operations—Protocol Analysis dashboard contains the following dashlets:
- HTTP Headers Non Standard: Indicators of outbound traffic whose HTTP requests carry a suspiciously low number of headers. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
- HTTP User Agents Non Standard: Indicators of outbound traffic with HTTP user agents that appear forged for malicious activity, for example of maximum or very short length. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
- HTTP Webshells: Inbound traffic with indicators of executable code on a web server used for attacker remote code execution. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
- HTTP Methods Non Standard: Displays HTTP sessions that use a method other than GET, as well as suspicious CONNECT methods. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
- Hostnames Non Standard: Indicators of outbound traffic with non-standard hostnames that may indicate command and control behavior, port calculation or signaling of an action. This provides a drill point into interesting sessions that should be investigated for additional signs of malware.
- DNS Non Standard: Indicators of outbound traffic with signs of suspicious DNS servers, ports or unusually large sessions. This provides a drill point into interesting sessions to investigate for additional signs of data exfiltration or evasion of reputable services.
- SSL Self-Signed Certificates: Displays identified SSL sessions where the certificate authority is the same as the SSL subject. Combined with traffic flow metadata, these sessions can be used to discover beaconing behavior on a network.
- SSL Non Standard: Identified SSL service on a port other than 443. Non-standard protocol indicators can be used as atomic indicators and paired with additional ones to hunt for malicious software.
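The following is an added example, not NetWitness code, showing how the Non Standard heuristics the dashlets above describe can be expressed as detection logic over session metadata. The record field names (service, tcp_dstport, http_method, http_headers, user_agent, ssl_subject, ssl_ca), the thresholds, and the sample sessions are all constructed assumptions standing in for the decoder's real meta keys.

```python
"""Toy re-implementation of the Operations—Protocol Analysis heuristics.

Constructed example, not RSA NetWitness code. Sessions are plain dicts whose
field names are assumptions standing in for decoder meta keys; the thresholds
are also assumptions, chosen only to illustrate the dashlet descriptions.
"""
from typing import Dict, List

# Assumed thresholds (not taken from the page): what counts as a "low" header
# count and the user-agent length band that counts as suspicious.
MIN_HEADERS = 4
UA_SHORT_LEN = 8
UA_MAX_LEN = 256


def analyze_session(s: Dict) -> List[str]:
    """Return the Non Standard indicators a single session would populate.

    Labels mirror the dashlet names on this page. An HTTP session is assumed
    to carry service 80 and an SSL session service 443, as the NETWORK parser
    identifies them independently of the destination port.
    """
    hits: List[str] = []
    service = s.get("service")
    if service == 80:
        headers = s.get("http_headers", [])
        if len(headers) < MIN_HEADERS:
            hits.append("HTTP Headers Non Standard")
        ua = s.get("user_agent")
        if ua is not None and (len(ua) <= UA_SHORT_LEN or len(ua) >= UA_MAX_LEN):
            hits.append("HTTP User Agents Non Standard")
        # The page calls out "HTTP without GET" and suspicious CONNECT methods.
        if s.get("http_method", "") != "GET":
            hits.append("HTTP Methods Non Standard")
    elif service == 443:
        # SSL identified by content but not on port 443.
        if s.get("tcp_dstport") != 443:
            hits.append("SSL Non Standard")
        # Self-signed: certificate authority equals the certificate subject.
        subject, ca = s.get("ssl_subject"), s.get("ssl_ca")
        if subject and ca and subject == ca:
            hits.append("SSL Self-Signed Certificates")
    return hits


def summarize(sessions: List[Dict]) -> Dict[str, int]:
    """Count sessions per indicator, the way a dashlet chart would."""
    counts: Dict[str, int] = {}
    for s in sessions:
        for h in analyze_session(s):
            counts[h] = counts.get(h, 0) + 1
    return counts


# Constructed sample sessions (not captured traffic).
SAMPLE_SESSIONS = [
    # Ordinary browser request: nothing non-standard.
    {"service": 80, "tcp_dstport": 80, "http_method": "GET",
     "http_headers": ["Host", "User-Agent", "Accept", "Accept-Language", "Connection"],
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"},
    # Minimal POST with a one-character user agent on a non-standard port.
    {"service": 80, "tcp_dstport": 8080, "http_method": "POST",
     "http_headers": ["Host", "User-Agent"], "user_agent": "x"},
    # CONNECT with an otherwise normal header set.
    {"service": 80, "tcp_dstport": 80, "http_method": "CONNECT",
     "http_headers": ["Host", "User-Agent", "Proxy-Connection", "Accept", "Accept-Encoding"],
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"},
    # SSL on 443 with a CA-issued certificate.
    {"service": 443, "tcp_dstport": 443,
     "ssl_subject": "CN=www.example.com", "ssl_ca": "CN=Example Root CA"},
    # SSL on 8443 with a self-signed certificate.
    {"service": 443, "tcp_dstport": 8443,
     "ssl_subject": "CN=host-01", "ssl_ca": "CN=host-01"},
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.get("service"), s.get("tcp_dstport"), analyze_session(s))
    print(summarize(SAMPLE_SESSIONS))
```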
Edit the HTTP_lua Options File
To generate the meta values needed to populate this dashboard, edit the HTTP_lua_options.lua file as follows:
- Go to Live and deploy the HTTP_lua Options file to the Decoder.
- In the Security Analytics menu, select Administration > Services.
- In the Services grid, select a Decoder.
- From the Actions menu, select View > Config, then select the Files tab.
- From the drop-down menu, select the HTTP_lua_options.lua file.
- Scroll to the end of the file, to the function advanced() section, and change return false to return true. The updated section should look like the following:

```lua
function advanced()
    --[=[
        "Advanced Analysis" : default FALSE

        Perform advanced analysis of HTTP characteristics.
        Analysis includes only the first request and first response.

        Meta is registered to the key "proto.analysis".
    --]=]
    return true
end
```