
User Guide

Nextgen CyberQuest™ Overview

About Nextgen CyberQuest™

Nextgen CyberQuest™ is a big data security analytics solution designed to provide complete auditing and security coverage for your enterprise network. We have built Nextgen CyberQuest™ as an agile, scalable business platform that intelligently collects and correlates data from the organization's IT infrastructure and uses it to address any present or future threat the business may face.

Nextgen CyberQuest™ can be scaled to any organization's specifics and size, and integrates easily with all security solutions on the market, regardless of their classification. CyberQuest™ is a true aggregator of security data coming from security information and event management software, firewalls, intrusion prevention and detection platforms, or email security and endpoint security solutions. In addition, CyberQuest™ can collect, correlate and provide useful insights on heterogeneous data generated by network equipment, servers, databases and applications, which makes it an operational management ally for your administrative and security teams:

  • Collect -- gather all security and relevant data sources from your infrastructure

  • Correlate -- add threat intelligence security data for offline or online correlation

  • Detect -- identify quickly the most significant threats to your network

  • Visualize -- monitor accurately within a single point of access and get specific alerts

  • Respond -- generate reports and make decisions with complete awareness

CyberQuest™ aggregates and monitors all activity taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made a change, what was changed, where, when and why; turn that information into intelligent, in-depth forensics enhanced with additional data from the entire environment; make that information available to auditors and security officers; and reduce the risks associated with day-to-day modifications.

Concept and availability

Nextgen CyberQuest™ can be seamlessly integrated within your existing infrastructure and deliver real-time user behaviour and data monitoring, threat detection, data analytics and correlation, and security information and event management in a single platform, enabling you to:

  • Have unified and increased infrastructure visibility for security management

  • Ensure and track regulatory compliance, security audits and policy

  • Reduce organization threat surface quickly and accurately

  • Optimize and generate predefined, ready-to-go reports

  • Improve your existing security and event management solution's response capabilities to incidents

Nextgen CyberQuest™ is an appliance-type product (hardware and software) that supports multi-redundant topologies and can be scaled horizontally by installing any number of processing nodes, or vertically by adding processing resources. Given its deployment flexibility, the solution can easily be architected to meet multi-site deployment challenges. The solution is also available as a Software-as-a-Service offering. Please check with your local reseller for the licensing options available.

Its main functionalities are given by multiple modules:

  • Normalizing information available from SIEM systems into its own format through dedicated connectors;

  • Reporting module;

  • Investigation module (which is the main purpose of the application);

  • Administrative module (ensures configuration and management functions for the application);

  • Alerting module (provides real time alerting for configurable situations with configurable response actions);

  • Case management module;

  • Data Transformation System module;

For more details regarding architecture, topology and multi-site distribution, please see Nextgen CyberQuest™ 2.15 Deployment Guide documentation.

High-level data flow description

Nextgen CyberQuest™ is a dedicated security analytics platform intended for use by IT security officers. CyberQuest™ helps companies be more secure and compliant with internal and industry regulations by collecting high volumes of disparate data from the infrastructure and third-party security solutions, aggregating and enriching the collected data, and presenting security personnel with useful information on possible threats and risks, all in real time.

Initially, real-time data is collected from various sources using CyberQuest's WMI, syslog, NetFlow, ODBC or file-level gathering capabilities. Data is organized in queues and sent to a Data Acquisition Service (DAS), which applies acquisition rules and then sends raw data to a Data Transformation Service (DTS). DTS is responsible for parsing data and generating real-time alerts.

Once parsing rules have been applied, retention rules are applied to the transformed data. Retention rules determine whether data is stored in the Online Storage or in the Archive Data Storage. The major difference between the two types of storage is access speed. Online Storage indexes uncompressed data, which makes any information available in a matter of seconds, at the cost of space. Archive Data Storage is designed for long-term retention of data, without imposing a limit on the maximum volume of that data. The archive stores data in compressed and encrypted files; a compression ratio of 1:20 is the norm.

Online and Archive storages exchange data as needed. When specific information is requested, data is automatically extracted and imported into ElasticSearch nodes for processing. Correlation is performed by a CyberQuest Server and the resulting information is presented in dashboards and reports.

CyberQuest Web Interface is the central module used for both management and use of the platform. It is a web frontend that allows administrators and operators to interact with Nextgen CyberQuest™. Depending on the access level granted, a user will be able to access the Reports, Dashboards, Investigations, Browser and Alerts modules and benefit from the entire set of security analytics.

CyberQuest Web Interface

Accessing the web interface

Web Interface is a consolidated web frontend hosting all administration and operation functionalities of Nextgen CyberQuest™. The web interface is compatible with all major browsers on the market.

To access Web Interface, open a web browser and type the application's address or DNS name. The default address initially assigned to Web Interface is https://192.168.100.1

The browser automatically redirects you to Nextgen CyberQuest™'s authentication page:


User authentication

Authentication can be accomplished in one of two ways:

  • Using a local user defined in the application;

  • Using a company's Active Directory user. This option allows authentication with Active Directory credentials when LDAP integration has been configured within the application. The user must belong to one of two Active Directory security groups: "CyberQuest Administrators" or "CyberQuest Users".

After typing your username and password, press . button.

The initial authentication is performed under the default administrative account. When authenticating as administrator, an additional confirmation box is displayed. This additional step was introduced to warn that the account has unrestricted access to the entire platform configuration and to require the user to confirm that they acknowledge this. Superadmin activity should be performed with maximum responsibility and knowledge of the platform's administration. Wrongly changing configuration, rules and retention policies can break access to analytics data, delete or damage objects and, more importantly, can cause permanent loss of historical data.

If you agree to authenticate as an administrator, press . button and Web Interface will open. If you want to go back to the login page and authenticate as an operator, press . button.

Web Interface Overview

Once authenticated, Nextgen CyberQuest™ Web Interface opens. By default, the Dashboards module is displayed. Depending on each user's access permissions, the interface may differ. Below we describe the user experience and interface functionalities when authenticated as an administrator.

The Web Interface can be split into several areas:

Module Area

From the top-left section of the Web Interface you can select the application module to be displayed in the main operation area:

  • Dashboards is the default module that loads when first authenticating to the application. It allows an operator to quickly view information contained in the online repository and act on the graphical objects it contains

  • Reports is the application's proprietary reporting module. It contains all predefined and custom reports for general use, as well as reports defined for the authenticated operator

  • Investigations module (or mode) is intended to graphically represent the audit information in the application. This mode allows native correlation of data and connects apparently related events, creating links between diverse events and fields/strings.

  • Browser module (or mode) is intended to display the log information present in the system.

  • Alerts module (or Alerting mode) manages alerts and alert correlations, and allows users to start full investigation processes from an initial point -- the base alert displayed in Main Operation Area.

By clicking on . logo displayed in the top-left corner of the Web Interface, you will be taken to the "home" screen that is displayed after logging in to application.

Main Operation Area

Main Operation Area is where users of the application perform their activities. This area is specific to each accessed module (or mode) and the options available depend on the user's assigned permissions. Depending on each module's capabilities, Main Operation Area may contain content personalized per user, such as custom dashboards and reports.

Available content and options are detailed within each module chapter in CyberQuest™ 2.15 User's Guide.

Performance Area

Performance Area in the top-right side of the Web Interface maintains three indicators updated in real time:

  • CPU -- displays the current CPU load of the CyberQuest Web Application Server. Pointing at the color-filled part of the graph opens a tooltip with the actual value of the current load

  • Memory -- displays the current memory load of the CyberQuest Web Application Server. Pointing at the color-filled part of the graph opens a tooltip with the actual value of the current load

  • Disk -- displays the current disk load of the CyberQuest Web Application Server. Pointing at the color-filled part of the graph opens a tooltip with the actual value of the current load

User Enabler Area

User Enabler Area in the top-right side of the Web Interface comprises three action buttons as follows:

  • Stats . button opens a quick pop-up with statistical information on processed data. The following information is provided:

    • Total events – total number of events currently stored in the online repository

    • Last hour events – total number of events collected in the last hour

    • Last day events – total number of events collected in the last day

    • Total alerts – total number of alerts currently managed by the Application Server

    • Last hour alerts – total number of alerts raised in the last hour

    • Last day alerts – total number of alerts raised in the last day

  • User . button opens User drop-down menu containing the options described below:

    • Welcome <user> option indicates the currently logged in user

    • Change password option opens Change your password window, where the currently logged in user can change their password.

    • Executed schedules option opens My Executed Schedules report listing all schedules executed by the currently logged in user

    • Case Management option opens Case Management module for the currently logged in user

    • Logout option logs out the currently logged in user

  • Settings . button opens Settings drop-down menu containing the options described below:

    • Users and Groups > Users and Users and Groups > Groups options allow an administrator to view, add, edit or delete users and groups. Additional actions are available for users: change password, activate or inactivate, copy dashgroups to users.

    • Connectors option opens Data Connectors configuration page allowing an administrator to list all configured connectors, add a new connector, or perform actions on existing ones. Possible actions are activate/inactivate, duplicate, view, edit and delete.

    • Event dictionary option opens Event Definitions configuration page allowing an administrator to list all event definitions, add a new event definition or import a definition from an external file, or perform actions on existing event definitions. Possible actions are export, view, edit and delete.

    • Management > Dashboards option opens Dashboards configuration page allowing an administrator to list all defined dashboards, import a definition from an external file, or perform actions on existing dashboards. Possible actions are edit and delete.

    • Management > Filters option opens Filters configuration page allowing an administrator to list all defined filters, add a new filter, or perform actions on existing ones. Possible actions are view, edit and delete.

    • Management > Objects option opens Object Management configuration page allowing an administrator to list objects, list object lists, add a new object or object list, or import objects from an external CSV file. Possible actions on listed objects are edit and delete.

    • Alerts > Realtime option opens the list of defined alerts in Alerts module, allowing an administrator to create a new alert definition or import an alert from an external file, and to perform actions on existing alert definitions. Possible actions are edit, export and delete.

    • Alerts > Summary option opens the list of custom summary alerts in Alerts module, allowing an administrator to list alert templates, create a new alert template or create a new registered summary alert. Possible actions on listed summary alerts are activate/inactivate, view, edit and delete.

    • Alerts > Notification templates option opens Alert Templates configuration page, allowing an administrator to create a new alert template or act on listed alert templates. Possible actions are edit and delete.

    • Rules > Filter Rules option opens Filter Rules configuration page allowing an administrator to create a new filter rule, import a filter rule from an external file or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.

    • Rules > DTS Objects option opens DTS Objects configuration page allowing an administrator to create a DTS object, import one from an external file or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.

    • Rules > DA Rules option opens DA Rules configuration page allowing an administrator to create a data acquisition rule, import one from an external file or perform actions on existing ones. Possible actions are activate/inactivate, order, export, edit and delete.

    • Jobs > Jobs option opens Jobs configuration page allowing an administrator to create a new job or perform actions on existing ones. Possible actions are activate/inactivate, run, edit and delete.

    • Jobs > Jobs Executions option opens the list of job executions. You can delete a job execution and see the execution status for each listed job.

    • Network Applications option opens Network Applications configuration page allowing an administrator to create a new network application, search the list or perform actions on existing ones. Possible actions are edit and delete.

    • Data Storages option opens Data Storages configuration page allowing an administrator to create a new data storage or perform actions on existing ones. Possible actions are edit and delete.

    • Data source status option opens a report of all data sources and their status. The report allows data sources to be deleted and the alert time to be changed. Each data source is presented with a status. The page includes a search field and the possibility to sort by any column. The report can be customized in terms of details included or excluded, and exported in CSV format.

    • Batch Fields Checker option opens Batch Fields Checker window allowing you to upload a text file and execute batch checking. The result can be exported in CSV format.

    • Application Settings option opens Application Settings configuration page allowing an administrator to configure the main CyberQuest™ settings in detail. The page presents configuration capabilities for:

      • Active Directory integration

      • Functional parameters

      • Alert templates

      • Assets and asset groups

      • Company identity customization

      • Data acquisition parameters

      • Data correlation parameters

      • Data server parameters

      • Data storage parameters

      • ElasticSearch identification

      • Email settings

      • Reports export path

      • Retention period for online repository and archive

      • Defined tenants

Quick Reports Area

Provides a search box for all reports available to the logged in user. Matching reports appear as you type. By selecting a report in the drop-down search results you are taken to that report in Reports module.

Changing User Password

Once authenticated, a user can change their password from User menu. This is strongly recommended after the first login, and it can be done at any time afterwards.

In order to change your password, access User > Change password option. Change your password window opens:

a. In Old Password field, type your current password

b. In New Password field, type the new password. Make sure you follow the complexity requirements set for your company environment

c. Repeat the new password in Confirm Password field

d. Press . button to save the new password and close the window or press . button to close the window without saving changes. As an option, you can close the window without saving changes by clicking the . mark in top-right corner.


e. After changing password, it is recommended to perform logout by clicking User > Logout in User menu.

An administrator with user management privileges can change their own password and can also change the password of any other user. To do so:

a. In Settings menu, click Users and groups > Users. Users configuration page opens.

b. Click on . button for yourself or for the user whose password you need to change. A different Change user password window opens

c. Type in the new password in Password and Password Confirm fields.

d. Press . button to save the new password and close the window or press . button to close the window without saving changes. As an option, you can close the window without saving changes by clicking the . mark in top-right corner.


e. Instruct the user to log out of the application and then log back in.

Role Based Access Control (RBAC)

User accounts can be configured to access components based on the user role assigned to their account. You can add or edit user roles and user accounts as needed.

Add or edit User Roles

User roles are assigned to user accounts to control access in Web Interface. You can add or edit user roles as needed. Roles are assigned at group level.

In order to add or edit user roles:

a. Login to application with an administrative account.

b. Navigate to Settings by expanding . in the top-right corner of the interface, then click Users and groups > Groups.


c. In Groups window, click the option New Group.


d. Add group window opens. In Add group window:

In the Name field, provide a name, such as Users Restricted Permissions.

In the Users field select the users that will be impacted by the predefined rules.

In the Assigned Permissions field select the appropriate permissions for the selected users.

In the Data Permission field select the appropriate data the selected users can view.


e. By default the new group is disabled. Activate the group by selecting . option.

f. Press . button to add the newly defined group and close the window or press . button to close the window without saving changes. As an option, you can close the window without saving changes by clicking the . mark in the top-right corner.

Delete User Groups

To delete a group, navigate to Settings by expanding . in the top-right corner of the interface, then click Users and groups > Groups. Press . icon and confirm deletion of desired group. The procedure is irreversible.

Built-in groups cannot be deleted.

Edit User Groups

To edit a group, navigate to Settings by expanding . in the top-right corner of the interface, then click Users and groups > Groups. Press . icon. Edit group window is displayed where you can change group name, group members, assigned permissions and data permissions.

Changing group members, assigned permissions and data permissions is done by selecting or de-selecting objects in each drop-down list.

You can also change the group status between Enabled and Disabled. Group status can be quickly changed from the main Groups window by clicking the Active option button and selecting On or Off. In this case, changes are saved automatically.

For built-in groups you will only be allowed to add or remove members.

Press . button to save changes and close the window or press . button to close the window without saving changes. As an option, you can close the window without saving changes by clicking the . mark in top-right corner.

Dashboards migration

Each user can create their own dashgroups containing their own dashboards. After creating a new user, an administrator can copy dashgroups from another user who already has dashgroups configured. To do this, follow these steps:

a. Login to application with an administrative account.

b. Navigate to Settings by expanding . in the top-right corner of the interface, then click Users and groups > Users.


c. In Users window, select Copy dashgroups to user

d. Copy dashgroups to user window opens. Select the source and destination users from the User where dashgroups are copied from and Users where to copy dashgroups drop-down lists. Select the desired dashgroups from the Dashgroups that are copied drop-down list and press Submit to save changes.

e. Log out of the administrative account and log in with the new user account. After login is successful, the Dashboards module will show the new dashgroups selected in the previous step.

Data permissions

The solution provides data permission options which, combined with the role-based access features, offer granular control over the data made available to the user members of a group. Data permissions are set at group level.

In order to change data permissions for an existing group:

a. Login to application with an administrative account.

b. Navigate to Settings by expanding . in the top-right corner of the interface, then click Users and groups > Groups.


c. In Groups window, click . button for the group containing the user whose data permissions you want to change. Edit group window opens.

d. In Data Permissions field, select or deselect the appropriate data permissions. If no filter is selected, the user will have unrestricted access to all available data.

e. Press . button to save changes and close the window or press . button to close the window without saving changes. As an option, you can close the window without saving changes by clicking the . mark in top-right corner.

Dashboards Module

CyberQuest Dashboards

A CyberQuest dashboard is a graphical representation of events (circular charts or histograms) which can be accessed from the Dashboards module interface when first logging in to the application, or by pressing . button at any time in the top-left section of Web Interface.

Working with Dashboards module

After logging in to the application, Web Interface directs you to the Dashboards module, which provides a visual, real-time representation of all data contained in the online repository. This data is correlated and graphically designed to give you a meaningful context of the entire organization's compliance.

The module operation area is divided in two sections:

  • Search and Filter section allows you to granularly control what information is displayed in dashboards

  • Dashboards section contains the dashgroups configured for the logged in user

Search and Filter section

This section allows you to control what information is displayed in dashboards, and to define additional filters and combination methods for searched data in specified date and time interval.

Search field lets you filter the displayed information using free-text search. If nothing is entered in the field, all events are displayed.

You will find a similar search field available for Browser module. A complete guide to using free text capabilities is included in this manual.

You can specify additional filters using Filtering options. By default, nothing is selected. When you access Additional filters drop-down list, you are presented with a large collection of pre-defined filters sorted by technology. You can select one, or multiple filters.

You will also need to select the logical method for combining selected filters in Combining method drop-down list. Available options are AND and OR logical operators. Please note the operator you choose applies to all selected filters.


When finished, press . button to apply your selections.

Other options available in Search and Filter section:

  • Send to investigations option will direct your selection to Investigations module. The option opens a new web browser tab to Investigations interface. You are presented with Filter data window that is now populated with filtering information you already entered. Press . button to command data extraction based on your filters and display in Investigations interface.


  • Send to browser option will direct your selection to Browser module. The option opens a new web browser tab to Browser interface listing filtered results.

  • Send to alerts option will direct your selection to Alerts module. The option opens a new web browser tab to Alerts interface listing filtered results.

You can also choose to save your current filters selection at any time. By pressing . button you are presented with three options of making your filters selection permanent:

  • Save as New Dashboard option opens Save as New Dashboard window which allows you to create a new dashboard. The following must be specified:

    • A convention-based name for the new dashboard. This name will show in dashboard lists

    • A descriptive friendly name for the new dashboard. This name will be displayed in Dashboards interface

    • A descriptive text detailing the information that will be presented in the new dashboard

    • The field by which the graph will be built

    • Graphic type (barchart, pie, gauge etc.)

  • Save as New Report option opens Save as New Report window which allows you to create a new report. You will need to add a report name and description before saving

  • Save as New Filter option opens Save as New Filter window which allows you to create a new filter. You will need to add a filter name and description before saving

Search and Filter section includes options for setting the date and time interval for which you need information. This feature is very helpful when you need to have a quick look on compliance over a certain period of time.

The interface allows you to set a specific start date and end date, and also provides quick date options (last hour, last day, last three days, last ten days, last 30 days, last 90 days). By default, Dashboards interface displays the last hour of data. Buttons below Start Date and End Date fields allow you to quickly increase or decrease the time interval, and to specify the time reference to be used (local time, GMT, or event time).

Dashboards section

This is the main display area for user dashboards. A logged in user is presented with the actionable dashgroups set for their profile. By clicking on a dashgroup, the user can display the dashboards included in that dashgroup.

Possible actions are:

  • Select -- By clicking on a dashgroup, the user can display the dashboards included in that dashgroup. For a selected dashgroup you get the possibility to quickly add or edit a dashboard in that dashgroup

  • Add dashgroup -- By pressing the . button at the end of dashgroups row, you can quickly create a new dashgroup in your profile and then populate it with dashboards by pressing . button.

  • Delete dashgroup -- Each dashgroup selector has a remove button in top-right corner, which becomes visible on mouse over action. Pressing the button permanently deletes the selected dashgroup. The action does not delete the dashboards linked to dashgroup, which can be then added again to a new dashgroup.

When clicking on a dashgroup, the included dashboards are listed in Dashboards interface. For all displayed dashboards, the following actions become visible on mouse over:

  • In the top-right corner of the dashboard you will find a set of quick-action buttons:

    • Maximize/Minimize -- Allows for expanding the dashboard to fit the entire display area, or shrinking it back to its original position

    • Export to CSV -- Saves a CSV file containing the events graphically displayed in the dashboard. The list of exported events matches the number set in Max. no. of items drop-down selection

    • Export Dashboard Object -- Creates an export of the dashboard's definition in proprietary format

    • Graph selection -- Opens a drop-down list of graphical formats available for dashboards, allowing you to quickly change the graphical display format for that dashboard. Changing the display format here does not change the dashboard definition and the change will be reverted on the next load.

    • Edit dashboard -- Allows you to edit and permanently change the dashboard definition

  • Max. no. of items option allows you to change the maximum number of entries displayed in the dashboard. Since the purpose of Dashboards interface is to provide a quick glance at the monitored environment in real time, the maximum number of events that can be displayed is limited.

  • A show/hide . button allows you to either show or hide the items list from view. The number of listed items depends on Max. no. of items set for that dashboard

Types of dashboards

Dashboards are divided into different categories. The most representative are:

  • Event related charts

  • Network-related charts

  • Active Directory related charts

Event related charts represent the dashboards built on events collected from various sources. Below are the most commonly used:

  • Gauge chart in reference to the top event categories

  • Pie chart in reference to event sources

  • Two-Level Pie chart in reference to event ID

  • Bar Chart in reference to the computer that generated the event

  • Area Chart in reference to the proportion between logons and logoffs

  • Histogram of the distribution of events over a selected time interval

Network-related charts represent the dashboards built on flows collected from NetFlow or other types of network flow sources. Below are the most commonly used:

  • Two-Level Pie chart in reference to top IP addresses found in logs

  • Gauge chart in reference to internal IP addresses identified in events

  • Bar Chart in reference to external IP addresses identified in events -- Top external IP addresses

Active Directory related charts

These represent the dashboards built on additional information collected from Windows Active Directory and other sources, correlating events with WMI, SNMP or other network flow sources. Below are the most commonly used:

  • Pie in reference to usernames - Top Users

  • Two-Level Pie chart in reference to computer names

  • Pie chart in reference to Active Directory accounts for users and computers

Browser Module

Browser Mode

Browser mode was introduced to the Web Interface to assist operators who need a clear view of the collected events. It can be accessed at any time by pressing the Browser module button in the top-left section of the Web Interface.

Working with Browser module

The module operation area is divided in two sections:

  • Search and Filter section allows you to granularly control what information is displayed

  • Results section contains the actionable data listed according to your searches and filters

  • Geolocation section is a graphical display that marks events on a world map according to the originating or destination IP address

Browser Search and Filter section

This section allows you to control what information is displayed in Browser, and to define additional filters and combination methods for the searched data within a specified date and time interval.

Search field provides the ability to filter displayed information by using free text capabilities. If nothing is entered in field box, all events are displayed.

You will find a similar search field available for Dashboards module. A complete guide to using free text capabilities is included in this manual.

Unlike in the Dashboards module, there is an extra drop-down list available next to the Search field. By pressing its button you can set how many items are displayed per page. The default is 10 items, but you can increase it to 50 or 100 items.

You can specify additional filters using Filtering options. By default, nothing is selected. When you access Additional filters drop-down list, you are presented with a large collection of pre-defined filters sorted by technology. You can select one, or multiple filters.

You will also need to select the logical method for combining selected filters in Combining method drop-down list. Available options are AND and OR logical operators. Please note the operator you choose applies to all selected filters.

When finished, press the apply button to apply your selections.

Other options available in Search and Filter section:

  • Send to investigations option will direct your selection to the Investigations module. The option opens a new web browser tab to the Investigations interface. You are presented with a Filter data window already populated with the filtering information you entered. Press the Get data button to extract data based on your filters and display it in the Investigations interface.

  • Send to dashboards option will direct your selection to Dashboards module. The option opens a new web browser tab to Dashboards interface listing filtered results.

  • Send to alerts option will direct your selection to Alerts module. The option opens a new web browser tab to Alerts interface listing filtered results.

  • Export all events option allows you to create a CSV export file containing all events listed in the Results section. Because the number of events can be very high, which may make the operation lengthy, pressing this button opens a status window showing the export percentage. When the export reaches 100%, you can save the file through the Download report CSV link.

You can also save your current filter selection at any time. Pressing the save button presents three options for making your filter selection permanent:

  • Save as New Dashboard option opens the Save as New Dashboard window, which allows you to create a new dashboard. The following must be specified:

      • A convention-based name for the new dashboard. This name will show in dashboard lists

      • A descriptive friendly name for the new dashboard. This name will be displayed in the Dashboards interface

      • A descriptive text detailing the information that will be presented in the new dashboard

      • The field by which the graph will be built

      • Graphic type (barchart, pie, gauge etc.)

  • Save as New Report option opens the Save as New Report window, which allows you to create a new report. You will need to add a report name and description before saving

  • Save as New Filter option opens the Save as New Filter window, which allows you to create a new filter. You will need to add a filter name and description before saving

Search and Filter section includes options for setting the date and time interval for which you need information. This feature is very helpful when you need to have a quick look on compliance over a certain period of time.

The interface allows you to set a specific start date and end date, and also provides quick options for the date range (last hour, last day, last three days, last ten days, last 30 days, last 90 days). By default, the Browser interface lists all events. Buttons below the Start Date and End Date fields allow you to quickly increase or decrease the time interval, and to specify the time reference to be used (local time, GMT, or event time).

Results section

This is the main display area for browsing activities. All events are listed in chronological order, with the number of items per page being the one set in the Search and Filter options.

Not all event fields are displayed. The default ones are LocalTime, Computer and Description, since these are the main correlation fields and should be included with all events. You can add or remove displayed fields by clicking the selector in the field selection bar. This opens a drop-down list of all available fields; selecting a field adds it to the list. You can remove a field at any time by clicking the x mark shown next to each selected field.

The following fields can be added:

  • Category -- Category to which the event belongs;

  • DestIP -- Destination IP address;

  • SrcIP -- Source IP address;

  • DestMAC -- Destination MAC address;

  • SrcMAC -- Source MAC address;

  • EventID -- Identification number of the event;

  • EventLog -- Event log to which the event pertains;

  • EventType -- Type of event to which the event pertains;

  • GMT -- Universal coordinated time;

  • PlatformID -- Identification number from computer where the event occurred;

  • SessionID -- Session identification number;

  • Source -- Source to which the event pertains;

  • UserDomain -- Domain containing the user that produced the event;

  • VersionMajor -- Major version number of the software that produced the event;

  • VersionMinor -- Minor version number of the software that produced the event;

  • S1-S150 -- Additional information fields.

The Browser interface enables you to act on listed events. For each event, pressing the action button on the left opens a drop-down menu with the following options:

  • View Event -- Opens an informational window with all event details

  • Export Event as JSON -- Exports the event as a JSON file

  • Create Investigation case -- opens Add evidence to new case window which allows an investigator to create a case based on a suspicious event. Case management is described in detail in CQ 2.15 User Guide, Case Management Module

  • Add to Existing investigation -- opens a selection window allowing you to add the event to an existing investigation case

  • Add to Event Actions (Map) -- If the event contains a public IP matching a geolocation reference, the event will be added to the world map in Geolocation section.

All fields except Description allow you to focus on a selected event, either by quickly filtering the listed events in Browser mode or by narrowing the navigation focus in other modules. Clicking any field of a specific event opens a drop-down menu with the following options:

  • Remove globally -- Creates a search that removes all events containing the selected field value from events list. The search is written in Search box

  • Show only this item globally -- Instructs Browser to filter listed events by selected field value. The search is written in Search box

  • Send to Investigations -- Directs your selection to the Investigations module. The option opens a new web browser tab to the Investigations interface. You are presented with a Filter data window already populated with the search information you entered. Press the Get data button to extract data based on your filters and display it in the Investigations interface.

  • Send to Dashboards -- Directs your selection to the Dashboards module. The option opens a new web browser tab to the Dashboards interface listing the search results.

  • Send to Browser as <value>/<field> -- Directs your selection to a new Browser tab listing the search results.

  • Send to Alerts -- Directs your selection to Alerts module. The option opens a new web browser tab to Alerts interface listing search results.

All quick actions described above operate by creating searches. The search is automatically written into the Search box. If several actions are applied without clearing the previous ones, Browser automatically joins them with an AND logical operator in the Search box. For example, two Remove globally instructions accumulate into a search similar to

NOT DestIP:"<IP_Address_1>" AND NOT Computer:"<IP_Address_2>"

For more information, please read CQ 2.15 User's Guide, Using Searches.

Geolocation section

When you instruct Browser to add an event to the map, and that event contains a public IP address with a geolocation reference, the event is marked on the world map. This allows users to see exactly where an event originates or what its destination is.

Using Searches

Running Searches

To begin searching, enter what you are looking for in the search box. For example, start with a user name, a network share path, a computer name or a phrase to look for in event fields.

A search involves all available item types (events, users, files, computers and so on) at once, no matter which item type is currently highlighted.

To display events from only a specific time period, use the time range filter options in Search and Filter section of Dashboards, Browser or Investigations modules.

Simple searches produce results where the term you specify is contained anywhere in the discovered data. To make your searches narrower and more relevant, you can use hints, for example by prefixing the field names to look in. For details, see Search Term Syntax below.

Automating Complex Search Scenarios

Some search workflow ideas are best expressed as multi-stage search queries where data produced by a search is automatically streamed into the next search in a chain. The pipe operator (|) helps you achieve this, and field names in curly braces specify which fields to analyse in that data.

Example 1:

Find the managers of all users who have created or deleted files on the \\FILESRV1\Software network share

"\\FILESRV1\Software" | Description:{SharePath} AND (What="File Created" OR What="File Deleted") | Who={Who} | DisplayName="{ManagedByDisplayName}"

Example 2:

Find events by users from the Milwaukee office on computer FILESRV1

Office="Milwaukee" | Who:{SAMAccountName} AND Where:filesrv1

Example 3:

Find computers where members of the Accounting group have logged in

"Accounting" | Who:{SAMAccountName} AND What:logon | Where={Where}

Example 4:

Find all users from the same office as user dshaw

Who="dshaw" | Office="{Office}"

Search Term Syntax

Use the following syntax for search terms in the search box. Searches are case-insensitive.

Single-Word Terms

This is known as full-text search. The search involves all available fields and uses the Contains operator.

  • Look for a single-word term in any attribute
    Syntax: a word without spaces
    Example: john
    john matches John or john in any attribute, but does not match stjohn in any attribute

  • Look for a single-word term with the specified beginning in any attribute
    Syntax: a word ending in an asterisk (*), without spaces
    Example: john*
    john* matches John or Johnson in any attribute

  • Find entries where a specific single-word term is not contained in any attribute
    Syntax: a word without spaces, with a leading hyphen
    Example: -john
    -john may match entries that contain stjohn, but does not match entries that contain john in any attribute

  • Find entries where a specific single-word term with the specified beginning is not contained in any attribute
    Syntax: a word ending in an asterisk (*), without spaces, with a leading hyphen
    Example: -john*
    -john* may match entries that contain stjohn, but does not match entries that contain john or johnson in any attribute

Term Combinations

  • Look for entries with specific single-word terms in any attributes
    Syntax: words separated by spaces
    Example: john glen*
    john glen* matches john and glen, or john and glenda, or john and glen and glenda, wherever they are found

  • Look for entries that do not contain specific single-word terms in any attribute
    Syntax: words without spaces, each with a leading hyphen
    Examples: -john -glen* and john -glen
    -john -glen* matches entries that do not contain john or glen anywhere
    john -glen matches entries that contain john in any attribute and at the same time do not contain glen or glenda anywhere

  • Look for entries with a specific multiple-word phrase in any attribute
    Syntax: a phrase in quotation marks
    Example: "Account Logon"
    "Account Logon" matches entries that contain the exact phrase Account Logon in any attribute

  • Look for entries that do not contain a specific multiple-word phrase in any attribute
    Syntax: a phrase in quotation marks, with a leading hyphen
    Example: logon server01 -"Account Logon"
    logon server01 -"Account Logon" matches entries that contain the words logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute

  • Meet one of the specified terms (or sets of terms)
    Syntax: terms (single words or phrases) separated by the OR operator; this operator has the following specifics:
      • it is case-sensitive: it must always be specified as OR
      • it denotes a choice between everything to the left of it and everything to the right of it
      • you can use multiple OR operators in a query; the boundary of an OR clause is the beginning of the query, the end of the query, or another OR
    Examples: paul john OR Thomas and -"logon/logoff" server01 OR stjohn
    paul john OR Thomas matches entries that contain either both john and paul, or thomas anywhere
    -"logon/logoff" server01 OR stjohn matches either entries without the phrase logon/logoff that contain server01, or entries with stjohn (no matter whether they contain the phrase logon/logoff)

  • Explicitly mark an AND operation for visual clarity
    Syntax: terms (single words or phrases) separated by the AND operator; this operator has the following specifics:
      • it is case-sensitive: it must always be specified as AND
      • it can be omitted wherever it occurs
    Examples: paul AND john and paul john
    paul AND john and paul john are identical in meaning: look for entries where both paul and john occur

  • Group and nest terms for logical operations on them
    Syntax: parentheses enclosing the terms you want to group
    Example: (homer marge) OR (peter lois)
    (homer marge) OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge
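The single-word and term-combination rules above can be checked against sample data with the following Python matcher, an example added for this guide rather than code from CyberQuest. It implements whole-word matching (so john does not match stjohn), the trailing-asterisk prefix form, leading-hyphen negation, quoted phrases, the case-sensitive OR and optional AND operators, and parentheses. The event records and the function names are constructed for the example; doubled double quotes inside phrases are not handled here.

```python
import re

# Constructed sample events (not product data); every attribute is searchable.
EVENTS = [
    {"Id": 1, "Who": "john", "Computer": "server01", "Description": "Account Logon succeeded"},
    {"Id": 2, "Who": "stjohn", "Computer": "server02", "Description": "Account Logoff"},
    {"Id": 3, "Who": "glenda", "Computer": "filesrv1", "Description": "File Created by john"},
    {"Id": 4, "Who": "paul", "Computer": "server01", "Description": "Account Logon failed for john"},
    {"Id": 5, "Who": "thomas", "Computer": "server01", "Description": "Logon/Logoff audit"},
    {"Id": 6, "Who": "johnson", "Computer": "server02", "Description": "Account Logoff"},
]

# Tokens: parentheses, optionally negated quoted phrases, optionally negated words.
# OR and AND are ordinary tokens here; the parser recognises them case-sensitively.
TOKEN_RE = re.compile(r'\(|\)|-?"[^"]*"|-?[^\s()]+')


def _words(value):
    """Whole words of an attribute value, lower-cased, so that john does not match stjohn."""
    return re.findall(r"\w+", str(value).lower())


def term_matches(term, event):
    """Apply one term (word, word*, "phrase", each optionally prefixed by -) to all attributes."""
    negate = term.startswith("-")
    if negate:
        term = term[1:]
    values = [str(v) for v in event.values()]
    if len(term) >= 2 and term.startswith('"') and term.endswith('"'):
        phrase = term[1:-1].lower()           # exact phrase, anywhere in an attribute
        hit = any(phrase in v.lower() for v in values)
    elif term.endswith("*"):
        prefix = term[:-1].lower()            # trailing asterisk: word with this beginning
        hit = any(w.startswith(prefix) for v in values for w in _words(v))
    else:
        word = term.lower()                   # plain word: whole word, case-insensitive
        hit = any(w == word for v in values for w in _words(v))
    return not hit if negate else hit


class _Parser:
    """or_expr := and_expr (OR and_expr)*; and_expr := unit (AND? unit)*;
    unit := '(' or_expr ')' | term. A space between units is an implicit AND."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.toks[self.i - 1]

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unit()
        while self.peek() not in (None, "OR", ")"):
            if self.peek() == "AND":          # explicit AND is optional
                self.take()
            node = ("and", node, self.unit())
        return node

    def unit(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        return ("term", tok)


def parse_query(query):
    """Parse a search string into a tree; an empty query is None and matches everything."""
    tokens = TOKEN_RE.findall(query)
    if not tokens:
        return None
    parser = _Parser(tokens)
    tree = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return tree


def evaluate(tree, event):
    if tree is None:
        return True
    if tree[0] == "term":
        return term_matches(tree[1], event)
    left, right = evaluate(tree[1], event), evaluate(tree[2], event)
    return (left and right) if tree[0] == "and" else (left or right)


def search(query, events=EVENTS):
    """Return the events matching a free-text query, in their original order."""
    tree = parse_query(query)
    return [e for e in events if evaluate(tree, e)]
```

Running search('logon server01 -"Account Logon"') over the sample returns only event 5: events 1 and 4 contain logon and server01 but are excluded by the negated phrase, while event 2 contains Logoff, not the word logon.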

Searching in Specific Attributes

To apply your search term only to a particular attribute, prepend the name of the attribute with a colon (:) or equals sign (=) to your search term, as shown in the table below. If the attribute name is made up of multiple words, enclose it in brackets (as in [log name]:security). All the syntax conventions described above also apply.

The following distinction is important:

  • Labels unambiguously mapped to entry attributes; for example, Path:"Documents and Settings" in file access entries. In this case, the search involves the specified field and uses the Contains operator.

  • Labels mapped to different attributes in different contexts (known as normalized attributes); for example, Where:primrose would mean the primrose domain for users or groups, the primrose computer for files or shares, and so on. In this case, the search involves the associated fields as necessary and may even modify the search terms.

Specifying Quotation Marks

If your search term must include double quotes ("), then for each double quote you need to supply an additional double quote as an escape character. See the following examples:

  • To find the string the "Cancel" button, specify the term "the ""Cancel"" button"

  • To find the string computer "kltest16", specify the term "computer ""kltest16"""

This requirement does not apply to apostrophes, which are frequently used as quotes. Single quotes of this kind do not need escaping and should be specified in a plain string, as in "local 'Administrator' user".

Filter Syntax

Select one of the operators (explained in the following table) and enter your filter terms.

  • Contains -- Syntax: [FieldName]:<terms>; Example: Name:Paul; Meaning: the attribute contains all of the specified terms at once, in any combination

  • Does not contain -- Syntax: NOT [FieldName]:<terms>; Example: NOT Name:John; Meaning: the attribute contains none of the specified terms anywhere

  • Equals -- Syntax: [FieldName]:<phrase>; Example: Name:"John Paul"; Meaning: the attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator

  • Does not equal -- Syntax: NOT [FieldName]:<phrase>; Example: NOT SamAccountName:jpaul; Meaning: the attribute contents are not identical to the specified phrase; do not enclose the phrase in quotation marks for this operator

The following search syntax rules described above also apply to filter terms:

  • Terms are case-insensitive

  • The term can be a single word, multiple words, or a phrase in quotation marks.

  • In single-word terms, a trailing asterisk is treated as a wildcard character

  • In exact phrases, an asterisk is treated as a regular character.

Making Multi-Stage Searches

You have the option to run a search on the results of another search. It is a way to automate your established search practices, and it may provide a clearer and more convenient representation of your intentions.

This is similar to how the output of a command is redirected into another command as its input in PowerShell and Unix shell languages. Accordingly, search result redirection is provided by the familiar pipe (|) operator.

To indicate a field whose value should be carried over from the left query to the right through the pipe, enclose the field name in curly braces, as in {Where} or {EventID}.

Example:

"rd.itsearch" | What:Logon AND Who:"{SAMAccountName}" | Name="{Where}"

In this three-stage search, the initial results are refined twice. First, it finds all users that are members of the rd.itsearch group. For these users, it finds the events whose Who field contains one of the users' SAM account names and whose What field contains "Logon". Finally, it picks only the entries whose Name matches any of the computer names discovered in the Where field of the resulting events.
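To make the Filter Syntax operators and the pipe carry-over concrete, here is an added Python example (written for this guide, not CyberQuest code) that runs a multi-stage query over a constructed store of user, event and computer records. Each stage is a conjunction of clauses in the Contains (Field:term), Equals (Field=term), NOT and free-text forms; every {Field} placeholder expands to all distinct values that field had in the previous stage's results, so a clause matches when any carried value matches. The record fields, the Type attribute and the function names are assumptions made for the example.

```python
import re

# Constructed sample store (not product data). Users, events and computers live together,
# since a search "involves all available item types at once".
RECORDS = [
    {"Id": 1, "Type": "user", "SAMAccountName": "jsmith", "Office": "Milwaukee", "MemberOf": "rd.itsearch"},
    {"Id": 2, "Type": "user", "SAMAccountName": "dshaw", "Office": "Milwaukee", "MemberOf": "Accounting"},
    {"Id": 3, "Type": "user", "SAMAccountName": "ahill", "Office": "Boston", "MemberOf": "Accounting"},
    {"Id": 4, "Type": "event", "Who": "jsmith", "What": "Logon", "Where": "filesrv1"},
    {"Id": 5, "Type": "event", "Who": "dshaw", "What": "Logon", "Where": "ws-0042"},
    {"Id": 6, "Type": "event", "Who": "ahill", "What": "File Created", "Where": "filesrv1"},
    {"Id": 7, "Type": "event", "Who": "jsmith", "What": "Logoff", "Where": "filesrv1"},
    {"Id": 8, "Type": "computer", "Name": "filesrv1", "OS": "Windows Server"},
    {"Id": 9, "Type": "computer", "Name": "ws-0042", "OS": "Windows 10"},
]

# One clause: optional NOT, optional [Field]: or Field: (Contains) or Field= (Equals), then a
# term that is either a quoted phrase or a single token. A term without a field is free text.
CLAUSE_RE = re.compile(r'^(?P<neg>NOT\s+)?(?:(?P<field>\[[^\]]+\]|\w+)(?P<op>[:=]))?(?P<term>"[^"]*"|\S+)$')
PLACEHOLDER_RE = re.compile(r"\{(\w+)\}")


def expand(term, carried):
    """Replace each {Field} placeholder by every carried-over value of that field.
    Returns the set of concrete terms; with no carried values the set is empty, so a
    placeholder clause matches nothing (there was nothing to carry over)."""
    m = PLACEHOLDER_RE.search(term)
    if not m:
        return {term}
    return {t for v in carried.get(m.group(1), set())
            for t in expand(term[:m.start()] + v + term[m.end():], carried)}


def clause_matches(clause, record, carried):
    m = CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"cannot parse clause {clause!r}")
    field = m.group("field").strip("[]") if m.group("field") else None
    hit = False
    for concrete in expand(m.group("term"), carried):
        needle = concrete.strip('"').lower()     # searches are case-insensitive
        if field is None:                        # free text: any attribute contains the term
            hit = any(needle in str(v).lower() for v in record.values())
        elif field in record:
            value = str(record[field]).lower()
            hit = value == needle if m.group("op") == "=" else needle in value
        if hit:
            break                                # "any of the discovered values" semantics
    return not hit if m.group("neg") else hit


def run_stage(stage, records, carried):
    """One pipe stage: clauses joined by AND (the only combinator modelled here)."""
    clauses = [c for c in re.split(r"\s+AND\s+", stage.strip()) if c]
    return [r for r in records if all(clause_matches(c, r, carried) for c in clauses)]


def run_pipeline(query, records=RECORDS):
    """Run stage after stage over the whole store; the distinct field values of each
    stage's results become the {Field} substitutions for the next stage."""
    carried, results = {}, []
    for stage in query.split("|"):
        results = run_stage(stage, records, carried)
        carried = {}
        for r in results:
            for f, v in r.items():
                carried.setdefault(f, set()).add(str(v))
    return results
```

With the sample store, the three-stage query from the text finds user jsmith via the rd.itsearch group, then the jsmith Logon event on filesrv1, and finally the filesrv1 computer record through Name="{Where}". Each stage searches the whole store again; only the placeholder values flow through the pipe.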

Investigations Module

Investigations Mode

Investigation mode is intended to assist an investigation flow through a guided, tree-based representation of the audit information collected from the network. This mode uses native data correlation to visually connect related events. It has the unique ability to connect events that apparently do not relate to each other: events that share no common connection point such as computer name, user name, originating point or destination IP address, and that are not part of a defined non-compliance pattern based on any of those attributes and an event ID.

The purpose of this functionality is to create bonds between various events and fields or strings. An investigation is presumed to start from an event that needs to be investigated, then to follow a step-by-step breadcrumb trail to adjacent helpful information. The starting event can mark the trail for a user logon, access to a file, an IP address, or a configuration change.

Starting from the initially provided information, investigators can easily discover the events associated with the initial marking point, dynamically correlating the information around fields or strings.

Working with Investigations module

You access Investigation mode by pressing the Investigations button in the top-left section of the Web Interface.

Filter Data window

Unlike the modules described in previous chapters, the Investigations interface first opens a Filter Data window similar to the Search and filter sections of the Dashboards or Browser modules. CyberQuest uses a different approach for the Investigations module because, unlike Dashboards or Browser, there is no default information to display, and because an investigator needs as much screen space as possible to carry out the investigation.

There are several similarities for data filtering options you also find in Browser mode. Search field provides the ability to filter displayed information by using free text capabilities. If nothing is entered in field box, all events are displayed.

By pressing the button next to the Search field you can set how many items are displayed per page. The default is 10 items, but you can increase it to 50 or 100 items.

You can specify additional filters using Filtering options. By default, nothing is selected. When you access Additional filters drop-down list, you are presented with a large collection of pre-defined filters sorted by technology. You can select one, or multiple filters.

You will also need to select the logical method for combining selected filters in Combining method drop-down list. Available options are AND and OR logical operators. Please note the operator you choose applies to all selected filters.

When finished, press the Get data button to apply your selections, or the close button to close the window without saving changes. You can also close the window without saving changes by clicking the X mark in the top-right corner.

Other options available in Filter Data window:

  • Send to dashboards option will direct your selection to Dashboards module. The option opens a new web browser tab to Dashboards interface listing filtered results.

  • Send to browser option will direct your selection to Browser module. The option opens a new web browser tab to Browser interface listing filtered results.

  • Send to alerts option will direct your selection to Alerts module. The option opens a new web browser tab to Alerts interface listing filtered results.

Filter Data window includes options for setting the date and time interval for which you need information. This feature is very helpful when you need to have a quick look on compliance over a certain period of time.

The interface allows you to set a specific start date and end date, and also provides quick options for the date range (last hour, last day, last three days, last ten days, last 30 days, last 90 days). By default, the interface lists all events. Buttons below the Start Date and End Date fields allow you to quickly increase or decrease the time interval, and to specify the time reference to be used (local time, GMT, or event time).

Remember to press the Get data button to apply your selections and display the Investigations interface. If you click outside the window, or close the window without getting data, the interface is displayed without any information. The only way to load events and operate in this mode is then to reload the page or press the New Investigation button in the Investigations page.

New Investigation page

When pressing Get data button, Filter Data window will close, and a New Investigation page will open. The investigation tree is displayed on page centre.

Clicking any event in the investigation tree causes the event information to be displayed in the Event details section on the left of the page. The following actions are possible:

  • Clicking on any of the event details opens a new Filter Data window pre-populated with the search containing your selection, date and time of the event as start date and end date incremented by one hour from start date. You can change any of the filters here and modify the search if needed, before pressing Get data button.

  • The investigation tree will expand with a new branch starting from your previously selected event, which contains events that are correlated to previously selected event

  • From this point you can repeat the process by selecting an event on the new branch and then choosing a detail in the refreshed Event details section, which causes a new Filter data window to open

The process can be repeated indefinitely.

Pressing the More button for an event listed in the Event details section shows the parsed information in the Description field; pressing it again hides the additional information. It is also possible to run an investigation on the parsed information in the Description field, not only on the standard event fields.

Pressing the case management button here opens a Case Management pop-up allowing you to add the event to a new or existing investigation case. You can find additional information about case management in CQ 2.15 User's Guide, Case Management module.

The scale of main investigation tree can be increased or decreased from mouse scroll wheel, and you can move the tree in New Investigation main section as needed in order to properly observe the investigation logic, follow the breadcrumbs and steer your investigation accordingly by selecting other events and filtering data.

Remember that for any branch in tree, the number of events displayed in page is the one set in your original Filter data selection. Therefore, if the number of events is higher than maximum to be displayed, additional data pages are created.

The Current data section to the right of the New Investigation page allows you to navigate forward and backward through these data pages by pressing the previous and next buttons. The values displayed in the section's header change accordingly.

On the right side the system shows statistics about the current events, giving an overview of the current result set. By default, the system displays the events returned by your query grouped by the Category field, in Pie format. Using the controls, you can choose other groupings and other formats in which the results are shown.

Logon investigation scenario example

The investigation scenario is to find the authentications to resources by a given user within a certain period of time.

Step 1:

Access the Investigation mode from Web Interface.

Step 2:

Insert the username in the search field. This can be done in one of two ways:

a. If you want to treat the username as a string and search for it in all event fields, enter it directly

b. If you want to filter exactly on the username field, use the field notation (UserName:"investigateduser"), where investigateduser stands for the account being investigated

The entered text is interpreted according to the search syntax. Valid examples for the search:

  • Simple search: test;

  • Simple exact search: "test. User2";

  • Complex search (space is interpreted as logic operator 'OR'): test user2;

  • Complex search with field: (UserName:"test. User2") AND (IP:"192.168.190.5");

  • Complex search with OR and AND: ((UserName:"test. User2") OR (UserName:"test. User1")) AND (IP:"192.168.190.5").

Step 3:

Select the timeframe we are searching for by choosing the start/end time. To change these, additional buttons can be used: these automatically add/subtract days/hours/minutes from the current day/hour.

Step 4:

Click the Get data button. The system will show the requested results or a message that "No result has been found". The results are displayed as a tree.

Step 5:

Select an event (a dot) on the left side of the screen, and all the fields pertaining to that specific event are shown. These fields are either standard fields from the Windows environment or fields specific to other types of events. The Description field can be minimized or maximized to show additional information for that event by pressing the More button.

Alerts Module

Introduction to Alerts Module

CyberQuest's alerting feature is a completely customizable module for each connected user. The event triggering an alert can be user-defined to respond to specific needs, ensuring great accuracy and reducing false alerting to a minimum. This is done from the Alerts options in the Settings menu.

Customization capabilities for each option are described below.

Real time alerts customization

From Settings menu, select Alerts > Realtime. Alerts customization page opens in Alerts module interface. All alert definitions are listed here and can be edited, deleted or quickly exported to a CQO file.

Press the add button to create a new alert definition. The Alert Settings window opens, allowing you to create a new custom alert specific to your needs. The window functions are identical to the ones for editing an alert and are described later in this chapter.

Press the import button to import an alert definition from an existing CQO file.

Click Show 100 entries drop-down list to change the number of alert definitions displayed on a page. Valid options are 100, 50, 25 and 10 entries.

At the bottom of page, a navigation selector allows you to navigate through pages containing alert definitions.

Editing an alert definition

Press the edit button to edit an existing definition. The Alert Settings window opens.

Under Alert Name section, you can set the following options:

  • Enter an alert name, or change or keep the existing one.

  • Choose a notification template to apply to your alert. You can choose from built-in or custom notification templates. Default is Default notification.

  • Select ALERT ACTIVE checkbox if the alert is active or uncheck to inactivate it.

  • Change the predefined value for Time frame (TTL) or leave the default. This setting tells the alert how long to stay active once triggered, reducing the number of repeated alerts.

  • Set an Alert Security Score baseline from 1 to 100. When an alert is triggered, its security score changes dynamically starting from this baseline, depending on the defined rules and the number of events. A real-time security score cannot be lower than the defined baseline nor higher than 100. Security scores are marked in a colour code:

      • Green indicates a low alert. Maximum is 30

      • Yellow indicates a medium alert. It ranges from 31 to 60

      • Red indicates a high alert. It ranges from 61 to a maximum of 100

  • Set an Alert Security Level baseline from 1 to 10. Security levels behave in a similar manner to security scores and support the same colour coding.

  • The Send as Alert checkbox has an effect similar to ALERT ACTIVE. When it is unchecked, the alert remains active but produces no visible effect; it still feeds the backend correlation of anomaly analysis across multiple events, triggers and alerts.

  • The Send via Email checkbox sends the alert to the defined recipients.

  • If a script execution can be associated with the alert, also check the Has Script Rule checkbox. The script rule is the last rule in the rule conditions list and prevails over all other rules. Press the script button to open the Script Editor window, where you can create a custom script to apply as a rule.

Under the Rules section, you can define in detail the rules controlling the alert behaviour: from single-event rules to any correlation between events, the order in which events occur, correlation on an event missing from a logical succession of events, and so on.


The left pane lists the defined rules. The following actions are available:

  • Add a new rule by pressing the add button. The new rule is defined in the Rule Settings pane on the right

  • Navigate through the defined rules using the Previous and Next buttons. The selected rule is highlighted in yellow and its settings are shown in the Rule Settings pane.

  • Delete a rule by pressing the delete button

The Rule Settings pane helps you define the rule logic. Rule logic consists of field, report and correlation conditions separated by the logical operators AND, OR and NOT.

Each rule has:

  • A Description, where you enter text describing the rule

  • A Rule's Trigger Type, presented as a drop-down list where you can choose from:

      • A single event trigger

      • Count until MaxThreshold is reached before the TTL expires, or the TTL expires and the count has reached MinThreshold

      • Sum PivotField until MaxThreshold is reached before the TTL expires, or the TTL expires and the sum of PivotField has reached MinThreshold

      • Average on PivotField until the TTL expires and the average reaches the MinThreshold value

  • MaxThreshold, MinThreshold and TTL (sec.) values for the rule's trigger type
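The threshold trigger types listed above, as an added example that is not CyberQuest code: a small evaluator that aggregates the events collected for one rule (count, sum or average on a PivotField) and reports whether the rule fires, either because MaxThreshold was reached before the TTL expired or because the TTL expired with MinThreshold reached. The event shape, the option names and the exact firing semantics are assumptions made for illustration; the sample events are constructed.

```javascript
// Added example, not CyberQuest code. Event shape, option names and firing
// semantics are assumptions for illustration.

// events: [{ time: <ms since epoch>, fields: { ... } }] collected for one rule,
//         in arrival order; the window opens at the first event's time.
// trigger: { type: 'count' | 'sum' | 'average', pivotField, maxThreshold,
//            minThreshold, ttlSec }
// now: current time in ms. Returns { fired, reason, value }.
function evaluateTrigger(trigger, events, now) {
  if (events.length === 0) {
    return { fired: false, reason: 'no events', value: 0 };
  }
  const windowStart = events[0].time;
  const ttlMs = trigger.ttlSec * 1000;
  const ttlExpired = now - windowStart >= ttlMs;
  // Only events that arrived inside the TTL window are aggregated
  const inWindow = events.filter(e => e.time - windowStart < ttlMs);
  const numeric = e => Number(e.fields[trigger.pivotField]) || 0;

  let value;
  switch (trigger.type) {
    case 'count':
      value = inWindow.length;
      break;
    case 'sum':
      value = inWindow.reduce((acc, e) => acc + numeric(e), 0);
      break;
    case 'average':
      value = inWindow.reduce((acc, e) => acc + numeric(e), 0) / inWindow.length;
      break;
    default:
      throw new Error('unknown trigger type: ' + trigger.type);
  }

  // Count and Sum fire early when MaxThreshold is reached before the TTL expires
  if (trigger.type !== 'average' && !ttlExpired && value >= trigger.maxThreshold) {
    return { fired: true, reason: 'MaxThreshold reached before TTL expired', value };
  }
  // All three types fire when the TTL expires with at least MinThreshold reached
  if (ttlExpired && value >= trigger.minThreshold) {
    return { fired: true, reason: 'TTL expired with MinThreshold reached', value };
  }
  return {
    fired: false,
    reason: ttlExpired ? 'TTL expired below MinThreshold' : 'window still open',
    value,
  };
}

// Constructed sample: failed logons (EventID 4625) for one user, 10 s apart
const T0 = Date.parse('2024-03-01T08:00:00Z');
const failedLogons = [0, 10, 20, 30, 40].map(sec => ({
  time: T0 + sec * 1000,
  fields: { EventID: 4625, UserName: 'jdoe', BytesSent: 200 + sec },
}));

const countTrigger = { type: 'count', pivotField: null, maxThreshold: 5, minThreshold: 2, ttlSec: 60 };
const sumTrigger = { type: 'sum', pivotField: 'BytesSent', maxThreshold: 2000, minThreshold: 400, ttlSec: 60 };
const avgTrigger = { type: 'average', pivotField: 'BytesSent', maxThreshold: 0, minThreshold: 220, ttlSec: 60 };

// Evaluates the constructed triggers at a few points in time
function demo() {
  return {
    twoFailures: evaluateTrigger(countTrigger, failedLogons.slice(0, 2), T0 + 25 * 1000),
    twoFailuresAfterTtl: evaluateTrigger(countTrigger, failedLogons.slice(0, 2), T0 + 61 * 1000),
    fiveFailures: evaluateTrigger(countTrigger, failedLogons, T0 + 45 * 1000),
    bytesAfterTtl: evaluateTrigger(sumTrigger, failedLogons, T0 + 61 * 1000),
    avgAfterTtl: evaluateTrigger(avgTrigger, failedLogons, T0 + 61 * 1000),
  };
}
```

Run `demo()` to see the four outcomes side by side: two failures inside the window keep the rule waiting, the same two failures fire once the TTL has expired (MinThreshold 2 reached), five failures fire immediately (MaxThreshold), and the Sum and Average variants fire on TTL expiry with their PivotField aggregates.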

You can add, edit or delete rule conditions:

  • To add a field condition, press the add field condition button. In the SelectField drop-down, select a representative event field. From the next drop-down, select the appropriate value operator. In the third field, enter the desired value

  • To add a report condition, press the add report condition button. The rule condition presents a drop-down list from which you can select any existing report.

  • To add a correlation condition, press the add correlation condition button. The correlation condition presents two Select Field drop-downs for choosing the event fields to correlate, a comparison operator drop-down (equal, not equal, lower, lower or equal, bigger, bigger or equal) and an option to choose the rule condition to which the correlation applies.

Remember that a script rule, once added, acts as the last rule condition in the chain and its effect supersedes all rule conditions defined above it.

You can delete a rule condition by pressing the delete button at the far right of the condition.

When you add a rule condition, a logical operator is automatically inserted to join it to the previous condition. The default operator is AND. Click the switch to change it to OR; click again to change it back to AND.

If the logical chain requires it, a NOT operator is also available as a checkbox. By default it is not selected. Select the checkbox to apply the operator; the logical expression interpreted within your rule then becomes AND NOT or OR NOT respectively.

Note that rule conditions are evaluated in the order they were added, one after the other.

When finished, press the save button at the top to save your rule and return to the alert definitions list, or press the cancel button to discard all changes.
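The condition chain described above (field and correlation conditions joined by the AND/OR switch and the NOT checkbox, evaluated in the order they were added), as an added example that is not CyberQuest code. The condition object layout, the operator spellings, the way a correlation condition references the event matched by another condition (a `matched` map keyed by an assumed label) and the sample events are all assumptions made for illustration; Windows event IDs 4625, 4624 and 4771 are real IDs used only as sample data.

```javascript
// Added example, not CyberQuest code. Condition layout, operator names and the
// `matched` representation for correlation conditions are assumptions.

const OPERATORS = {
  'equal':           (a, b) => String(a) === String(b),
  'not equal':       (a, b) => String(a) !== String(b),
  'lower':           (a, b) => Number(a) <  Number(b),
  'lower or equal':  (a, b) => Number(a) <= Number(b),
  'bigger':          (a, b) => Number(a) >  Number(b),
  'bigger or equal': (a, b) => Number(a) >= Number(b),
};

// A field condition compares event[field] to a literal value.
// A correlation condition compares event[field] to otherField of the event
// that matched another rule condition; `matched` holds those events keyed by
// the label in cond.appliesTo (assumed representation).
function evaluateCondition(cond, event, matched) {
  const op = OPERATORS[cond.operator];
  if (!op) throw new Error('unknown operator: ' + cond.operator);
  const left = event[cond.field];
  let right;
  if (cond.kind === 'correlation') {
    const other = matched && matched[cond.appliesTo];
    if (!other) return false;              // nothing to correlate against yet
    right = other[cond.otherField];
  } else {
    right = cond.value;
  }
  return op(left, right);
}

// Conditions are folded strictly left to right (no operator precedence),
// which is what "added in order, one subsequent to the other" implies.
function evaluateChain(conditions, event, matched) {
  let result = null;
  conditions.forEach((cond, i) => {
    let value = evaluateCondition(cond, event, matched);
    if (cond.not) value = !value;                        // AND NOT / OR NOT
    if (i === 0) result = value;                         // first condition has no connector
    else if (cond.connector === 'OR') result = result || value;
    else result = result && value;                       // default connector is AND
  });
  return result === true;
}

// Constructed rule: network (LogonType 3) failed logon (4625) that is not the
// backup service account, OR a Kerberos pre-authentication failure (4771).
const failedLogonRule = [
  { kind: 'field', field: 'EventID',   operator: 'equal', value: 4625 },
  { kind: 'field', field: 'LogonType', operator: 'equal', value: 3, connector: 'AND' },
  { kind: 'field', field: 'UserName',  operator: 'equal', value: 'svc_backup', connector: 'AND', not: true },
  { kind: 'field', field: 'EventID',   operator: 'equal', value: 4771, connector: 'OR' },
];

// Constructed rule with a correlation condition: a successful logon (4624)
// whose UserName equals the UserName of the event matched under 'failedLogon'.
const successAfterFailureRule = [
  { kind: 'field', field: 'EventID', operator: 'equal', value: 4624 },
  { kind: 'correlation', field: 'UserName', operator: 'equal',
    otherField: 'UserName', appliesTo: 'failedLogon', connector: 'AND' },
];

// Constructed sample events
const failedNetworkLogon   = { EventID: 4625, LogonType: 3, UserName: 'jdoe',       Computer: 'WS01' };
const serviceAccountFailure = { EventID: 4625, LogonType: 3, UserName: 'svc_backup', Computer: 'WS01' };
const successfulLogon      = { EventID: 4624, LogonType: 3, UserName: 'jdoe',       Computer: 'WS01' };

function demo() {
  return {
    userFailure:      evaluateChain(failedLogonRule, failedNetworkLogon),
    serviceFailure:   evaluateChain(failedLogonRule, serviceAccountFailure),
    successAlone:     evaluateChain(failedLogonRule, successfulLogon),
    correlatedSuccess: evaluateChain(successAfterFailureRule, successfulLogon, { failedLogon: failedNetworkLogon }),
    uncorrelatedSuccess: evaluateChain(successAfterFailureRule, successfulLogon, { failedLogon: serviceAccountFailure }),
    noPriorMatch:     evaluateChain(successAfterFailureRule, successfulLogon, {}),
  };
}
```

Because the chain is folded left to right, `A AND B OR C` reads as `(A AND B) OR C`; keep that in mind when mixing connectors, and prefer a separate rule where you need a different grouping.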

Default script rule example:

```javascript
var obj = {
  Exec: function (Alert) {
    // The alert state is passed in as a JSON string
    var currentAlertState = JSON.parse(Alert);

    // In order to filter the current alert based on custom scenarios,
    // return null;
  }
};
```
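A script rule built on the default skeleton above, as an added example that is not CyberQuest code. It assumes the same Exec(Alert) contract shown in the default script: the alert state arrives as a JSON string, returning null filters the alert out, and returning nothing (as the default script does) lets the alert proceed. The JSON field names AlertSecurityScore and Users mirror the Alert Viewer fields described later in this chapter and are assumptions about the serialized layout; the score cut-off, the service account list and the sample alerts are constructed.

```javascript
// Added example, not CyberQuest code. Assumes the Exec(Alert) contract of the
// default script (null = filter, no return value = keep); the JSON field
// names are assumptions about the alert layout.

var SUPPRESS_BELOW_SCORE = 40;                         // constructed tuning value
var SERVICE_ACCOUNTS = ['svc_backup', 'svc_monitor'];  // constructed allow-list

// Returns 'suppress' when a low-score alert involves only known service
// accounts (a recurring false positive in this constructed scenario),
// otherwise 'pass'. Alerts with no listed users are never suppressed.
function decide(state) {
  var users = Array.isArray(state.Users) ? state.Users : [];
  var onlyServiceAccounts = users.length > 0 && users.every(function (u) {
    return SERVICE_ACCOUNTS.indexOf(u) !== -1;
  });
  var lowScore = Number(state.AlertSecurityScore) < SUPPRESS_BELOW_SCORE;
  return lowScore && onlyServiceAccounts ? 'suppress' : 'pass';
}

var obj = {
  Exec: function (Alert) {
    var currentAlertState = JSON.parse(Alert);
    if (decide(currentAlertState) === 'suppress') {
      return null;   // filter this alert, as the default script's comment describes
    }
    // Fall through without a return value to keep the alert
  }
};

// Constructed alert states for trying the rule offline
var SAMPLE_ALERTS = {
  backupNoise: JSON.stringify({ AlertSecurityScore: 25, AlertSecurityLevel: 2, Users: ['svc_backup'] }),
  userActivity: JSON.stringify({ AlertSecurityScore: 25, AlertSecurityLevel: 2, Users: ['jdoe', 'svc_backup'] }),
  highScoreService: JSON.stringify({ AlertSecurityScore: 70, AlertSecurityLevel: 7, Users: ['svc_monitor'] }),
};

// Runs every sample through Exec(): null means filtered, undefined means kept
function runSamples() {
  var out = {};
  Object.keys(SAMPLE_ALERTS).forEach(function (name) {
    out[name] = obj.Exec(SAMPLE_ALERTS[name]);
  });
  return out;
}
```

Keep the decision logic in a plain function such as `decide()` so it can be exercised outside the Script Editor; the `Exec` wrapper then only translates its answer into the return convention the engine expects.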

Summary alerts customization

From the Settings menu, select Alerts > Summary. The Registered Summary Alerts page opens, allowing you to manage registered summary alerts and alert templates.

By default, the page shows a list of defined summary alerts. From the list you can quickly activate or deactivate, as well as view, edit or delete a registered summary alert.


Press the view button to quickly view the definition of a registered summary alert, including its parameters, internal GUID and the alert template (if any) from which the alert was built.

Press the edit button to edit the alert. Below is a short description of each setting in the Edit Summary Alert page:

  • Name field contains the registered summary alert name

  • Report is the report for which the current summary alert is generated

  • Security Score and Security Level fields display the baseline value for the summary alert's security threat. As explained for alert definitions, this score is used for internal anomaly analytics scoring

  • SummaryOn Level n, Time, TimeInterval Unit, Summary Type, Split Into Groups of and Threshold are the values that define the summaries for this registered summary alert

  • Notifications field contains the email addresses to which the summary alert will be sent. Type one email address per line, without separators

  • Template Used for Notification opens a drop-down listing all alert templates that can be used for notification

  • On/Off selector specifies whether the summary alert is active

Press Submit to save changes and return to the Registered Summary Alerts page.

In the page's Actions list, the possible actions are:


  • New Registered Summary Alert option allows you to create a new summary alert

  • New Alert Template option allows you to create a new alert template

  • List Alert Templates option switches the current page to the Alert Templates page, listing all defined alert templates.

Creating a new registered summary alert

To create a new summary alert, select the New Registered Summary Alert option in any of the pages detailed above. The New Summary Alert page opens; its settings are similar to the Edit Summary Alert page options described above:

  • In the Name field, enter a unique name for the new summary alert

  • In the Report drop-down list, select the report for which the summary alert will be generated

  • In the Security Score and Security Level fields, enter the baseline value for the summary alert's security threat. If you are unsure which value to use, 50 (and 5, respectively) is recommended in most cases

  • In the SummaryOn Level n drop-downs, select the event fields you need to summarize on. At least Level 1 must have a value for the summary alert to function

  • Enter a Time value for the TimeInterval Unit (minutes, hours, days, weeks or months) over which the summary is created

  • Summary Type can be a count, sum or average; select accordingly

  • Select a value for the Split Into Groups of setting. The default is to split by days

  • Enter a Threshold value for this summary alert

  • In the Notifications field, enter the email addresses to which the summary alert will be sent, one address per line, without separators

  • Optionally, select a Template Used for Notification

  • On/Off selector specifies whether the summary alert is active

Press Submit to save changes and return to Registered Summary Alerts page.


Creating or editing an alert template

To create a new alert template, select the New Alert Template option in any of the pages detailed above. The New Alert Template page opens; its settings are similar to the Edit Alert Template page, which you can open from the Alert Templates list:

  • In Name field, enter a unique name for the new alert template

  • In Text field, type a descriptive text or insert an object

Press Submit to save changes and return to Alert Templates page.

Working with Alerts mode

You access Alerts mode by pressing the Alerts button in the top-left section of the Web Interface.

The module operation area is divided into two sections:

  • The Search and Filter section lets you control in detail what information is displayed in the alerts list

  • The Results section contains the actionable data listed according to your searches and filters.

Alerts Search and Filter section

This section lets you control what information is displayed in the alerts list.


The Search field filters the displayed information using free-text search. If the field is left empty, all events are displayed.

A complete guide to using the free-text search capabilities is included in this manual.

By pressing the items-per-page button you can set how many items are displayed per page. The default is 10 items, but you can increase this to 50 or 100 items.

When finished, press the apply button to apply your selections.

Other options available in the Search and Filter section:

  • Send to investigations option directs your selection to the Investigations module. It opens a new web browser tab with the Investigations interface, where the Filter data window is already populated with the filtering information you entered. Press the Filter data button to extract data based on your filters and display it in the Investigations interface.


  • Send to dashboards option directs your selection to the Dashboards module. It opens a new web browser tab with the Dashboards interface listing the filtered results.

  • Send to browser option directs your selection to the Browser module. It opens a new web browser tab with the Browser interface listing the filtered results.

The Search and Filter section includes options for setting the date and time interval for which you need information. This is very helpful when you need a quick look at compliance over a certain period of time.

The interface lets you set a specific start date and end date, and also provides quick date options (last hour, last day, last three days, last ten days, last 30 days, last 90 days). By default, the Alerts interface lists all alerts. Buttons below the Start Date and End Date fields let you quickly increase or decrease the time interval and choose the time reference to be used (local time, GMT, or event time).


Alerts Results section

This is the main display area for triggered alerts. All alerts are listed in chronological order, with the number of items per page being the one set in the Search and Filter options.


By pressing the settings button at the top of the Results section, you are taken to the Alerts page, where you can customize your real-time alerts. The Alerts page functionality is described in detail under Real time alerts customization.

You can act on selected alerts in the list from the options available at the bottom of the page:

  • From the Change to drop-down menu, you can change the alerts' status to New, Acknowledged or FalsePositive

  • Pressing the delete button deletes the selected alerts.

Any listed alert can be added to a new or existing case in the Case Management module by pressing the case button. Case management is described in the chapter Case Management Module.

Clicking the alert name in the Alert Name column opens the Alert Viewer pop-up window, where you can investigate the triggered alert in detail. The following are of interest for an investigation:

  • AlertSecurityLevel is the current security level calculated for the triggered alert, starting from the baseline defined in the alert definition

  • AlertSecurityScore is the current security score calculated for the triggered alert, starting from the baseline defined in the alert definition

  • The Assets tab lists all assets currently affected by this alert

  • The SrcIPs tab lists all network addresses currently affected by this alert

  • The Users tab lists all users currently affected by this alert


  • Pressing Alert Extra Info shows the unique ID of the alert and the correlation index responsible for triggering the alert and calculating its security level and score

  • Pressing Triggered Rules shows a short report listing the triggered rules from the alert definition. Pressing the report button for an entry in the list takes you to a full report detailing the associated events for that triggered rule.


Create a Logon alert scenario example

This scenario assumes setting up an alert for a specific user who has two failed logons within a 60-second interval.

Step 1:

Go to Settings > Alerts > Realtime

To add the new alert, press Create new alert definition button in the Alerts page.

Step 2:

Create the "Default - Audit policy change" alert definition with the following settings:

  • Name: Default - Audit policy change

  • Alert is active

  • Security score of 40

  • Security level of 5

Step 3:

Define a new rule with the following settings:

  • Description: Audit policy change events

  • EventID: 4670

Step 4:

Save the alert definition.

The new definition appears in the Alerts page.

Step 5:

All alerts are generated in real time when the defined conditions are met, and are displayed as events in the Alerts mode interface. In this example, the alert was generated by collecting an event with ID 4670 (Audit policy change) from the Windows Security Log.

Configuring a Logon summary alert scenario example

The alerting scenario is to notify the security officer if a user fails to authenticate more than 50 times in a day.

Step 1:

Create a report containing the alert definition (a report that shows all filtered events, in this case "An account failed to log on"). Once executed, the report finds all events matching the report definition and sends a notification with relevant information such as network address, username, date and time. To achieve this:

  • Open the Browser module

  • Search for "EventID:4625", the Windows event ID for "An account failed to log on". Press Filter data to show the matching events

  • Click Save and select the Save as New Report option

  • Type "An account failed to log on" in the Name and Description fields

  • By default, the newly created report is saved in the Custom reports folder of the Reports module

Step 2:

Create a new summary alert using the newly created report. Open Settings > Alerts > Summary and click the New Registered Summary Alert option.

Use the following settings:

  • The custom report name

  • A security score of 50 and a security level of 5

  • SummaryOn Level 1: UserName

  • SummaryOn Level 2: Computer

Step 3:

Check results.
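The summary computed in the scenario above, reproduced as an added example that is not CyberQuest code: constructed Windows Security Log events are filtered to EventID 4625, grouped on UserName (SummaryOn Level 1) and Computer (Level 2), split into day buckets and counted, and groups whose count exceeds the threshold of 50 failed logons per day are reported. The event shape and the option names are assumptions made for illustration.

```javascript
// Added example, not CyberQuest code. Event shape and option names are
// assumptions; the sample events are constructed.

// events: [{ EventID, UserName, Computer, LocalTime: ISO-8601 string }]
// opts: { eventId, levels: [field, ...], threshold }
// Returns one row per (levels..., day) group, highest count first.
function summarize(events, opts) {
  const groups = new Map();
  for (const e of events) {
    if (e.EventID !== opts.eventId) continue;          // only the report's events
    const day = e.LocalTime.slice(0, 10);              // ISO date = daily bucket
    const key = opts.levels.map(f => e[f]).join(' / ') + ' @ ' + day;
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  return [...groups.entries()]
    .map(([key, count]) => ({ key, count, exceeds: count > opts.threshold }))
    .sort((a, b) => b.count - a.count);
}

// Constructed sample: 55 failures for jdoe on WS01, 3 for asmith on WS02,
// and one successful logon (4624) that must be ignored, all on the same day.
function sampleEvents() {
  const events = [];
  const base = Date.parse('2024-03-01T07:00:00Z');
  for (let i = 0; i < 55; i++) {
    events.push({ EventID: 4625, UserName: 'jdoe', Computer: 'WS01',
                  LocalTime: new Date(base + i * 60000).toISOString() });
  }
  for (let i = 0; i < 3; i++) {
    events.push({ EventID: 4625, UserName: 'asmith', Computer: 'WS02',
                  LocalTime: new Date(base + i * 60000).toISOString() });
  }
  events.push({ EventID: 4624, UserName: 'jdoe', Computer: 'WS01',
                LocalTime: new Date(base + 3600000).toISOString() });
  return events;
}

const SUMMARY_OPTIONS = { eventId: 4625, levels: ['UserName', 'Computer'], threshold: 50 };

// The groups that would trigger the summary alert for the sample day
function exceeded() {
  return summarize(sampleEvents(), SUMMARY_OPTIONS).filter(g => g.exceeds);
}
```

Adding Computer as Level 2 keeps one user's failures on two workstations in separate groups; if you want the threshold to apply to the user regardless of where the failures happened, summarize on UserName only.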

Reports Module

Introduction to Reports module

You access the Reports module by pressing the Reports button in the top-left section of the Web Interface.

In addition to opening the Reports module and acting on the included reports as explained in this chapter, the Web Interface provides a quick search for the desired report. To search for a report, type its name, or part of it, in the Search reports box at the top-right corner of the interface.

Typing creates a dynamic drop-down list of matching reports. Selecting a report in the list takes you directly to that report's details in the Reports module.

The module facilitates scheduled and ad hoc reporting, all at once or granularly, to give a complete compliance and operational summary of IT. The module interface lets users view only those reports for which they are authorized. Using a simple, web-based interface, you can quickly access the tool's predefined and customizable reports and begin gaining value.

CyberQuest built-in reports are designed to ensure compliance with the following standards:

  • COBIT (Control Objectives for Information and Related Technology)

  • FISMA (Federal Information Security Management Act)

  • GDPR (General Data Protection Regulation)

  • HIPAA (Health Insurance Portability and Accountability Act)

  • ISO 27001 (Information Security Standard)

  • PCI DSS (Payment Card Industry Data Security Standard)

  • SOX (Sarbanes-Oxley Act)

CyberQuest provides a technological grouping and a compliance grouping of the included reports. The report tree is structured as follows:

  • Any of the technology folders presents summarized and detailed reports for that technology, designed to assist an operator reporting on compliance issues

  • The Best Practices folder presents the most used summarized and detailed reports described in technology best practices

  • The Compliance folder presents all reports mapped to the included compliance standards, with the addressed compliance requirements listed accordingly

  • The Custom Reports folder gives access to reports not included by default with CyberQuest


You can always create a new folder in the structure by pressing the new folder button. The folder is created at the same level as the folder you are currently browsing.

You can also import a report definition from an external CQO file, CyberQuest's proprietary format, by pressing the import button.

Working with Reports module

The Reports module interface is divided into two sections:

  • The Reports and schedules section lets you navigate the reports folder structure and select the report you want to act on, as well as create, edit and delete report schedules

  • The Report detail section lets you edit, delete and execute a selected report.

Report detail window

When you select a report from the reports list, a report detail window appears on the right, allowing you to edit, delete or execute the selected report.


The detail window includes the following elements:

  • Report title and description in the top-left corner show the full path and name of the selected report, and the report description

  • The Hide/expand button on the top-right hides or displays the report execution options

  • The Edit button in the top-right corner edits the selected report

  • The Delete button next to it deletes the selected report

  • Report execution options let you execute a report filtered as needed

Executing reports

To execute a report, make sure execution options are displayed.

Execution options let you control in detail what data is included in the report:

  • You can set a specific Start Date and End Date for the reported data

  • By pressing the Items on page drill-down, you can select 100, 50 or 10 items to be displayed on each page.

  • If you check the Time interval box, you can choose, for each day in your selection, which time interval is reported on.

  • Note the time reference on the right (local time, GMT, or event time). Depending on the selected option, the time values in the reported data change accordingly

  • The Filter Data text box lets you filter which information is included in the report, based on the free-text searches entered here. The text box behaves like the Search field in the Dashboards, Browser and Investigations modules and supports the same syntax.

  • The drill-down below the Filter Data text box lets you select which event fields are added to the report. By default, the report includes only Computer, Description, Destination IP and LocalTime as report columns. Check or uncheck any other field you consider necessary.

You can schedule the report to be executed with the selected options. To do so, press the schedule button in the details window. The Add/Edit schedule pop-up window opens:

  • In the Name field, enter a representative name for your scheduled report or leave the default

  • The Report drop-down list is pre-populated with the source report. You can change the report to be executed here

  • The Filter Data text box includes the filtering query entered in the main Report detail window. You can edit it as needed

  • In the Schedule Type drop-down list, choose between Daily, Weekly or Monthly. The selection options change accordingly

  • In the Hour field, choose the hour at which you want the report executed

  • In the Email addresses text box, enter the email addresses of your intended recipients, one per line, with no punctuation separators. The scheduling engine places no limit on the number of recipients.


Press the Submit button to create the schedule, or Close to cancel and return to the main interface.

In the main interface, press the execute button to execute the report. Execution time depends on the query complexity, the volume of data to be searched and the number of items to be displayed. A simple search lists any volume in a matter of seconds.

You can hide or expand the report results with the button at the bottom of the execution options.


All report results are dynamic and let an operator further extend the scope of the reporting action.

Clicking a report field other than Description opens a persistent pop-up menu that lets the user:


  • Create a new search in the Dashboards, Investigations or Browser module for all events with the specified field value. The module opens in a new browser tab

  • Create a new alert in the Alerts module for all events with the specified field value. The module opens in a new browser tab

  • Further filter the report by listing only the selected data. The search in the Filter Data text box changes accordingly

  • Further filter the report by excluding the selected data from the list. The search in the Filter Data text box changes accordingly

Clicking the expand button in the Description field expands the event, showing full details and an explanation of the event's meaning. The explanation comes from an internal knowledge base and is only available for documented Event IDs.

Similarly, a user can click any of the values in the expanded Description field to further extend the scope of the reporting action.

Hide the expanded information by clicking the collapse button.


Clicking the export button for an event in the list instantly exports the event in JSON format.

Managing report schedules

When you select Schedules in the Reports and schedules section of the Reports module interface, a list of all defined report schedules is presented.


You can edit or delete any of the schedules listed here. You can also create a new schedule by pressing the New Schedule button.

Adding a new schedule or editing an existing one opens the Add/Edit schedule pop-up window described above.

Editing reports

To edit a selected report, press the Edit button in the top-right corner of the Reports interface. The Edit Report pop-up window opens:

  • In the Name field, change the report name or leave the default

  • The Parent drop-down list lets you move the report to a different folder in the reports structure

  • In the Description field, change the provided description or leave the default


Press the Submit button to save your changes, or Close to cancel and return to the main interface.

Deleting reports

To delete a selected report, press the Delete button in the top-right corner of the Reports interface.

A confirmation window asks you to press OK to delete the report, or Cancel to abort and return to the main interface.

Report execution scenario example

Step 1:

Access the Reports module from Web Interface.

Step 2:

Navigate to the Windows reports folder and select the Windows All user activities report.

Step 3:

Select a start and end date for your report.

Step 4:

In the additional filter field, both simple and complex filters can be built with the logical operators AND, OR and NOT. For example, to restrict the search to certain users and a category (e.g. Logoff), a complex filter can be created like this:

(UserName:DC01$) AND (Category:File System)

Step 5:

The search results are displayed in the bottom part of the web page in ascending chronological order; for details on an event, click the respective field. The result display area shows the number of pages over which the results are spread, the total number of results ("Total results") and the current page.

Case Management Module

Working with Case Management module

Nextgen CyberQuest provides a case management module designed to help organizations and users create and track workflows in order to quickly address incidents. Every case has an owner and can be assigned collaborators to enhance the decision-making process and streamline case resolution. The module also allows adding all existing evidence based on the event or alert that led to the creation of the case.

You access the Case Management module by selecting the Case Management option from the Users menu in the Web Interface.

The user is presented with the Case Management - My Cases page, which allows managing existing cases and opening a new case, as needed:


  • To open a new case, select the New Case option in the Actions menu

  • To view all cases owned by the authenticated user, select My Cases

  • To list cases the authenticated user has permission to access, select from the Status drop-down menu:

      • All lists all cases regardless of their status

      • New lists all newly opened cases

      • Open lists all open cases

      • Solved lists all cases marked as solved

      • Closed lists all closed cases

      • Archived lists all cases that were archived

  • To search for a case, use the Search box at the bottom of the Actions menu.

Listing cases presents a list of cases to the right of the Actions menu, in chronological order with the most recently created case at the top.


Press the view button to obtain a quick view of a listed case. The Case page opens, where you can see information such as:

  • Case name, description, status and current owner

  • The case timeline, presenting all activity performed in this case; each activity records who added what to the case, and when.


  • Pressing the evidence button shows the full evidence that was added to the case

  • Pressing the details button shows the full details of the event that was presented as evidence in the case

At any time, you can use the quick options in the Actions menu to edit or delete the case, or to create a new case.


Press the edit button to edit the case. Below is a short description of each setting in the Edit Case page that opens:

  • In the Name field, change the case title or leave it unchanged

  • In the Collaborators drop-down list, select the users who will have permission to contribute to the case

  • In the Status drop-down, change the status of your case. Possible statuses are new, open, solved, closed and archived.

  • Add new evidence to your case. You can add any external file you consider relevant.

Press the save button to save changes and return to the main page.

Create a new case

To create a new case, select the New Case option in the Actions menu from any page of the Case Management module. The Add Case page opens, similar to the Edit Case page described above. Observations:

  • Enter a relevant name and description for your case. Best practice is to use a coding standard for the Name field, and use the Description to tell your collaborators what the name refers to

  • The default case status is New. We recommend having an internal procedure for when a case is moved from New to Open, Solved / Closed and when it is archived

  • Define a list of case types for your organization. Case types are relevant for historical sorting of information

Adding events/alerts to a case

Case management is deeply integrated into all of CyberQuest's investigation modules. Wherever a Case Management action menu can be opened, or an entry is presented with a case action button, that reference can be added as evidence to an existing case, or a new case can be created starting from that evidence.

Adding an event to a case can be done from the Investigations and Browser modules:

  • To add an event from the Investigations module, select the desired event in the Investigations interface and press the case button. This opens a Case Management quick action menu that lets you add the event to an existing case or create a new case from scratch.


  • To add an event from the Browser module, press the case button for the desired event in the list and choose either the Create Investigation case or the Add to Existing investigation option.


Adding an alert to a case can be done from the Alerts module. To add an alert, press the case button. This opens a Case Management quick action menu that lets you add the alert to an existing case or create a new case from scratch.
