Introduction

About CYBERQUEST

CYBERQUEST is an innovative Big Data Security Analytics Platform designed to provide total auditing and security coverage for your enterprise network. We have built CYBERQUEST to function as an agile, scalable business platform that intelligently collects and correlates data in the organization's IT infrastructure and works with it to address any type of present or future threat that the business can go through.

CYBERQUEST can be scaled to any organization specific and size, and easily integrates with all security solutions on the market, nomatter of their classification. CYBERQUEST is a true aggregator of security data coming from either security information and event management software, firewalls, intrusion prevention and detection platforms, or email security and endpoint security solutions. In addition, CYBERQUEST can collect, correlate and provide useful insights on heterogeneous data generated by network equipment, servers, databases and applications, which makes it an operational management tool for your administrative and security teams.

Core Capabilities:

Collect: gather all security and relevant data sources from your IT infrastructure;
Correlate: add threat intelligence security data for offline or online correlation;
Detect: quickly identify the most significant threats to your network;
Visualize: monitor accurately within a single point of access and get specific alerts;
Respond: Security Orchestration, Automation, and Response (SOAR features) capabilities are embedded in the solution;
Vulnerability assessment: with OpenVAS integration.

CYBERQUEST aggregates and monitors all activity taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who, what, where, when, why made a change, and then turn that information into intelligent, in-depth forensics enhanced with additional data from the entire environment, make that information available for auditors and security officers and reduce the risks associated with day-to-day modifications.

Access Web Interface

Web Interface is a consolidated web frontend hosting all administration and operation functionalities of CYBERQUEST. The web interface is compatible with all major browsers on the market.

To access Web Interface, open a web browser and type the application's address or DNS name. The default address initially assigned to Web Interface is https://CyberquestIPAddress (example).

The browser automatically redirects you to CYBERQUEST's authentication page:

Alt Image

Authentication

User authentication

Authentication can be accomplished in one of two ways:

Using a local user defined in the application;
Using a company's Active Directory user. This facility allows authentication with Active Directory credentials when LDAP integration has been configured within application. The user must belong to one of two Active Directory security groups: "CYBERQUEST Administrators" or "CYBERQUEST Users".

Type the default username and password, then select the interface language.

Alt Image

You will be prompted with a default message about accessing restricted information. This message is fully customizable.

Alt Image

Accept the responsibility by clicking the button Alt Image . Else and you will be redirected to the authentication page.

Alt Image The initial authentication is performed under the default administrative account. When authenticating as administrator, an additional confirmation box is displayed. This additional authentication step was introduced to notify on indiscriminatory access to the entire platform configuration and to require user confirmation of acknowledgement. Superadmin activity should be performed with maximum responsibility and knowledge of platform's administration. Wrongfully changing configuration, rules and retention policies can break access to analytics data, delete or damage objects, and more important, can cause permanently loss of history data.

Web Interface Overview

Once authenticated, CYBERQUEST Web Interface will open. By default, Dashboards module is displayed. Depending on each user's access permissions, the interface may differ. Below we are describing user experience and interface functionalities when authenticating as an administrator.

The Web Interface can be split in several areas:

Alt Image

Module Area

Alt Image

From top-left section of the Web Interface you can select the application module to be displayed in main operation area:

Dashboards is the default module that loads when first authenticating to application. It allows an operator to quickly view information contained in the online repository, and action on contained graphical objects
Reports is the reporting module proprietary to the application. It contains all predefined and custom reports for general use and also, reports defined for the authenticated operator
Investigations module (or mode) is intended to represent graphically the audit information from the application. This mode allows native correlation of data and connecting apparent relational events. This serves to create bonds between diverse events and fields/strings.
Browser module (or mode) is intended to display the log information present in the system.
Alerts module (or Alerting mode) manages alerts and alert correlations, and allows users to start full investigation processes from an initial point -- the base alert displayed in Main Operation Area.

By clicking on Alt Image logo displayed in the top-left corner of the Web Interface, you will be taken to the "home" screen that is displayed after logging in to application.

Main Operation Area

Main Operation Area is the place where people accessing the application can perform their activities. This area is specific to each accessed module (or mode) and options being available depend on user's assigned permissions. Depending on each module capabilities, Main Operation Area may contain per user personalized content -- like custom dashboards and reports.

Available content and options are detailed within each module chapter in Cyberquest 2.20 User's Guide.

Performance Area

Performance Area in the top-right side of the Web Interface maintains three indicators updated in real time:


	CPU -- displays CYBERQUEST Web Application Server current CPU load. Pointing on the color-filled part of the graph opens a tooltip with the actual value of current load
	Memory -- displays CYBERQUEST Web Application Server current Memory load. Pointing on the color-filled part of the graph opens a tooltip with the actual value of current load
	Disk -- displays CYBERQUEST Web Application Server current Disk load. Pointing on the color-filled part of the graph opens a tooltip with the actual value of current load

User Enabler Area

User Enabler Area in the top-right side of the Web Interface comprises three action buttons as follows:

Events

Press Alt Image button and will open a quick pop-up with statistical information on processed data. The following information is provided:

Alt Image

Total events – total number of events currently stored in the online repository
Last hour events – total number of events collected in the last hour
Last day events – total number of events collected in the last day
Total alerts – total number of alerts currently managed by the Application Server
Last hour alerts – total number of alerts raised in the last hour
Last day alerts – total number of alerts raised in the last day

User

Press Alt Image button and will open User drop-down menu containing the options described below:

Alt Image

Add two factor authentication with 2FA, you add an extra layer of security to your account
Change password option opens Change your password window, where currently logged in user can change his password.
Executed schedules option opens My Executed Schedules report listing all schedules executed by the currently logged in user
Case Management option opens Case Management module for the currently logged in user
Logout option logs out currently logged in user

Settings

Press Alt Image button will open Settings drop-down menu containing the options described below:

Alt Image

1) Users and Groups:

Users and Groups > Users
Users and Groups > Groups - are options allowing an administrator to view, add, edit or delete users and groups. Additional actions are available for users: change password, activate or inactivate, copy dashgroups to users.

Alt Image

2) Application Settings

Each of the Application Settings option opens Application Settings configuration page allowing an administrator to configure in detail the main CYBERQUEST settings. The page presents configuration capabilities for:

Alt Image

3) Event dictionary

Event dictionary option opens Event Definitions configuration page allowing an administrator to list all event definitions, add a new event definition or import a definition from an external file, or perform actions on existing event definitions. Possible actions are export, edit and delete.

Alt Image

4) Management

Alt Image

Management > Dashboards option opens Dashboards configuration page allowing an administrator to list all defined dashboards, import a definition from an external file, or perform actions on existing dashboards. Possible actions are edit and delete.
Management > Filters option opens Filters configuration page allowing an administrator to list all defined filters, add a new filter, or perform actions on existing ones. Possible actions are edit and delete.
Management > Objects option opens Object Management configuration page allowing an administrator to list objects or add a new object. Possible actions on listed objects are edit and delete.
Management > AgentManager option opens the Agent Manager configuration page allowing an administrator to register a new Windows agent. Possible actions are edit, deploy and delete.
Management > DataSourceManager option opens the Data Source Manager configuration page allowing an administrator to add a data source.
Management > CredentialManager option opens the Configured Credentials page allowing an administrator to add a new credential. Possible actions are edit and delete.
Management > VulnerabilityManager option opens the Vulnerability Manager page allowing an administrator to update the list of vulnerabilities.

5) Alerts

Alt Image

Alerts > Summary option opens the list of custom summary alerts in Alerts module, allowing an administrator to list alert templates, create a new alert template or create a new registered summary alert. Possible actions on listed summary alerts are activate/inactivate, edit and delete.
Alerts > Notification templates option opens Alert Templates configuration page, allowing an administrator to create a new alert template or action on listed alert templates. Possible actions are edit and delete.
Alerts > Realtime option opens the list of defined alerts in Alerts module, allowing an administrator to create a new alert definition or import alert from external file, and to perform actions on existing alert definitions. Possible actions are edit, export and delete.

6) Rules

Alt Image

Rules > Filter Rules option opens Filter Rules configuration page allowing an administrator to create a new filter rule, import a filter rule from an external file or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.
Rules > DTS Objects option opens DTS objects configuration page allowing an administrator to create and import a DTS object from an external file or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.
Rules > DA Rules option opens DA Rules configuration page allowing an administrator to create and import a data acquisition rule from an external file or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.

7) Jobs

Alt Image

Jobs > Jobs option opens Jobs configuration page allowing an administrator to create a new job or perform actions on existing ones. Possible actions are activate/inactivate, run, edit and delete.
Jobs > Jobs Executions option opens the list of job executions. You can delete a job execution and see the execution status for each listed job.

8) Data Storages option opens Data Storages configuration page allowing an administrator to create a new data storage or perform actions on existing ones. Possible actions are activate/inactivate, edit and delete.

Alt Image

9) Data source status option opens a report of all data sources and their status. The report allows for data sources to be deleted and alert time to be changed. Each data source is presented with a status. The page includes a search field and possibility to sort by any column. The report can be customized in terms of details included or excluded, and exported in CSV format.

Alt Image

10) Batch Fileds Checker

Alt Image

Batch Fields Checker option opens Batch Fields Checker window allowing you to upload a text file and execute batch checking. Result can be exported in CSV format.