Dashboards Module
CYBERQUEST Dashboards
A CYBERQUEST dashboard is a graphical representation of events (either circular or histograms). Dashboards are accessed from the Dashboards module interface, which opens when you first log in to the application, or at any time by pressing the "Dashboards" button in the top-left section of the Web Interface.
Working with Dashboards module
After you log in to the application, the Web Interface directs you to the Dashboards module. The module provides a visual, real-time representation of all data contained in the online repository. This data is correlated and graphically presented to give you meaningful context on the entire organization's compliance.
The module operation area is divided into two sections:
- Search and Filter section allows you to granularly control what information is displayed in dashboards
- Dashboards section contains the dashgroups configured for the logged in user
Search and Filter section
This section allows you to control what information is displayed in dashboards, and to define additional filters and combination methods for the searched data in a specified date and time interval.
1) The Search field lets you filter the displayed information using free text capabilities. If nothing is entered in the field box, all events are displayed. A similar search field is available in the Browser module. A complete guide to using free text capabilities is included in this manual: Using Searches
2) You can specify additional filters using Filtering options. By default, nothing is selected. The Additional filters drop-down list presents a large collection of pre-defined filters sorted by technology. You can select one or multiple filters. In Filtering Options, you also need to select the logical method for combining the selected filters in the Combining method drop-down list. The available options are the AND and OR logical operators. Please note that the operator you choose applies to all selected filters.
When finished, press button to apply your selections.
Other options available in Search and Filter section:
- Send to investigations option will direct your selection to Investigations module. The option opens a new web browser tab to Investigations interface. You are presented with Filter data window that is now populated with filtering information you already entered. Press button to command data extraction based on your filters and display in Investigations interface.
- Send to browser option will direct your selection to Browser module. The option opens a new web browser tab to Browser interface listing filtered results.
- Send to alerts option will direct your selection to Alerts module. The option opens a new web browser tab to Alerts interface listing filtered results.
You can also choose to save your current filters selection at any time. By pressing button you are presented with three options for making your filters selection permanent:
- Save as New Dashboard option opens Save as New Dashboard window which allows you to create a new dashboard. The following must be specified:
  - A convention-based name for the new dashboard. This name will show in dashboard lists
  - A descriptive friendly name for the new dashboard. This name will be displayed in Dashboards interface
  - A descriptive text detailing the information that will be presented in the new dashboard
  - The field by which graph will be built
  - Graphic type (barchart, pie, gauge etc.)
- Save as New Report option opens Save as New Report window which allows you to create a new report. You will need to add a report name and description before saving
- Save as New Filter option opens Save as New Filter window which allows you to create a new filter. You will need to add a filter name and description before saving
Search and Filter section includes options for setting the date and time interval for which you need information. This feature is very helpful when you need a quick look at compliance over a certain period of time.
The interface allows you to set a specific start date and end date, and also provides quick options for the date (last hour, last day, last three days, last ten days, last 30 days, last 90 days). By default, the Dashboards interface displays the last hour of data. Buttons below the Start Date and End Date fields allow you to quickly increase or decrease the time interval, and to specify the time reference to be considered (GMT, LocalTime, ReceivedTime, Now, AutoRefresh, Time Interval and Not in this time interval):
- GMT - is the time reference which converts your search time into GMT (Greenwich Mean Time Zone).
- LocalTime - is the time reference when an event occurred.
- ReceivedTime - is the time reference when the events arrived at the CYBERQUEST machine.
- Now - automatically updates the end date with the current time.
- AutoRefresh - refreshes the page every 10 seconds.
- Time Interval - the search is made from Start Time to End Time interval
- Not in this time interval - the search outputs the events that are NOT between Start Time and End Time
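The combining method and time reference rules described in this section, modelled as an added Python example (it is not CYBERQUEST code). The events, the filter names and every field name other than EventID are constructed; the search parser handles only the Field:"value" form, and combining the search text with the selected filters by AND is an assumption.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 10, 12, 0)  # constructed reference time
# Constructed events; every field name except EventID is hypothetical.
EVENTS = [
    {"id": 1, "EventID": "56789", "User": "alice", "Source": "fw",
     "LocalTime": NOW - timedelta(minutes=10),
     "ReceivedTime": NOW - timedelta(minutes=9)},
    {"id": 2, "EventID": "4624", "User": "bob", "Source": "ad",
     "LocalTime": NOW - timedelta(minutes=30),
     "ReceivedTime": NOW - timedelta(minutes=29)},
    # Occurred five hours ago but delivered late: the time references disagree.
    {"id": 3, "EventID": "56789", "User": "bob", "Source": "ad",
     "LocalTime": NOW - timedelta(hours=5),
     "ReceivedTime": NOW - timedelta(minutes=5)},
]

# Stand-ins for pre-defined filters (hypothetical names and predicates).
FILTERS = {
    "user_bob": lambda e: e["User"] == "bob",
    "source_ad": lambda e: e["Source"] == "ad",
    "source_fw": lambda e: e["Source"] == "fw",
}

def matches_search(event, query):
    """Empty search shows every event; only Field:"value" is modelled."""
    if not query.strip():
        return True
    field, _, value = query.partition(":")
    return str(event.get(field.strip())) == value.strip().strip('"')

def select(events, start, end, query="", filters=(), method="AND",
           reference="LocalTime", exclude_interval=False):
    """Return the ids of events shown for one Search and Filter selection."""
    combine = all if method == "AND" else any  # one operator for all filters
    shown = []
    for e in events:
        in_window = start <= e[reference] <= end
        if in_window == exclude_interval:  # "Not in this time interval" inverts
            continue
        if not matches_search(e, query):
            continue
        if filters and not combine(FILTERS[name](e) for name in filters):
            continue
        shown.append(e["id"])
    return shown

LAST_HOUR = dict(start=NOW - timedelta(hours=1), end=NOW)  # the default view
```

In this model the late-delivered event 3 is missing from the default last-hour view under LocalTime and appears under ReceivedTime, and because one operator covers every selected filter, an expression such as (A AND B) OR C cannot be built from the filter list alone.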
Dashboards section
This is the main display area for user dashboards. A logged in user will be presented with actionable dashgroups that are set for his profile. By clicking on a dashgroup, the user will be able to display dashboards that are included in that dashgroup.
Possible actions are:
- Select -- By clicking on a dashgroup, the user will be able to display dashboards that are included in that dashgroup. For a selected dashgroup you get the possibility to quickly add or edit a dashboard in that dashgroup
- Add dashgroup -- By pressing the button at the end of dashgroups row, you can quickly create a new dashgroup in your profile and then populate it with dashboards by pressing button.
- Export dashgroup -- This option allows you to export events from Dashgroups, over a period of time using a filter in Search Field. To see how to export data from Dashgroup, please follow the link: How to export data from dashgroup.
- Delete dashgroup -- Each dashgroup selector has a remove button in top-right corner, which becomes visible on mouse over action. Pressing the button permanently deletes the selected dashgroup. The action does not delete the dashboards linked to dashgroup, which can then be added again to a new dashgroup.
When clicking on a dashgroup, included dashboards are listed in Dashboards interface. For all dashboards displayed, the following actions become visible on mouse over:
- On top-right corner of the dashboard you will find a set of quick-action buttons:
  - Maximize/Minimize -- Allows for expanding the dashboard to fit the entire display area, or shrinking it back to its original position
  - Export to CSV -- Saves a CSV file containing events graphically displayed in dashboard. The list of exported events matches the number set in Max. no. of items drop-down selection
  - Export Dashboard Object -- Creates an export of dashboard's definition in proprietary format
  - Graph selection -- Opens a drop-down list of graphical formats available for dashboards, allowing you to quickly change the graphical display format for that dashboard. Changing the display format here does not change the dashboard definition and the change will be reverted on the next load.
  - Edit dashboard -- Allows you to edit and permanently change the dashboard definition.
- Max. no. of items option allows you to change the max number of entries that are displayed in dashboard. Since the purpose of Dashboard interface is to provide a quick glance of monitored environment in real-time, the maximum number of events that can be displayed is limited.
- A show/hide button allows you to either show or hide the items list from view. The number of listed items depends on Max. no. of items set for that dashboard.
Types of dashboards
Dashboards are divided into different categories. The most representative are:
- Event related charts
- Network related charts
- Active Directory related charts
- Alerts related charts
Event related charts
Represent the dashboards built on events collected from various sources. Below are the most commonly used:
- Gauge chart in reference to the top events categories
- Pie chart in reference to event sources
- Two-Level Pie chart in reference to event ID
- The Barchart in reference to the computer that generated the event
- AreaChart in reference to the proportion between logons and logoffs
- LineChart about the distribution of events over a selected time interval
- BrushBarChart in reference to top events types
- RadarChart shows the classification of events by category
- WorldMap shows the events grouped by SrcIPGeoCountry
- WorldMapCities shows the events by SrcIPGeocity
Network related charts
Represent the dashboards built on flow collected from NetFlow or other type of network flow sources. Below are the most commonly used:
- Two-Level Pie chart in reference to Top IP addresses found in logs
- Gauge chart in reference to internal IP addresses identified in events
- BarChart in reference to external IP addresses identified in events
- BrushBarChart shows the Top Internal Destination IP Addresses from events
- AreaChart shows the Top extDestination IP Addresses from events
Active Directory (or other) related charts
Represent the dashboards built on additional information collected from Windows Active Directory and other sources of information using a correlation between events and WMI, SNMP or other type of network flow sources. Below are the most commonly used:
- Pie in reference to Last Change - Active Directory Events by Last Change
- Two-Level Pie chart in reference to User Name
- Line Chart in reference to Pass Never Expire
- Gauge chart in reference to Active Directory events by Last Logon
Alerts related charts
Represent the dashboards built on alerts collected from various sources. Below are the most commonly used:
- Barchart shows the Alerts by Computers
- BrushBar Chart shows the Alerts by DataSources
- TwoLevelPie Chart shows the Alerts by name
- Gauge shows the Alerts by Users
- WorldMap shows the Alerts by Countries
- WorldMap Cities shows the Alerts by Cities
How to create a new dashboard, dashgroup and view data
A CYBERQUEST dashboard is a graphical representation of events (either circular or histograms). Dashboards are accessed from the Dashboards module interface, which opens when you first log in to the application, or at any time by pressing the "Dashboards" button in the top-left section of the Web Interface.
How to create a new dashboard
Authentication
To access Web Interface, open a web browser and type the application's address or DNS name. The default address initially assigned to Web Interface is https://CyberquestIPAddress (example).
The browser automatically redirects you to CYBERQUEST's authentication page:
Navigate to dashboards page
Navigate to the “Dashboards” page. Create a filtering rule; in this case we filter the self-audit events using the desired filtering rule (e.g. EventID:"56789"). Save it as a dashboard by clicking on “SAVE OPTIONS” > "Save as New Dashboard".
Complete the form
Complete the form with the appropriate information and press the "Save" button:
- Name: The name of the new dashboard.
- Friendly Name: A descriptive friendly name for the new dashboard. This name will be displayed in Dashboards interface.
- Text: A descriptive text detailing the information that will be presented in the new dashboard.
- Choose Field: The field by which the dashboard is aggregated.
- How many records: Number of events.
- Data Filter: The filter on which this dashboard is based.
- Choose Chart Type: Choose dashboard type.
How to create a new dashgroup
This is the main display area for user dashboards. A logged in user will be presented with actionable dashgroups that are set for his profile. By clicking on a dashgroup, the user will be able to display dashboards that are included in that dashgroup. Follow these steps to create a new dashgroup:
Add dashgroup
Navigate to the “Dashboards” page and press the "ADD DASHGROUP" button or the plus button.
Complete the form
Complete the form with the appropriate information and press the "Save" button:
- Dashgroup name: The name of the dashgroup.
- Select dashgroup preset: You can choose from a list of already created dashgroups.
- Select active dashgroup items: Select active dashgroup items from a list.
How to view data from a dashboard
What we created earlier can be viewed on the "Dashboards" page.
In this dashboard you will find a set of quick action buttons:
- Maximize/Minimize -- Allows for expanding the dashboard to fit the entire display area, or shrinking it back to its original position
- Export to CSV -- Saves a CSV file containing events graphically displayed in dashboard. The list of exported events matches the number set in Max. no. of items drop-down selection
- Export Dashboard Object -- Creates an export of dashboard's definition in proprietary format
- Graph selection -- Opens a drop-down list of graphical formats available for dashboards, allowing you to quickly change the graphical display format for that dashboard. Changing the display format here does not change the dashboard definition and the change will be reverted on the next load
- Edit dashboard -- Allows you to edit and permanently change the dashboard definition
- Show items option allows you to change the max number of entries that are displayed in dashboard. Since the purpose of Dashboard interface is to provide a quick glance of monitored environment in real-time, the maximum number of events that can be displayed is limited
- A show/hide button allows you to either show or hide the items list from view. The number of listed items depends on Max. no. of items set for that dashboard
How to export data from dashgroup
When you export data from dashgroups you can download a graphical report based on aggregated events or alerts.
The data can be exported as follows:
Authentication
To access Web Interface, open a web browser and type the application's address or DNS name. The default address initially assigned to Web Interface is https://CyberquestIPAddress (example).
The browser automatically redirects you to CYBERQUEST's authentication page:
Navigate to Dashboards
- Navigate to the “Dashboards” page and select the time interval.
- Choose the dashgroup that you want to export (for example Events, Network, Alerts etc.) or create your own dashgroup.
- You can also export a dashgroup with a filter, using the search field and additional filters (for a specific EventID, UserName, Computer etc.).
After that, press the Export button:
Export the Dashgroups
Start the export by pressing the "Start export" button, or close the export by pressing the "Close" button.
After the export is completed, press the "Download file" button to save the desired information on the local machine. The report is in PDF format.
Examples of a downloaded graphical dashgroup report: