Management
Managing dashboards
The Dashboards page allows you to granularly configure the appearance and behaviour of dashboards in the Dashboards module. To access the page, go to Settings > Management > Dashboards. All objects in your CYBERQUEST instance are listed here.
Dashboards can be exported and imported, edited, or deleted.
To create a dashboard, press the corresponding button. The Save Dashboard window opens, allowing you to configure the dashboard.
Press "Save" to save your changes and close the window, or "Cancel" to close the window without saving.
Managing filters
The Filters page allows you to modify predefined filters or create new ones. To access the page, go to Settings > Management > Filters.
To edit an existing filter, press the corresponding button; to create a new one, select the corresponding entry in the Action menu. The Edit Filter configuration page opens.
All predefined filters have queries built on compliance standards. Editing these usually requires advanced knowledge of query building. As a general recommendation, always create a new filter based on an existing one and test it before introducing it to production.
When you have finished creating or editing the filter, press the "Save" button to save your changes.
Managing objects
The Objects Management page allows you to modify predefined objects or create new ones. To access the page, go to Settings > Management > Objects.
Anything can be an object: users, computers, IP addresses, an IP address range, network equipment and so on. Most objects are created automatically. For example, when logging in with a new Windows domain account, the corresponding object is also created.
New objects can also be created manually or by importing them from a CSV file. Once added to the system, they can be edited by pressing the corresponding button. The list of editable attributes is limited (name, value, corresponding object list). Their role in the platform is to provide the needed display consistency in lists, making it easier for an administrator to correctly identify the target of their investigations.
Agent Manager
The Agent Manager page allows you to register a new agent and to download the Windows agent for manual deployment. To access this page, go to Settings > Management > Agent Manager.
- Edit agent settings: allows you to edit the agent configuration.
- Set status manually deploy and not deployed: allows you to set the agent status to one of two options: Manually deploy or Not deployed.
- Start agent service: starts the CYBERQUEST agent on the target machine.
- Stop agent service: stops the CYBERQUEST agent on the target machine.
- Uninstall service: uninstalls the agent service.
The "Register new agent" button is used to deploy the CYBERQUEST agent on Windows or Linux operating systems.
For more details on how to register a new agent, follow the link: Collecting with CQ Windows agent.
Download windows agent: downloads the latest version of the CYBERQUEST agent. The file is downloaded as “AgentSetup.msi”, and the agent must be installed on a Windows target machine.
For more details on how to manually deploy the agent, follow the link: How to manually deploy the agent
Data Source Manager
The Data Source Manager page allows you to add data sources. To access this page, go to Settings > Management > Data Sources Manager. All data sources in your CYBERQUEST instance are listed here.
- Bulk Clone: clones the current data source settings for each element of the “Bulk Clone” field;
- Clone: clones the data source;
- Edit: edits the data source;
- Delete: deletes the data source.
To add a new data source, press the corresponding button. A window will open allowing you to select the desired data source from a predefined list.
Complete the form below and press the "Save" button to save changes, or the "Cancel" button to close the window without saving.
The "Select datasource" button reveals a menu with the following buttons:
- Assign Agent: You can assign multiple agents to data sources. Select the desired data sources using the checkbox on the left, press the "Assign Agent" button and select the desired agent that will collect data and send it to CYBERQUEST.
- Unassign Agents: Unassign the agent or agents for multiple data sources. Select the desired data sources using the checkbox on the left and click the "Unassign Agents" button, which stops data collection from the selected data sources.
- Bulk delete: Delete multiple data sources. Select the desired data sources using the checkbox on the left and click the “Bulk delete” button.
- Close selection: Close the menu.
To see how to add and collect data from different types of data sources, follow these links:
- How to collect data on Windows System Log
- How to connect to CQ Threat Intelligence
- How to connect to Active Directory
Credential Manager
Credential Manager allows you to create sets of credentials that are used for collecting data. The Windows agent needs an account with administrative rights to collect data. To access this page, go to Settings > Management > Credential Manager.
On this page you can add, edit, or delete access credentials for collection agents.
To edit the credentials, press the corresponding button. This process is almost identical to adding credentials.
You can also delete the credentials by pressing the corresponding button.
To create credentials, press the corresponding button and complete the form:
Name: The name given to the credentials. More than one set of credentials can be created.
Username/Email: The username or email.
Password: The password.
Confirmation Password: The password again, for confirmation.
Domain: The domain name, when a domain user is used.
Notes: Details about the credentials.
Click the "Save" button to confirm the creation of your credentials, or cancel by pressing the "Cancel" button.
Vulnerability Manager
The Vulnerability Assessment Module is provided through integration with OpenVAS (https://www.openvas.org/), a full-featured vulnerability scanner.
The scanner obtains the tests for detecting vulnerabilities from a feed that has a long history and daily updates. For more information about the Vulnerability Manager function, follow the link: Vulnerability Manager.
Tag Alias
Tag Alias is a function that allows parsing events using a parser other than the original one given by the data server.
To see more information about this function, please follow the link: Tag Alias