15.2 Understand the Provided Widgets

The Dashboard ships with several widgets designed to help you manage your security operations. When you create or modify a dashboard, you can choose from the full set of widgets and configure them as needed.

The Dashboard provides the following out-of-the-box widgets:

15.2.1 Active List

Requires data collection from Intelligence and ESM for best effect.

To watch for suspicious activity associated with entities, add Active List widgets to your dashboard. When both ESM and Intelligence are installed, each widget displays the top five at-risk entities, based on the specified Active list, Field, and Entity type settings.

The available active lists correspond to active lists in ESM. For example, you might have watch lists for privileged or administrative users or for vulnerable hosts. If an active list entry matches an entity in Intelligence, the widget also shows the Intelligence risk score for that entry. However, if the Intelligence capability is not deployed, the widget cannot display risk scores and instead lists the entities in alphabetical order.

15.2.2 Case Breakdown

Requires data collection from ESM.

The Case Breakdown widget displays the number or percentage of cases by their Severity, Owners, or Owner Groups. The widget always shows data As of Now, regardless of the specified time range for the dashboard.

By default, the widget shows data for total open, assigned cases. The widget displays a maximum of six data points, which comprise the top five objects associated with the specified filter plus an Other object that combines the rest of the cases. For example, if you have seven case owners, the widget shows specific values for the five owners with the largest quantity of cases, then groups the total number of cases for the other two owners in the Other category.

You can change the widget’s properties to view cases in a different state, such as cases created by specific analysts. For example, SOC Manager Franz Tupper wants to view all cases created by his Level 1 analysts. He sets the filter to Assigned Owners, and in the sub-filters specifies Jin Stafford, Neve Marshall, Troy Leach, and Chole Gay as Owners. Then he selects Created as the state that he wants to analyze. The widget displays the quantity and percentage of cases created by each analyst. Because Franz has configured the dashboard to refresh automatically, he sees in real time when the analysts add new cases.

If you don’t specify an owner or owner group, the widget displays data for all cases.

15.2.3 Case Load

Requires data collection from ESM.

To help managers balance the amount of work assigned to each case owner, the Case Load widget provides several case management metrics:

  • Average number of cases each owner closes per week

  • Estimation of the time required to close all cases currently assigned to the owner based on the time elapsed since the cases were opened

  • Projection of the number of cases per severity that the owner might not be able to close, based on the configured target, the time elapsed since the cases were opened, and the average velocity of the owner. This assumes that owners work on cases in severity order, from highest to lowest.

By default, the widget shows the data for total open, assigned cases for the top three members of the group based on their average number of cases per week. You can filter the data by specific Owner Groups. The metrics are based on the specified time range and the target number of cases that you expect the owners to close per Severity.

For best use of this widget, we recommend that you create one Case Load widget per owner group. In this way, you will see details for members of the owner group.
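The three Case Load metrics above, worked through on constructed sample cases. This is an added illustration, not the Dashboard's own computation: the severity labels, the four-week velocity window, the horizon, and the rule that projected closures are allocated highest severity first and oldest first within a severity are all assumptions made here to show how the metrics relate.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed severity labels, walked highest first in the projection.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]
NOW = datetime(2024, 3, 1)  # constructed "as of" time

# Constructed sample cases: (owner, severity, opened, closed); closed is None while open.
CASES = [
    ("jin", "High", NOW - timedelta(days=20), NOW - timedelta(days=14)),
    ("jin", "Low", NOW - timedelta(days=19), NOW - timedelta(days=10)),
    ("jin", "Medium", NOW - timedelta(days=9), NOW - timedelta(days=2)),
    ("jin", "Critical", NOW - timedelta(days=12), None),
    ("jin", "High", NOW - timedelta(days=8), None),
    ("jin", "Medium", NOW - timedelta(days=6), None),
    ("jin", "Low", NOW - timedelta(days=30), None),
    ("jin", "Low", NOW - timedelta(days=3), None),
    ("neve", "High", NOW - timedelta(days=10), NOW - timedelta(days=1)),
    ("neve", "Low", NOW - timedelta(days=5), None),
]

def open_cases(cases, owner):
    """Owner's open cases as (severity rank, opened, severity), so sorting puts
    the highest severity first and, within a severity, the oldest case first."""
    return sorted((SEVERITY_ORDER.index(s), op, s)
                  for o, s, op, c in cases if o == owner and c is None)

def velocity(cases, owner, weeks):
    """Average cases the owner closed per week over the last `weeks` weeks."""
    start = NOW - timedelta(weeks=weeks)
    closed = sum(1 for o, _, _, c in cases if o == owner and c is not None and c >= start)
    return closed / weeks

def weeks_to_clear(cases, owner, weeks):
    """Estimated weeks to close everything currently open at the owner's velocity (inf if none)."""
    v = velocity(cases, owner, weeks)
    return len(open_cases(cases, owner)) / v if v else float("inf")

def projected_unclosed(cases, owner, weeks, horizon_weeks):
    """Open cases per severity the owner is not projected to close within the horizon,
    assuming they work highest severity first and oldest first within a severity."""
    capacity = int(velocity(cases, owner, weeks) * horizon_weeks)
    return Counter(s for _, _, s in open_cases(cases, owner)[capacity:])

def target_gap(cases, owner, weeks, horizon_weeks, target):
    """Per severity, how far projected closures fall short of the configured target."""
    unclosed = projected_unclosed(cases, owner, weeks, horizon_weeks)
    closing = Counter(s for _, _, s in open_cases(cases, owner)) - unclosed
    return {s: n - closing[s] for s, n in target.items() if n > closing[s]}

if __name__ == "__main__":
    for owner in ("jin", "neve"):
        print(owner, velocity(CASES, owner, 4), weeks_to_clear(CASES, owner, 4),
              dict(projected_unclosed(CASES, owner, 4, 2)))
```

With these samples, jin closes 0.75 cases per week, so the two open Low cases are projected to remain open after a four-week horizon even though the owner clears the higher severities first.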

15.2.4 Case Timeline

Requires data collection from ESM.

The Case Timeline widget shows changes in the volume of cases over a specified time range. By default, the widget filters the data according to the Severity category assigned in ESM. However, you can also choose to view trends for other case states, such as cases Closed by specific Owners or Owner Groups.

To observe the breakdown of cases associated with a specific date, you can hover over any location within the timeline. You can also zoom in to view a particular time range, either using the magnifier icons or by clicking and dragging within the graph.

15.2.5 Case Workflow Analysis

Requires data collection from ESM.

The Case Workflow Analysis widget helps you compare the current volume of cases per stage with how the cases transitioned among the stages. In the widget, the width of the lines indicates the average time cases have taken to move from stage to stage during the specified time range. The diameter of each circle, except for the Closed stage, represents the total number of cases currently at that stage, based on the last refresh of data from the source.

NOTE: The widget does not represent backward transitions, for example a case that moves from Final back to Follow-up during the specified time range.

By default, the widget shows data for total open, assigned cases. You can also choose to filter the data by Severity, Owners, or Owner Groups.

15.2.6 Database Event Ingestion Timeline

Requires that at least one deployed capability includes a database.

To help SOC managers and IT administrators monitor the rate of event ingestion into the database, use the Database Event Ingestion Timeline widget. Because events from different sources arrive at the database at different speeds, the moment when the database stores an event differs from when the event occurred. This widget measures when the database receives the event data.

15.2.7 Database Cluster Node Status

Requires that at least one deployed capability includes a database.

The Database Cluster Node Status widget helps SOC managers and IT administrators monitor the state of the nodes that host the database. This widget displays the state of each node in the database cluster. It also raises awareness that the number of nodes that are down can affect the resiliency of the database cluster. For example, if the database resiliency setting is 1, and two of three nodes go down, then the database might automatically shut down to protect itself.

Also, when nodes are down or recovering from a failure, you might experience data loss. The longer a node is offline, the longer it takes to recover, because it needs to acquire the data available in the rest of the cluster.

15.2.8 Database Storage Utilization

Requires that at least one deployed capability includes a database.

To help SOC managers and IT administrators ensure that disk use does not overload the database nodes, the Database Storage Utilization widget displays storage utilization data for up to five database nodes. In general, most administrators keep disk usage below 60 percent per node, thus ensuring space for the temporary activity required by some query execution operators.

If the database cluster has more than five nodes, you can specify the nodes with the least free space available. In this way, you can monitor the nodes at most risk of running out of space. For each node, you can compare the percentage and quantity of space used to the total amount. You can also monitor the throughput and latency of the database per second.

15.2.9 Entity Count Overview

Requires data collection from Intelligence.

To help identify users and entities currently at risk, the Entity Count Overview widget shows the number of entities by entity type that you monitor, then indicates which have high risk scores As of Now. You can select an entity to review its details.

15.2.10 Productivity

Requires data collection from ESM.

To help managers optimize analyst activity for the specified time range, the Productivity widget incorporates several elements related to SOC productivity:

Case Closure Velocity

Shows the current rate of case closure per week based on the target velocity for all owners and owner groups. For example, you might expect teams to close at least 5 cases per week. The dotted line in the graph represents the target.

The trend indicates whether the velocity falls short of or exceeds the target rate compared to the previous week. The velocity is based on when cases were created.

Highest Velocity

Represents the owner that currently has the fastest closure rate per week. You can also see the total number of cases assigned to the owner by severity.

The trend indicates whether the velocity falls short of or exceeds the target rate compared to the previous week. The velocity is based on when cases were assigned to the owner.

Productivity by Owner Groups

Lists the owner groups that currently have the highest average number of cases closed per week. It also identifies which owner in the group has the highest velocity.

You can observe the average number of cases closed and whether the rate is trending up or down. The colored bar indicates the volume of cases by severity.

By default, the widget displays data according to the specified time range.

15.2.11 Threat Analysis Funnel

Requires data collection from ESM.

The Threat Analysis Funnel gives the SOC Manager an overview of the volume of events in the specified time range as they transition from the initial analysis of events from source devices, through correlation, to case creation. The widget also shows the percentage of change between each state.

Analyzed

Shows the number of events, from source devices, that would need to be handled manually without the use of ArcSight correlation.

Found

Indicates the reduction in the number of items that you would need to handle manually. This data includes the correlation events generated by rules that monitor events from source devices, as well as events created by ArcSight components. For typical correlation rule configurations, the data usually represents a reduction in the number of items. However, an increase can occur in unusual configurations.

Created

Represents the number of cases created within the time range, based on correlation event activity, content or systems detecting what’s significant, and manual assessments.