Understand the Provided Widgets

The Dashboard ships with several widgets designed to help you manage your security operations. When you create or modify a dashboard, you can choose from the full set of widgets and configure them as needed.

The Dashboard provides the following out-of-the-box widgets:

• Active List

• Analytics Pipeline

• Case Breakdown

• Case Load

• Case Timeline

• Case Workflow Analysis

• Database Cluster Node Status

• Database Event Ingestion Timeline

• Database Storage Utilization

• Entity Count Overview

• Overall Risk Level

• Productivity

• SOAR Productivity

• SOAR Average KPI for Event

• SOAR Case Breakdown - Severity

• SOAR Case Load

• SOAR Case Status

• SOAR Threat Analysis Funnel

• SOAR Case Timeline

• SOAR Top Playbooks Executed

• SOAR Trend - Playbooks Executed

• SOAR Trend - Mean Time To Resolve

• SOAR Trend - Mean Time To Response

• Threat Analysis Funnel

• Top Risky Entities

Active List

Requires ArcSight Intelligence and ArcSight ESM be deployed for best effect. This widget is not available in a SaaS environment.

To watch for suspicious activity associated with entities, add Active List widgets to your dashboard. Each widget displays the top five at-risk entities, based on the specified Active list, Field, and Entity type settings with both ESM and ArcSight Intelligence installed.

The available active lists correspond to active lists in ESM. For example, you might have watch lists for privileged or administrative users or vulnerable hosts. If an active list entry matches an entity in ArcSight Intelligence, then the widget also shows the ArcSight Intelligence risk score for that entry. However, if the ArcSight Intelligence capability is not deployed, the widget cannot display risk scores but just entities in alphabetical order.

Analytics Pipeline

Requires ArcSight Intelligence be deployed. This widget is not available in a SaaS environment.

The Analytics Pipeline widget provides the risk statistics for the last analytics run. It displays the number of events analyzed, the number of anomalies and violations found, and the number of active risky entities. This widget also provides the option of downloading a PDF report detailing the current risk of the organization. You can select the orientation of the widget as Landscape or Portrait. The default orientation is Landscape.

Case Breakdown

Requires ArcSight ESM be deployed. This widget is not available in a SaaS environment.

The Case Breakdown widget displays the number or percentage of cases by their Severity, Owners, or Owner Groups. The widget always shows data As of Now, regardless of the specified time range for the dashboard.

By default, the widget shows data for total open, assigned cases. The widget displays a maximum of six data points, which comprise the top five objects associated with the specified filter plus an Other object that combines the rest of the cases. For example, if you have seven case owners, the widget shows specific values for the five owners with the largest quantity of cases, then groups the total number of cases for the other two owners in the Other category.

You can change the widget’s properties to view cases in a different state, such as cases created by specific analysts. For example, SOC Manager Franz Tupper wants to view all cases created by his Level 1 analysts. He sets the filter to Assigned Owners, and in the sub-filters specifies Jin Stafford, Neve Marshall, Troy Leach, and Chole Gay as Owners. Then he selects Created for the state that he wants to analyze. The widget will display the quantity and percentage of cases created by each analyst. Because Franz has configured the dashboard to automatically refresh, he sees in real-time when the analysts add new cases.

If you don’t specify an owner or owner group, the widget displays data for all cases.

Case Load

Requires ArcSight ESM be deployed. This widget is not available in a SaaS environment.

To help managers balance the amount of work assigned to case owners, the Case Load widget provides several case management metrics:

• Average number of cases each owner closes per week

• Estimation of the time required to close all cases currently assigned to the owner based on the time elapsed since the cases were opened

• Projection of the number of cases per severity that the owner might not be able to close, based on the configured target, the time elapsed since the cases were opened, and the average velocity of the owner. This assumes that owners work on cases in severity order, from highest to lowest.

By default, the widget shows the data for total open, assigned cases for the top three members of the group based on their average number of cases per week. You can filter the data by specific Owner Groups. The metrics are based on the specified time range and the target number of cases that you expect the owners to close per Severity

For best use of this widget, it is recommended that you create one Case Load widget per owner group. In this way, you will see details for members of the owner group.

Case Timeline

Requires ArcSight ESM be deployed. This widget is not available in a SaaS environment.

The Case Timeline widget shows changes in the volume of cases over a specified time range. By default, the widget filters the data according to the Severity category assigned in ESM. However, you can also choose to view trends for other case states, such as cases Closed by specific Owners or Owner Groups.

To observe the breakdown of cases associated with a specific date, you can hover over any location within the timeline. You can also zoom in to view a particular time range, either using the magnifier icons or by clicking and dragging within the graph.

Case Workflow Analysis

Requires ArcSight ESM be deployed. This widget is not available in a SaaS environment.

The Case Workflow Analysis widget helps you compare the current volume of cases per stage with how the cases transitioned among the stages. In the widget, the width of the lines indicates the average time cases have taken to move from stage to stage during the specified time range. The diameter of each circle, except for the Closed stage, represents the total number of cases currently at that stage, based on the last refresh of data from the source.

By default, the widget shows data for total open, assigned cases. You can also choose to filter the data by Severity, Owners, or Owner Groups.

Database Cluster Node Status

Requires that at least one deployed capability uses the ArcSight Database.

The Database Cluster Node Status widget helps SOC managers and IT administrators monitor the state of the nodes that host the database. This widget displays the state of each node in the database cluster. It also raises awareness that the number of nodes that are down can affect the resiliency of the database cluster. For example, if the database resiliency setting is 1, and two of three nodes go down, then the database might automatically shut down to protect itself.

Also, when nodes are down or recovering from a failure, it’s possible that you might experience data loss. The longer that a node is offline, the longer it will take to recover because it needs to acquire the data available in the rest of the cluster.

Database Event Ingestion Timeline

Requires that at least one deployed capability uses the ArcSight Database.

To help SOC managers and IT administrators monitor the rate of event ingestion into the database, use the Database Event Ingestion Timeline widget. Due to differences in how quickly an event from different sources arrives at the database for storage, the moment when a database stores an event differs from when the event occurred. This widget measures when the database receives the event data.

Database Storage Utilization

Requires that at least one deployed capability uses the ArcSight Database.

To help SOC Managers and IT Administrators ensure that disk use does not overload the database nodes, the Database Storage Utilization widget displays storage utilization data for up to five database nodes. In general, most administrators keep disk usage below 60 percent per node, thus ensuring space for temporary activity required by some query execution operators.

If the database cluster has more than five nodes in the cluster, you might specify the nodes with the least amount of free space available. In this way, you can monitor the nodes at most risk of running out space. For each node, you can compare the percent and quantity of space used to the total amount. You can also monitor the throughput and latency of the database per second.

The ArcSight Database supports use of a third party storage location technology, shared among its database nodes on premises or cloud. This shared storage location is also called Communal Storage and represented in the associated widget.

Entity Count Overview

Requires ArcSight Intelligence be deployed. This widget is not available in a SaaS environment.

To help identify users and entities currently at risk in your organization, the Entity Count Overview widget displays the number of entities involved in risky behaviors, by entity type, along with their risk counts based on the last analytics run. When you click an entity type in the widget, the Entities page opens in the ArcSight Intelligence UI, where additional information for the selected entity type is displayed.

Overall Risk Level

Requires ArcSight Intelligence be deployed. This widget is not available in a SaaS environment.

To help understand the general risk in your organization, the Overall Risk Level widget displays the trending risk of the organization based on the last analytics run.

Productivity

Requires ArcSight ESM be deployed. This widget is not available in a SaaS environment.

To help managers optimize analyst activity for the specified time range, the Productivity widget incorporates several elements related to SOC productivity:

Case Closure Velocity

Shows the current rate of case closure per week based on the target velocity for all owners and owner groups. For example, you might expect teams to close at least 5 cases per week. The dotted line in the graph represents the target.

 

The trend indicates whether the velocity fails to meet or exceeds the target rate compared to the previous week. The velocity is based on when cases were created.

Highest Velocity

Represents the owner that currently has the fastest closure rate per week. You can also see the total number of cases assigned to the owner by severity.

 

The trend indicates whether the velocity fails to meet or exceeds the target rate compared to the previous week. The velocity is based on when cases were assigned to the owner.

Productivity by Owner Groups

Lists the owner groups that currently have the highest average number of cases closed per week. It also identifies which owner in the group has the highest velocity.

 

You can observe the average number of cases closed and whether the rate is trending up or down. The colored bar indicates the volume of cases by severity. By default, the widget displays data according to the specified time range.

SOAR Productivity

Requires data from ArcSight SOAR.

To help managers optimize analyst activity for the specified time range, the SOAR Productivity widget incorporates several elements related to SOC productivity. You can change the widget’s properties to select an available option from the Number of Groups drop-down list:

Case Closure Velocity

Shows the current rate of case closure per week based on the target velocity for all owners and owner groups. For example, you might expect teams to close at least 5 cases per week. The dotted line in the graph represents the target.

The trend indicates whether the velocity fails to meet or exceeds the target rate compared to the previous week. The velocity is based on when cases were created.

Highest Velocity

Represents the owner that currently has the fastest closure rate per week. You can also see the total number of cases assigned to the owner by severity. The trend indicates whether the velocity fails to meet or exceeds the target rate compared to the previous week. The velocity is based on when cases were assigned to the owner.

Productivity by Owner Groups

Lists the owner groups that currently have the highest average number of cases closed per week. It also identifies which owner in the group has the highest velocity.

You can observe the average number of cases closed and whether the rate is trending up or down. The colored bar indicates the volume of cases by severity.

By default, the widget displays data according to the specified time range.

SOAR Average KPI for Event

Requires data from ArcSight SOAR and that ArcSight ESM be deployed. This widget is not available in a SaaS environment.

The SOAR Average KPI For Event widget provides the SOC Manager an overview for the volume of events in the specified time range that transition from initial analysis of events from source devices through correlation to case creation. The widget also shows the percentage of change between each state.

Correlated Event Count

Shows the number of alerts created from an ESM alert source that you must handle manually, without the use of ArcSight correlation.

Found

Indicates the reduction in the number of items that you must handle manually. This data includes the correlation events generated by rules that monitor events from source devices, as well as events generated by ArcSight components. For typical correlation rule configurations, the data usually represents a reduction in the number of items. However, the number of items might increase in the case of unusual configurations.

Created

Represents the number of cases created within a time range, based on correlation event activity, content, or systems detecting what is significant, and also manual assessments.

SOAR Case Breakdown - Severity

Requires data from ArcSight SOAR.

The SOAR Case Breakdown - Severity widget displays the number or percentage of cases by their Severity. The widget always shows data As of Now, regardless of the specified time range for the dashboard. By default, the widget shows data for total open cases. You can change the widget’s properties to select or deselect a severity type. You can also create custom severities. The system, however, does not limit the number of custom severities that you can create.

SOAR Case Load

Requires data from ArcSight SOAR.

To help managers balance the amount of work assigned to case owners, the SOAR Case Load widget provides several case management metrics:

• Average number of cases each owner closes per week.

• Projection of the number of cases per severity that the owner might not be able to close, based on the configured target, the time elapsed since the cases were opened, and the average velocity of the owner. This assumes that owners work on cases in severity order, from highest to lowest.

  Estimation of the time required to close all cases is set in the Severity Editor when you configure case severities.

By default, the widget shows the data for total open, assigned cases for the top three members of the group based on their average number of cases per week. You can filter the data by specific Owner Groups. The metrics are based on the specified time range and the target number of cases that you expect the owners to close per Severity

For best use of this widget, it is recommended that you create one Case Load widget per owner group. In this way, you will see details for members of the owner group.

SOAR Case Status

Requires data from ArcSight SOAR.

The SOAR Case Status widget displays the number of cases by their Statuses. The widget always shows data As of Now, regardless of the specified time range for the dashboard.

By default, the widget shows data for All cases. You can however change the widget’s properties to select or deselect one or more Status types.

SOAR Threat Analysis Funnel

Requires data from ArcSight SOAR and that ArcSight ESM be deployed. This widget is not available in a SaaS environment.

The SOAR Threat Analysis Funnel widget provides the SOC Manager an overview for the volume of events in the specified time range that transition from initial analysis of events from source devices through correlation to case creation. The widget also shows the percentage of change between each state.

Analyzed

Shows the number of events, from source devices, that you must handle with the use of ArcSight correlation.

Found

Indicates the reduction in the number of items that you must handle manually. This data includes the correlation events generated by rules that monitor events from source device as well as events created by ArcSight components. For typical correlation rule configurations, the data usually represents a reduction in the number of items. However, the number of items might increase in the case of unusual configurations.

Base and Correlation Event counts and Created Case counts come from the ArcSight ESM API and ArcSight SOAR respectively.

SOAR Case Timeline

Requires data from ArcSight SOAR.

The SOAR Case Timeline widget shows changes in the volume of cases over a specified time range. By default, the widget filters the data according to the Severity category assigned in SOAR. However, you can also choose to view trends for other case states, such as cases closed by assigned or unassigned sub-filters.

To observe the breakdown of cases associated with a specific date, you can hover over any location within the timeline. You can also zoom in to view a particular time range, either using the magnifier icons or by clicking and dragging within the graph.

SOAR Top Playbooks Executed

Requires data from ArcSight SOAR.

The SOAR Top Playbooks Executed widget displays the execution count of the playbooks over alerts created.

By default, the widget shows data for top 5 playbooks. The widget helps managers understand the count of playbooks executed over each alert.

You can view the number of playbooks for a given date period and Top N Playbooks such as top 5, top 10.

SOAR Trend - Mean Time To Resolve

Requires data from ArcSight SOAR.

The SOAR Trend - Mean Time to Resolve widget displays the amount of average time it took to resolve a malicious attack.

You can change the widget’s properties to view different classifications of attacks and their statuses.

To observe the breakdown of cases associated with a specific date, you can hover over any location within the timeline. You can also zoom in to view a particular time range, either using the magnifier icons or by clicking and dragging within the graph.

SOAR Trend - Mean Time To Response

Requires data from ArcSight SOAR.

The SOAR Trend - Mean Time to Response widget displays the amount of average time it took to respond to a malicious attack.

You can change the widget’s properties to view different classification of attacks and their statuses.

To observe the breakdown of cases associated with a specific date, you can hover over any location within the timeline. You can also zoom in to view a particular time range, either using the magnifier icons or by clicking and dragging within the graph.

SOAR Trend - Playbooks Executed

Requires data from ArcSight SOAR.

The SOAR Trend - Playbooks Executed widget displays the number of times a playbook is executed by its execution date.

By default, the widget shows data for 5 playbooks. The widget helps managers understand the number of playbooks executed everyday.

You can change the widget’s properties to view number of playbooks for a given date period.

To observe the breakdown of playbooks associated with a specific date, you can hover over any location within the timeline. You can also zoom in to view a particular time range, either using the magnifier icons or by clicking and dragging within the graph.

Threat Analysis Funnel

Requires ArcSight ESM be deployed. This widget is not available in a SaaS environment.

The Threat Analysis Funnel provides the SOC Manager an overview for the volume of events in the specified time range that transition from initial analysis of events from source devices through correlation to case creation. The widget also shows the percentage of change between each state.

Analyzed

Shows the number of events, from source devices, that would need to be handled manually without the use of ArcSight correlation.

Found

Indicates the reduction in the number of items that you would need to handle manually. This data includes the correlation events generated by rules that monitor events from source device as well as events created by ArcSight components. For typical correlation rule configurations, the data usually represents a reduction in the number of items. However, the number of items might increase in the case of unusual configurations.

Created

Represents the number of cases created within the time range, based on correlation event activity, content or systems detecting what’s significant, and manual assessments.

Top Risky Entities

Requires ArcSight Intelligence be deployed. This widget is not available in a SaaS environment.

To help identify the riskiest entities in your organization, the Top Risky Entities widget provides a list of the top risky entities, by entity type, based on the last analytics run. By default, the widget displays the top 5 risky users. If you need to view the top risky entities for another entity type, then, as part of this widget’s properties, you can change the filter to select the entity type and the number of entities you want displayed in the list. When you click an entity in the widget, the Explore page opens in the ArcSight Intelligence UI, with the selected entity's name applied to the anomalies and violations filter.