1.1 Dashboards

Sentinel provides multiple default web-based dashboards so that you can quickly access the data you need to do your job.

Some of these dashboards provide event visualizations that present data in charts, tables, and maps. These visualizations make it easier to analyze large volumes of events, including IP Flow events. Event visualization dashboards provide a customizable interface that helps you search, view, and analyze events in detail, so you can drill down to potential threats much faster. In addition to the out-of-the-box dashboards, you can create your own dashboards as required.

The following dashboards are event visualization dashboards. They are built on Kibana and display the data stored in Elasticsearch, so they are disabled by default unless the Sentinel administrator has configured Elasticsearch as one of the data store options:

  • Threat Hunting

  • User Activities

  • IP Flow Overview

  • IP Flow Real-time

NOTE: With traditional storage, event visualization dashboards are disabled by default. Ensure that the administrator has enabled the event visualization dashboards before you try to view them. For more information, see the Configuring Elasticsearch for Event Visualization section in the Sentinel Installation and Configuration Guide. Sharing of event visualization dashboards is restricted to users in the same tenant by default, and this setting is not editable. After upgrading to Sentinel 8.4.0.0, even default tenant users cannot view the event visualization dashboards of other tenants.

You can modify existing visualizations and dashboards, or create new ones for the data you want to visualize. Review any known issues and security vulnerabilities in Kibana before adding new visualizations. For information about creating visualizations and dashboards, refer to the Kibana documentation.

1.1.1 Alerts Dashboard

The Alerts dashboard provides a high-level visualization of all the alerts in the system. For more information, see Analyzing Alert Dashboards.

1.1.2 Events Overview Dashboard

The Events Overview dashboard provides a high-level overview of all incoming events. The widgets provide information on specific types, such as correlation events, system events, and others.

1.1.3 IP Flow Dashboards

IP Flow dashboards provide a high-level overview of the IP Flow data, which helps you monitor network activity in your environment.

For more information about visualizing and analyzing IP Flow data, see Section 9.0, Visualizing and Analyzing IP Flow Communications.

1.1.4 Security Health Dashboard

The Security Health dashboard provides a high-level overview of the current state of system security, including information about whether the system is secure or compromised. The data it displays relates to threats from low-reputation IP addresses, vulnerabilities, and potential exploitation of any vulnerabilities.

For example, the dashboard can inform you of the following:

  • Threats - For example, there is known activity from low-reputation IP addresses, or known attacks are attempting to exploit existing vulnerabilities on the network. For more information about the feeds, see Configuring Threat Intelligence Data Sources in the Sentinel Administration Guide.

  • Vulnerabilities - There is no known threat activity, but there are potential vulnerabilities that you must address to prevent an attack. For example, you might have vulnerabilities in your network that need to be patched, but those vulnerabilities have not been exploited.

  • Mitre Threat Landscape - If a correlation rule mapped to a Mitre Att&ck ID is triggered, the resulting correlation events carry a Mitre Att&ck ID and a Mitre Att&ck Name. A widget in the default Security Health dashboard analyzes these events and shows the top ten Mitre Att&ck Names for a Time Range of 1 day with a Display Interval of 1 hour. You can change the Chart Type, Y Axis, Time Range, and Display Interval as required; set Event Attribute to MitreAttackName.

  • Incomplete Monitoring or Threat Intelligence - Sentinel collects and correlates a wide variety of information that it uses to inform you of active threats or vulnerabilities. The Security Health dashboard tells you when that information is not being collected or is out of date, which you should address to prevent blind spots in your security monitoring. For example, you need to download low-reputation feed data to get an accurate evaluation of potential threats in your network, scan your network for vulnerabilities, and gather IDS/IPS data to detect attempts to exploit vulnerabilities in the network.
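The following is an added example, not Sentinel code, that reproduces offline what the Mitre Threat Landscape widget described above computes: it takes correlation events that carry a MitreAttackName, keeps only those inside a 1 day Time Range, buckets them by a 1 hour Display Interval, and returns the top ten technique names. The sample events are constructed for illustration; only the MitreAttackID and MitreAttackName field names come from the page, and the "ts" timestamp field is an assumption. Events without a MitreAttackName (events not produced by a rule mapped to an ATT&CK ID) are ignored, as the widget's Event Attribute filter ignores them.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample correlation events (not real Sentinel output).
# "ts" is an assumed timestamp field; MitreAttackID / MitreAttackName follow the page.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"ts": NOW - timedelta(minutes=5), "MitreAttackID": "T1110",
     "MitreAttackName": "Brute Force"},
    {"ts": NOW - timedelta(minutes=50), "MitreAttackID": "T1110",
     "MitreAttackName": "Brute Force"},
    {"ts": NOW - timedelta(hours=3), "MitreAttackID": "T1059",
     "MitreAttackName": "Command and Scripting Interpreter"},
    {"ts": NOW - timedelta(hours=3, minutes=20), "MitreAttackID": "T1110",
     "MitreAttackName": "Brute Force"},
    {"ts": NOW - timedelta(hours=23, minutes=59), "MitreAttackID": "T1078",
     "MitreAttackName": "Valid Accounts"},
    # Older than the 1 day Time Range: must be dropped.
    {"ts": NOW - timedelta(days=2), "MitreAttackID": "T1078",
     "MitreAttackName": "Valid Accounts"},
    # Ordinary event with no ATT&CK mapping: no MitreAttackName, must be dropped.
    {"ts": NOW - timedelta(minutes=1)},
]


def mitre_landscape(events, now=NOW, time_range=timedelta(days=1),
                    interval=timedelta(hours=1), top_n=10):
    """Aggregate correlation events the way the widget does.

    Returns (top_names, buckets):
      top_names: list of (MitreAttackName, count) over the whole Time Range,
                 highest count first, at most top_n entries (ties keep
                 first-seen order, as Counter.most_common does).
      buckets:   dict mapping each Display Interval start (datetime) to a
                 Counter of the top_n names seen in that interval.
    """
    start = now - time_range
    totals = Counter()
    per_bucket = defaultdict(Counter)
    for ev in events:
        name = ev.get("MitreAttackName")
        if not name or not (start <= ev["ts"] <= now):
            continue  # unmapped event, or outside the Time Range
        # Floor the timestamp to the start of its Display Interval.
        offset = (ev["ts"] - start) // interval
        bucket = start + offset * interval
        totals[name] += 1
        per_bucket[bucket][name] += 1

    top = totals.most_common(top_n)
    keep = {name for name, _ in top}
    buckets = {
        bucket: Counter({n: c for n, c in counts.items() if n in keep})
        for bucket, counts in per_bucket.items()
    }
    return top, buckets


if __name__ == "__main__":
    top, buckets = mitre_landscape(EVENTS)
    for name, count in top:
        print(f"{count:3d}  {name}")
    for bucket in sorted(buckets):
        print(bucket.isoformat(), dict(buckets[bucket]))
```

Running the block lists Brute Force with three hits followed by the two single-hit techniques, and shows the 11:00 interval holding two of the Brute Force events; the two-day-old event and the unmapped event do not appear. Feeding exported correlation events into `mitre_landscape` with a different `time_range` or `interval` mirrors changing the widget's Time Range and Display Interval.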

NOTE: Users who wish to access the Sentinel Main interface can click Sentinel Main in the left side navigation. For more information, see Sentinel Main Interface.

The Security Health indicator changes color to:

  • Green when both threats and vulnerabilities are healthy.

  • Yellow when either threats or vulnerabilities require attention, based on priority.

  • Red when either threats or vulnerabilities require immediate attention and further action.

1.1.5 Threat Hunting Dashboard

The Threat Hunting dashboard enables you to identify the probable threats in the environment by using the information provided in the widgets.

You can visualize various aspects of events, such as:

  • Event timeline with threat reputation scores

  • Top 5 Taxonomies and top 5 events

  • Vulnerability information and threat types

  • Geographical source and destination of the events

    NOTE: To view geographical locations of events, ensure that the IpToCountry.csv file is populated by using the IP2Location Feed plug-in. For more information, see the IP2Location Feed documentation on the Sentinel Plug-ins Website.

  • Top 5 initiator and target user names and their departments

  • Associated risks

  • Associated user activities

1.1.6 Threat Response Dashboard

The Threat Response dashboard provides a high-level overview of alerts in the New state, arranged by ownership and priority. Click any of the bar charts to view further details of those alerts and triage them accordingly.

For more information about the Threat Response dashboard and its options, see Viewing and Triaging Alerts.

1.1.7 User Activities Dashboard

The User Activities dashboard provides a high-level visualization of user activities in the system.

1.1.8 Accessing the Dashboards

You can access these dashboards based on your role and permissions.

To access the dashboards:

  1. Launch a supported web browser.

  2. Specify the following URL:

    https://IP_AddressOrDNS_Sentinel_server:8443

    Where IP_AddressOrDNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

  3. Log in as a user with permissions to access the dashboards.

The first time you log in, Sentinel takes you to Manage Dashboards. From here, you can:

  • Access any dashboard to which you have permissions (click Manage Dashboards > Dashboard Name).

  • Create a new dashboard (click Manage Dashboards > Create Dashboard).

  • Set any of the following dashboards as your home page:

    • Threat Response dashboard

    • Security Health dashboard

    • Events Overview dashboard