The cluster data view is for diving into individual alerts or entities within a cluster. It provides a data-focused tabular view of all the contents of a cluster.
The cluster data view can be opened on any cluster using the view tabs in the header. Clusters with too many entities to be suited to the visualisation open directly in the data view.
The cluster data view has 5 distinct sections, as outlined below:
The alert search allows both basic and advanced search over the cluster. The alert data will update to show the results of the search. This includes the alert-threat visualisation, alert table, and alert histogram.
The alert time and threat view displays the number of alerts in each time period and threat type. At a glance, it shows which threats have the most activity and in which time periods.
The default time period displayed is a week. This can be changed using the time period selector:
A particular bin can be selected to apply a filter to the alert table.
The alert data table allows the user to view individual alerts in the cluster. It will display the following information about the alert in a tabular format:
Alerts can contain dynamic attributes. These can be displayed as new columns with the "Add Attribute" button. Different attributes might be present for different clusters.
The alert table can be sorted on select fields by clicking on the column headings. It also supports grouping on select fields with the 'group' icon.
The entities within the cluster can be viewed to the right of the alerts in a table. External entities are displayed at the top, and internal entities underneath. Entity attributes can be added with the "Add Attribute" button. The entity table can also be sorted and grouped.
The alert histogram shows alert frequency or alert score over time, giving a quick summary of the cluster's activity over time.
The alert histogram allows a user to focus on a time range by dragging a window on the time axis.
Information for an individual alert can be viewed by selecting the alert in the table. This information is visible in the context tab on the left-hand panel. It displays the parsed and raw alert, the entities linked to this alert, its threat types, and a list of all the attributes associated with it.