Please note, dashboards use different SOC.OS data sources for specific purposes. Whilst generally similar, you may see small inconsistencies in the precise figures. We're migrating our data to use one consistent source, at which point this will be resolved.
To access the various dashboards, click on the Dashboard icon in the left toolbar.
There are three separate screens which make up the Dashboard section; Wallboard, Dashboard and Tagging. These can be selected from the drop down in the top bar. SOC.OS will cycle through these over a number of minutes to display all dashboardsfor wallboard use.
The default screen is the Wallboard, shown below. The Wallboard show four data tables; Most frequent alert types, Critical alerts, Most frequent IPs and Most frequent threat types.
-
The most frequent alert types table shows your top 10 most frequent alert types in descending order. If you click on an alert type, you’ll be redirected to the cluster workbench and presented with all clusters containing that alert. Hot tip: use this table to identify tool misconfigurations and/or to identify high volume alerts. For high volume and low fidelity alerts which you don’t want to be processed by SOC.OS, filter them out. Click here for a tutorial on how to filter alerts within SOC.OS.
-
The critical alerts table shows your top 10 most critically scored alerts, sorted by “Alert base score”, in descending order. LINK TO ALERT BASE SCORE. If you click on an alert, you’ll be redirected to the cluster workbench and presented with all clusters containing that alert.
-
The most frequent IPs table shows your top 10 most frequent IP addresses (which are contained within alerts). If you click on an IP address, you’ll be redirected to the cluster workbench and presented with all clusters containing alerts with that IP address.
-
The most frequent threat types table shows your top 10 most frequent MITRE ATT&CK threat types. Threat types are automatically assigned by SOC.OS and are deduced by analysing the alert type and mapping this to the relevant technique or tactic within the enterprise matrix. In the below table, T1203 - Exploitation For Client Exécution is shown 41 times, meaning there are 41 alert types which have mapped to this technique. If you click on a threat type, you’ll be redirected to the cluster workbench and presented with all clusters containing alerts which map to this threat type.
The threat map highlights the geographical location of any IP address and hostname (extracted from alert metadata) which SOC.OS has enriched with 3rd party threat data feeds. Please see Threat Map for more
The funnel represents all the alerts, clusters and critical clusters within an organisation. It shows how SOC.OS reduces the number of items that need attention. Read more here: Funnel
Tagging
By selecting the drop down highlighted below, you can navigate to the next screen in the list, Tagging. The y axis is how many times a certain business context tag (LINK) has been identified within your alert metadata and the x axis is time. The x-axis ticks are days, and the graph shows this week’s activity (solid line) superimposed with last week’s (dotted line).
