Dashboards are an integral component of any effective SIEM solution. After log data is aggregated from different sources, a SIEM solution prepares the data for analysis after normalization. The outcomes of this analysis are presented in the form of actionable insights through dashboards. Many SIEM solutions come with pre-configured dashboards to simplify the onboarding process for your team. Besides, an ideal solution should also allow an organization to customize dashboards as per its requirements. In this article, we discuss various types of dashboards available on Logsign SIEM.
(You can also check our article about The step-by-step procedure to customize a dashboard on Logsign SIEM )
Types of dashboards on Logsign SIEM
On Logsign SIEM, more than 40 types of dashboards are available. These dashboards are categorized into a total of 11 categories as follows:
- Threat Intelligence
- Security Suite
- Application Server
- System Events
- Event Taxonomy
- Guest Access
- Database Control
- Identity Management
- File Access Control
If you are using Logsign for the first time or have not changed the default dashboard, the Welcome dashboard is the default dashboard on Logsign SIEM. The default dashboard contains an all event-time histogram, along with event context, event types, and event actions.
Depending on your requirements and job profile, you can set any dashboard as the default dashboard so that it appears on the landing page after you login. Further, a user can add, modify, or remove widgets on these dashboards through “Add a widget” option. For every widget, Logsign SIEM has allocated a default time index. A user can configure this time index from a duration as short as 1 hour to as long as 365 days.
1. Threat Intelligence
This category has two dashboards at present. It provides information about the classification of threat messages, external malicious source and destination IP addresses, suspicious intelligence severities, most active threat sources/destinations, time analysis, and malicious activity counts.
2. Security Suite
This category has six dashboards: Attack Analysis, Endpoint Analysis, Security Overview, IDS, Content Filtering Analysis, and Trend Micro.
|Attack Analysis||Attack activity by internal/external source IP addresses, destination ports, source interface, source countries, and timeline|
|Endpoint Analysis||Infected sources, threat details, detected virus, and endpoint security events|
|Security Overview||Security activities, risk by event sources, risk summary by severity, risk summary by source/destination country, along with detected activities for attacks, malware, virus, and spam|
|IDS||Attack histogram, attack by source/destination IP addresses, destination/source attack map, and external/internal IP attack severity|
|Content Filtering Analysis||Allowed/blocked domain access, allowed/blocked categories, allowed/blocked URL sources, and URL categories|
|Trend Micro||TrendMicro products, event map info, event types, event activities, event subtypes, among other event-related information|
This category has a total of eight dashboards. These dashboards visualize information about various facets of your organization’s network.
|FTP Analysis||FTP time analysis and top sources/destinations|
|UDP Analysis||UDP time analysis, top sources/destinations, top source/destination country, and destination ports|
|Protocol Center||Usage by protocol timeline, top connection sources, port usage, and outbound/inbound connections by destination ports|
|Traffic Awareness||Traffic anomaly time analysis, traffic anomaly sources, and critical source/destination country|
|Traffic Overview||Traffic analysis, source/destination country, top source/destination country, and traffic analysis from source IP to unique destination IPs|
|HTTP/S Analysis||Blocked/allowed HTTP/S requests, top sources/destinations, and time analysis|
|DNS Analysis||DNS time analysis and top sources/destinations|
|Bandwidth Analysis||Bandwidth (download/upload) usage, download/upload MB usage, and download usage for TCP and UDP|
This category has five pre-configured dashboards concerning alerts and actions objects.
|Warning Level Alerts||Alert details, unique counts by action object, total count, and information level alerts|
|Critical/Emergency Level Alerts||Alert details, unique counts by action object, and total count|
|Compliance Alerts & Use Cases||Under development|
|Action Objects & Alert Overview||Information/warning/critical/emergency level alert counts, suspicious users, suspicious internal/external hosts, suspicious objects and alerts|
|Alert Rules Overview||Suspicious objects time analysis with unique alert counts, alerts time analysis with unique object counts, alerts & action object analysis|
5. Application Server
This category consists of pre-configured dashboards focusing on various servers inside an organization such as web, FTP, mail, DHCP, and DNS.
|Web Server||Event timeline, external IP addresses, result codes, source country, URL paths, data sources, and messages|
|FTP Server||Usage timeline, top source IP addresses, server messages, source users, and event actions|
|Mail Server||Event timeline, top mail receivers/senders, mail events, server messages, and mail subjects|
|DHCP Server||Timeline, server messages, top source IP addresses, top MAC addresses, and data sources|
|DNS Server||Time analysis, server messages, top source IP addresses, server actions, and DNS request sources|
6. System Events
This category focusses on system events inside your organization’s technical infrastructure. It provides six pre-configured dashboards for your security team.
|Network Layer System Events||Activity and their details, event messages, and events with severity|
|System Overview||System categories, information messages, system activity by event sources, and system error messages|
|Application Layer System Events||Activities, messages, system errors, and message details|
|Critical System Events||Time analysis, critical events, critical event count, and critical devices|
|SIEM System Events||CPU utilization, disk utilization, EPS stats, and health check critical/last states|
|Security Layer System Events||Activities, messages, system errors, and message details|
7. Event Taxonomy
Dashboards in this category provide detailed information about security events in your technical infrastructure based on their severity and mapping inside Logsign SIEM.
|Severity||Event timeline, context, type, subtype, data sources, and details|
|Mapping||Classification (identity/security/object/network/system/application), context, type, and subtype|
8. Guest Access
This category of dashboards provides information about guest users who connected to your organization’s wireless network.
|Hotspot User Count Analysis||Logon/Logout user count, online/registered user count, login failed user count, location-based analysis for logon, login failed, registered users, and logout|
|Hotspot User Data Usage Analysis||Users upload/download MB usage and location-based data usage|
|Hotspot User Activity Analysis||Logon/logout user activity, login failed users, login failed user activity and reasons, account termination, and all user messages|
Figure 9 shows no data as we have disabled connections to the wireless network in our demo environment.
9. Database Control
This category gives insights into your organization’s databases. It has three dashboards: one gives a general overview while one each is dedicated for MSSQL and Oracle.
|Database Overview||Usage timeline, data sources, and actions|
|MSSQL||Usage timeline, object name and database name, general events, type and actions, and activity details|
|Oracle||Usage timeline, object name, messages, SQL commands|
10. Identity Management
This category of dashboards illustrates information about user account management, user identity management, and VPN-based user activities.
|VPN User Overview||Logon activity counts, logon failure counts, top users for logon attempts/failures, activity details, time analysis, and login/failure by countries|
|Account Management||Activities count, top 10 activities, created/deleted users, enable/disable users, lock/unlock users, messages, password change activities, and expired password by account|
|Identity Overview||Logon activity counts, logon failure counts, top users for logon attempts/failures, logon and logon failure by source IP address, and logout activity by users|
11. File Access Control
This category of dashboards presents visualized information about the file system of your organization. It covers user activities, file share events, and detailed insights on change events.
|File Shared||Time analysis, shared folders, shared file events, and event details|
|File System||Time analysis, actions, user file activity, and object names|
|File Overview||File server timeline, shared folders, file modified event count, modified events by users, and shared file change event details|
Have you been able to utilize these dashboards for your organization? Feel free to get in touch with our Support team if you have any questions or queries.