1 - Telemetry Dashboard

The Telemetry dashboard provides a simple, self-explanatory, high-level view of the telemetry metrics for your Managed Detection and Response service.

Summary Panels

The dashboard contains several summary panels that can be filtered to a specified time period. They show:

  • Total number of events ingested into the Samurai platform
  • Total log volume
  • Number of integrations (current state; not affected by the selected time period)
  • Integrations with no events in the last 12 hours (these integrations likely need action; review the Telemetry Monitoring article for further information)


Figure 1: Example summary panels

Time period

You can restrict the time-based panels to a specific date and time range, either by choosing one of the included quick time ranges or by entering your own start and end date and time.

Figure 2: Date and time selection

Detail Panels

Additional panels break down event data by the products you have integrated with the Samurai platform.

Events per product

Figure 3: Example events per product bar graph

Events per product

Figure 4: Example events per product pie chart

Data ingested per product

Table 1: Example data ingested per product table
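The summary panels above (events ingested, log volume, integration count and integrations silent for 12 hours) and the per-product detail panels are all simple aggregations over the ingested event stream. The following Python is an added example, not part of the Samurai documentation or platform: it computes the same figures from a constructed set of event records so you can see exactly what each panel measures. The record fields (integration, product, ts, bytes) and all integration and product names are assumptions made for the example, not the platform's schema.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# "Now" for the example, fixed so the results are reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# Start of the selected time period: the last 24 hours before NOW.
PERIOD_START = NOW - timedelta(hours=24)

# Constructed sample events (one record per ingested event). The field names and the
# integration/product names are assumptions for this example, not the platform's schema.
SAMPLE_EVENTS = [
    {"integration": "fw-edge-01",    "product": "NGFW",      "ts": "2024-05-01T11:45:00Z", "bytes": 512},
    {"integration": "fw-edge-01",    "product": "NGFW",      "ts": "2024-05-01T10:02:00Z", "bytes": 480},
    {"integration": "edr-endpoints", "product": "EDR",       "ts": "2024-05-01T11:59:30Z", "bytes": 2048},
    {"integration": "proxy-dc2",     "product": "Web Proxy", "ts": "2024-04-30T21:15:00Z", "bytes": 300},  # quiet for 14h45m
    {"integration": "vpn-gw",        "product": "VPN",       "ts": "2024-04-29T08:00:00Z", "bytes": 256},  # quiet for 52h
]

# Integrations configured on the platform, including one that has never delivered an event.
CONFIGURED_INTEGRATIONS = ["fw-edge-01", "edr-endpoints", "proxy-dc2", "vpn-gw", "o365-audit"]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_period(events, start, end):
    """Events with start <= timestamp < end, mirroring the dashboard's time-period filter."""
    return [e for e in events if start <= parse_ts(e["ts"]) < end]


def total_events(events):
    return len(events)


def total_log_volume(events):
    return sum(e["bytes"] for e in events)


def events_per_product(events):
    return dict(Counter(e["product"] for e in events))


def bytes_per_product(events):
    volume = Counter()
    for e in events:
        volume[e["product"]] += e["bytes"]
    return dict(volume)


def last_seen(events):
    """Most recent event timestamp per integration."""
    seen = {}
    for e in events:
        t = parse_ts(e["ts"])
        if e["integration"] not in seen or t > seen[e["integration"]]:
            seen[e["integration"]] = t
    return seen


def stale_integrations(integrations, events, now, window=timedelta(hours=12)):
    """Integrations with no event inside `window`, mapped to hours since their last event
    (None when the integration has never sent an event). This is the check behind the
    'no events in the last 12 hours' panel and is evaluated against all events, not the period."""
    seen = last_seen(events)
    stale = {}
    for name in integrations:
        t = seen.get(name)
        if t is None:
            stale[name] = None
        elif now - t > window:
            stale[name] = round((now - t).total_seconds() / 3600, 2)
    return stale


def summary_panels(integrations, all_events, start, end, now):
    """The four summary panels: the first two honour the selected period, the last two are current state."""
    period = in_period(all_events, start, end)
    return {
        "events_ingested": total_events(period),
        "log_volume_bytes": total_log_volume(period),
        "integrations": len(integrations),
        "stale_integrations": stale_integrations(integrations, all_events, now),
    }


if __name__ == "__main__":
    print(summary_panels(CONFIGURED_INTEGRATIONS, SAMPLE_EVENTS, PERIOD_START, NOW, NOW))
    print(events_per_product(in_period(SAMPLE_EVENTS, PERIOD_START, NOW)))
    print(bytes_per_product(in_period(SAMPLE_EVENTS, PERIOD_START, NOW)))
```

Note the deliberate difference in scope: the event and volume figures are computed over the selected period, while the integration count and the stale-integration check are computed against current state, which is why changing the time range on the dashboard does not alter those two panels. An integration that appears in the stale list with no last-seen time at all has never delivered an event and usually indicates a misconfigured collector or forwarder rather than a quiet source.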

If you wish to drill down into the events, we recommend the Advanced Query feature. Review Advanced Query Introduction for more information.

2 - Alerts Dashboard

The Alerts dashboard provides insight into your organization's security landscape. Although every alert is handled by the Samurai Security Operations Center (SOC), the dashboard gives you visibility into the volume of alerts that may lead to validated threats, which are reported to you as security incidents. It also provides transparency by categorizing alerts by detection engine and highlighting the top threat signatures. You do not need to act on these alerts; the information illustrates the scale and effectiveness of the Samurai MDR service.

Outlined below are examples and an explanation of each panel within the dashboard:

Monitoring, Detection and Response summary

The funnel shows the telemetry (events) ingested by the Samurai platform from your configured integrations, the security detections (alerts) raised by the Samurai platform detection engines and by third-party vendor products, which are triaged and investigated by the Samurai SOC, and the number of security incidents reported to your organization. The funnel illustrates the value of the service: the volume of data analyzed relative to the threats detected and reported to you.


Figure 1: Example summary

Number of alerts

The total number of alerts analyzed by the Samurai platform and SOC analysts.


Figure 2: Example number of alerts

Number of unique signatures

The total number of unique alert signatures.


Figure 3: Example unique signatures

Alerts per detection method

Donut chart showing alerts per detection method. For a brief explanation of the detection engines, refer to Alerts.


Figure 4: Example alerts per detection method chart

Alerts timeline per detection method

Bar graph showing alerts over the time period per detection method.


Figure 5: Example alerts timeline per detection method graph

Top 10 signatures

Top 10 alert signatures from all detection methods.


Figure 6: Example top 10 signatures

Top 10 signatures for Hunting Engine

Top 10 alert signatures for the Samurai hunting engine.


Figure 7: Example top 10 signatures for hunting engine

Top 10 signatures for Real-time Engine

Top 10 alert signatures for the Samurai real-time engine.


Figure 8: Example top 10 signatures for real-time engine

Top 10 signatures for vendor

Top 10 alert signatures from your vendor product integrations.


Figure 9: Example top 10 signatures for vendor

3 - Security Incident Dashboard

The Security Incidents dashboard provides a simple, self-explanatory, high-level view of the security incidents raised by your Managed Detection and Response service.

Current open security incidents per severity

For more information on severity definitions, refer to Security Incident Fields.

Figure 1: Example current open security incidents by severity

Current open security incidents by state

For more information on state definitions, refer to Security Incident Fields.

Figure 2: Example current open security incidents by state

Current open security incidents (days)

This graph shows how long (in days) each security incident has remained open; an open incident may be in the 'Awaiting feedback' or 'Awaiting SOC' state. The goal is to remediate and close each security incident as quickly as possible to reduce risk.

Figure 3: Example current open security incidents (days)

New security incidents per month by severity

Figure 4: Example new security incidents per month by severity

Security incidents average closing time by severity (days)

This graph shows the average closing time (in days) of security incidents per severity. The goal should be to keep this average closing time to a minimum.

Figure 5: Example security incidents average closing time by severity (days)

Security incidents total opened/closed per month

Figure 6: Example security incidents total opened/closed per month
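Each of the six incident panels above (open incidents by severity and by state, age of open incidents in days, new incidents per month by severity, average closing time by severity, and opened/closed per month) is a straightforward aggregation over the incident list, and it is worth being able to reproduce them from an export when reconciling with your own ticketing system. The following Python is an added example, not code from the Samurai documentation or platform. The incident fields (id, severity, state, opened, closed) follow the dashboard's vocabulary but are an assumption about the export format, the incident records are constructed for the example, and the target close times used to flag overdue incidents are illustrative values, not service SLAs.

```python
from collections import Counter, defaultdict
from datetime import date

# Reporting date for the example, fixed so the results are reproducible.
TODAY = date(2024, 5, 15)

# Constructed sample incidents (not real Samurai data). Field names follow the dashboard's
# vocabulary; they are an assumption about the export format, not the platform's schema.
# "closed" is None while the incident is still open.
INCIDENTS = [
    {"id": "INC-1001", "severity": "High",     "state": "Closed",            "opened": "2024-03-03", "closed": "2024-03-05"},
    {"id": "INC-1002", "severity": "High",     "state": "Closed",            "opened": "2024-03-20", "closed": "2024-03-26"},
    {"id": "INC-1003", "severity": "Medium",   "state": "Closed",            "opened": "2024-04-02", "closed": "2024-04-09"},
    {"id": "INC-1004", "severity": "Critical", "state": "Awaiting feedback", "opened": "2024-05-01", "closed": None},
    {"id": "INC-1005", "severity": "Low",      "state": "Awaiting SOC",      "opened": "2024-05-12", "closed": None},
    {"id": "INC-1006", "severity": "Medium",   "state": "Closed",            "opened": "2024-04-28", "closed": "2024-05-02"},
]

# Illustrative target close times (days) per severity, assumed for the example only.
TARGET_CLOSE_DAYS = {"Critical": 1, "High": 3, "Medium": 7, "Low": 14}


def as_date(s):
    return date.fromisoformat(s) if s else None


def open_incidents(incidents):
    return [i for i in incidents if i["closed"] is None]


def open_by_severity(incidents):
    """Panel: current open security incidents per severity."""
    return dict(Counter(i["severity"] for i in open_incidents(incidents)))


def open_by_state(incidents):
    """Panel: current open security incidents by state."""
    return dict(Counter(i["state"] for i in open_incidents(incidents)))


def open_age_days(incidents, today):
    """Panel: days each open incident has remained open as of `today`."""
    return {i["id"]: (today - as_date(i["opened"])).days for i in open_incidents(incidents)}


def new_per_month_by_severity(incidents):
    """Panel: new incidents per month (YYYY-MM) by severity."""
    return dict(Counter((i["opened"][:7], i["severity"]) for i in incidents))


def avg_close_days_by_severity(incidents):
    """Panel: mean days from opened to closed, per severity, over closed incidents only."""
    total, count = defaultdict(int), Counter()
    for i in incidents:
        if i["closed"]:
            total[i["severity"]] += (as_date(i["closed"]) - as_date(i["opened"])).days
            count[i["severity"]] += 1
    return {sev: total[sev] / count[sev] for sev in count}


def opened_closed_per_month(incidents):
    """Panel: (opened, closed) counts per month. An incident opened in one month and closed
    in the next is counted in both months' respective columns."""
    opened = Counter(i["opened"][:7] for i in incidents)
    closed = Counter(i["closed"][:7] for i in incidents if i["closed"])
    return {m: (opened[m], closed[m]) for m in sorted(set(opened) | set(closed))}


def overdue_open_incidents(incidents, today, targets=TARGET_CLOSE_DAYS):
    """Open incidents whose age exceeds the target close time for their severity."""
    by_id = {i["id"]: i for i in incidents}
    return sorted(
        iid for iid, age in open_age_days(incidents, today).items()
        if age > targets[by_id[iid]["severity"]]
    )


if __name__ == "__main__":
    print(open_by_severity(INCIDENTS), open_by_state(INCIDENTS))
    print(open_age_days(INCIDENTS, TODAY))
    print(new_per_month_by_severity(INCIDENTS))
    print(avg_close_days_by_severity(INCIDENTS))
    print(opened_closed_per_month(INCIDENTS))
    print(overdue_open_incidents(INCIDENTS, TODAY))
```

Two points a practitioner should keep in mind when comparing these numbers with the dashboard: the average closing time only includes closed incidents, so a long-running open incident does not drag the average up until it is closed (which is why the open-age panel exists alongside it), and the opened/closed per month view counts an incident in the month it was opened and separately in the month it was closed, so the two columns for a single month are not expected to match.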