Using the Main Dashboard and Grids
Last updated
The main dashboard provides a summary of artifacts based on severity levels. The artifacts requiring investigation are classified into four categories: Malicious, Critical, High Risk, and Unknown. The artifacts can be analyzed more thoroughly through the home page by clicking the artifact name or the hit count values. The detailed grid is opened accordingly. Through the dashboard, six different views are available:
Artifact Overview
Remediation Overview
SIGMA Based Threat Hunting
Windows Hardening Overview
Device Summary
The artifact grids are used to perform detailed analysis and investigation. On the top part of the page, hit counts based on severity are provided. On the grid, right-click actions provide the core functionalities. Right-click actions are available both through the grid header and through the grid body. When clicked from the grid header, bulk operations can be performed:
Rule Management: An artifact property can be added to a new or existing classification rule.
List Management: An artifact property can be added to a list.
Aggregate: Aggregation actions can be performed.
Actions: Through actions, the details of the artifact can be displayed. An artifact can be flagged as malicious or as trusted. When set as trusted, the risk score value is 0, and the malicious flag is set to false.
Acknowledge: An artifact can be acknowledged for filtering in the grids.
Search: The artifact property can be searched in Google and VirusTotal.
Enrichment Details: The information retrieved from threat intelligence is displayed in a pop-up.
Host Analysis: The details of the host where the artifact is identified are displayed.
Windows In-Depth Analysis: For Windows Autoruns, Processes, and Sysmon, an in-depth investigation of process behavior can be performed through a visual map.
Remediation: Remediation jobs can be triggered.
Remove: The artifact is removed from the grid when selected.
Edit: The artifact properties can be edited.
On the top part of the grid, the main analysis and search functions are available as detailed below:
Aggregate: The system provides two different aggregation analyses. In one type, the result is displayed as a pop-up. Through the pop-up, selected or all items can be added to classification rules and lists. The property is applied as a filter when clicked on the count values. Right-click actions are also available in the pop-up. In the second aggregation type, the results are displayed on a separate grid with full support of grid functionalities.
Dashboards: For the active artifact, dashboard views are accessed.
"…": Bulk actions for the active artifact are displayed through this menu. Classification rules or updated list rules can be triggered to view the most up-to-date artifact classification state.
Remediate: For all the displayed items in the grid, remediation jobs can be triggered.
Filter Management: The grid provides a detailed filtering function. A detailed filtering menu is opened on the right when the blue icon is clicked. After the filter is created, it can be saved by clicking the green icon on the top right part of the grid. An active filter can also be deleted. The saved filters can be selected from the "Select Filter" dropdown.
Export: The items on the grid can be exported from this part of the menu.
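The following is an added example, not code from the product or this documentation: a small Python model of the grid behaviour described above, so that the interaction between severity hit counts, aggregation, click-through filtering and the "trusted" and "acknowledge" actions can be seen in one place. The Artifact fields, the sample rows and the placeholder hashes are all constructed for the example and are not the product's data model or real indicators.

```python
"""Added example (not the product's own code): a minimal model of the artifact grid.
Field names, sample rows and hash values are constructed for illustration only."""
from collections import Counter
from dataclasses import dataclass

# Severity categories named on the dashboard.
SEVERITIES = ("Malicious", "Critical", "High Risk", "Unknown")


@dataclass
class Artifact:
    name: str            # constructed artifact name (e.g. an autorun image name)
    host: str            # constructed hostname
    sha256: str          # placeholder, not a real indicator
    severity: str        # one of SEVERITIES
    risk_score: int      # constructed score on a 0-100 scale
    malicious: bool = False
    trusted: bool = False
    acknowledged: bool = False


# Constructed sample grid rows; the same binary seen on several hosts is the
# case the aggregation view is meant to surface.
SAMPLE_GRID = [
    Artifact("svchost.exe", "WS-01", "sha256-placeholder-1", "High Risk", 70),
    Artifact("svchost.exe", "WS-02", "sha256-placeholder-1", "High Risk", 70),
    Artifact("updater.exe", "WS-01", "sha256-placeholder-2", "Malicious", 95, malicious=True),
    Artifact("helper.dll", "WS-03", "sha256-placeholder-3", "Unknown", 40),
    Artifact("helper.dll", "WS-04", "sha256-placeholder-3", "Critical", 85),
]


def visible(grid):
    """Rows shown in the grid: acknowledged artifacts are filtered out."""
    return [a for a in grid if not a.acknowledged]


def severity_hit_counts(grid):
    """Hit counts per severity, as shown at the top of the grid and on the dashboard."""
    counts = Counter(a.severity for a in visible(grid))
    return {s: counts.get(s, 0) for s in SEVERITIES}


def aggregate(grid, prop):
    """Aggregation analysis: group visible rows by one artifact property, with hit counts."""
    return dict(Counter(getattr(a, prop) for a in visible(grid)))


def apply_filter(grid, prop, value):
    """The filter applied when a count value in the aggregation pop-up is clicked."""
    return [a for a in visible(grid) if getattr(a, prop) == value]


def set_trusted(artifact):
    """'Actions -> trusted': the risk score becomes 0 and the malicious flag is cleared."""
    artifact.trusted = True
    artifact.malicious = False
    artifact.risk_score = 0
    return artifact


def flag_malicious(artifact):
    """'Actions -> malicious': the malicious flag is set; a trusted mark is dropped."""
    artifact.malicious = True
    artifact.trusted = False
    return artifact


def acknowledge(artifact):
    """'Acknowledge': the row is kept but no longer counted or displayed in the grid."""
    artifact.acknowledged = True
    return artifact


if __name__ == "__main__":
    print("hit counts:", severity_hit_counts(SAMPLE_GRID))
    print("by hash:", aggregate(SAMPLE_GRID, "sha256"))
    for row in apply_filter(SAMPLE_GRID, "sha256", "sha256-placeholder-3"):
        print("filtered:", row.name, row.host, row.severity)
```

Run as a script it prints the severity hit counts, the aggregation of the sample rows by hash, and the rows that a click on the "sha256-placeholder-3" count would filter to. Acknowledging a row changes the hit counts because counting and aggregation both run over visible rows only, which is why acknowledged artifacts disappear from the dashboard summary as well as from the grid.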
The Host Summary section displays a summary of the host analysis. This grid allows users to see the machine's health state with different types of scoring.
The Organization Threat Score Dashboard focuses on the organization's threat history with a summary of all threats. Users can compare their past situation with their current situation and thereby see the progress made and the effectiveness of the solution.
The GRC Summary dashboards are specifically designed for our GRC module. This dashboard shows which assessments are not applied correctly. With this visibility layer, users can see their assessments and which of them are applied correctly and which are not.
The Threat Intel dashboards are designed to visualize threat sources from a global perspective. Users can see the artifact details by clicking the red circles that represent the threat sources.
The EDR/DLP Assessment dashboards are designed to visualize EDR and DLP assessment coverage. Users can see the coverage percentage and the coverage details for their systems.
The Zero-Day/Critical Vulnerabilities dashboard is specifically designed for vulnerable applications and packages. Users can see detailed information about their application and package analysis in these dashboards.
The Internal Compliance dashboard is designed to give users a detailed visualization of their whole system. These dashboards specifically visualize accesses on the system, such as "Windows Network Access by Object Name", "Windows Network Access by Hostname", etc.