Kaspersky Unified Monitoring and Analysis Platform

Dashboard

In the Dashboard section, you can monitor the security status of your organization's network.

The dashboard is a set of widgets that display network security data analytics. You can view data only for those tenants to which you have access.

A selection of widgets used in the dashboard is called a layout. You can create layouts manually or use predefined layouts. You can edit widget settings in predefined layouts as necessary. By default, the dashboard displays the Alerts Overview predefined layout.

Only users with the Main administrator, Tenant administrator, Tier 2 analyst, and Tier 1 analyst roles can create, edit, or delete layouts. User accounts with all roles can view layouts and set default layouts. If a layout is set as default, that layout is displayed for the account every time the user navigates to the Dashboard section. The selected default layout is saved for the current user account.

The information on the dashboard is updated in accordance with the schedule configured in layout settings. If necessary, you can force the update of the data.

For convenient presentation of information on the dashboard, you can enable TV mode. This mode lets you view the dashboard in full-screen mode in FullHD resolution. In TV mode, you can also configure a slide show display for the selected layouts.

In this section

Creating a dashboard layout

Selecting a dashboard layout

Selecting a dashboard layout as the default

Editing a dashboard layout

Deleting a dashboard layout

Enabling and disabling TV mode

Predefined dashboard layouts

Page top
[Topic 217827]

Creating a dashboard layout


To create a layout:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Open the drop-down list in the top right corner of the Dashboard window and select Create layout.

    The New layout window opens.

  3. In the Tenants drop-down list, select the tenants that will own the created layout and whose data will be used to fill the widgets of the layout.

    The selection of tenants in this drop-down list does not matter if you want to create a universal layout (see below).

  4. In the Time period drop-down list, select the time period from which you want to get analytics:
    • If you want to specify an exact date, in the calendar on the left, select the start and end date of the period and click Apply.

      You can select a date up to and including the current date. The date and time format depends on your browser settings. If the Date from or Date to field has a value and you have not edited the time value manually, when you select a date in the calendar, the Date from field is automatically populated with 00:00:00.000, and the Date to field with 23:59:59.999. If you have manually deleted the value in the Date from or Date to field, when you select a date in the calendar, the field is automatically populated with the current time. After you select a value in one of the fields, the focus switches to the other field. If your Date to is earlier than your Date from, this earlier value is automatically inserted into the Date from field.

    • If you want to specify a relative period, select one of the available periods in the Relative period list on the right.

      The period is calculated relative to the current time.

    • If you want to specify a custom period, edit the value of the Date from and Date to fields.

      You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a period relative to the current time as a formula. You can also combine these methods if necessary. If you do not specify milliseconds when entering the exact date, 000 is substituted automatically. If you have edited the time in the Date from or Date to fields, picking a date in the calendar does not change the time component.

      In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: + (only in the Date to field), -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second). For example, you can specify the period now-5d to get data for the last five days, or now/w to get data from the beginning of the first day of the current week (00:00:00.000 UTC) to the current time (now).

      The Date from field is required, and its value cannot exceed the value of the Date to field, and also cannot be earlier than 1970-01-01 (if specifying an exact date or a relative period). The Date to cannot be earlier than the Date from. If you do not specify a value in the Date to field, now is specified automatically.

    By default, the 1 day (now-1d) relative period is selected. The bounds of the period are inclusive: for example, for the Today time range, events are displayed from the beginning (00:00:00.000 UTC) of the current day to the current time (now) inclusive, and for the Yesterday period, events are displayed from the beginning (00:00:00.000 UTC) of the previous day to 00:00:00.000 UTC of the current day.

    KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the data display period, data will be displayed for the period from 03:00:00.000 until now, not from 00:00:00.000 until now.

    If you want to take your time zone into account when selecting a relative data display period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the Date from and Date to fields (if a value other than now is specified) by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want to display data for Yesterday, you need to change Date from to now-1d/d-3h and Date to to now/d-3h. If you want to display data for the Today period, you only need to change the value in the Date from field to now/d-3h.

    If you need results up to 23:59:59:999 UTC of yesterday, you can use an SQL query with a filter by Timestamp or specify an exact date and time.

  5. In the Refresh every drop-down list, select how often data should be updated in layout widgets:
    • never — never refresh data in widgets of the layout
    • 1 minute
    • 5 minutes
    • 15 minutes
    • 1 hour (default)
    • 3 hours
    • 6 hours
    • 12 hours
    • 24 hours
  6. In the Add widget drop-down list, select the required widget and configure its settings. You can add multiple widgets. You can drag widgets around the window and resize them using the diagonal button that appears when you hover over a widget.

    The following limitations apply to widgets with the Pie chart, Bar chart, Line chart, Counter, and Date Histogram chart types:

    • In SELECT queries, you can use extended event schema fields of String, Number, and Float types.
    • In WHERE queries, you can use all types of extended event schema fields (String, Number, Float, Array of strings, Array of numbers, and Array of floats).

    For widgets with the Table chart type, in SELECT queries, you can use all types of extended event schema fields (String, Number, Float, Array of strings, Array of numbers, and Array of floats).

    You can do the following with widgets:

    • Add widgets.

      To add a widget:

      1. Click the Add widget drop-down list and select the required widget.

        The window with widget parameters opens. You can check how the widget will look by clicking the Preview button.

      2. Configure the widget parameters and click the Add button.
    • Edit widgets.

      To edit a widget:

      1. Hover over the required widget and click the gear icon that appears.
      2. In the drop-down list, select Edit.

        The window with widget parameters opens. You can check how the widget will look by clicking the Preview button.

      3. Update the widget parameters and click the Save button.

    You can edit and delete a widget added to the layout by hovering over the widget, clicking the gear icon that appears, and then selecting Edit or Delete.

  7. In the Layout name field, enter a unique name for this layout. The name must contain 1 to 128 Unicode characters.
  8. If necessary, click the gear icon on the right of the layout name field and select the check boxes next to the additional layout settings:
    • Universal—if you select this check box, layout widgets display data from tenants that you select in the Selected tenants section in the menu on the left. This means that the data in the layout widgets will change based on your selected tenants without having to edit the layout settings. For universal layouts, tenants selected in the Tenants drop-down list are not taken into account.

      If this check box is cleared, layout widgets display data from the tenants that are selected in the Tenants drop-down list in the layout settings. If any of the tenants selected in the layout are not available to you, their data will not be displayed in the layout widgets.

      You cannot use the Active lists and context tables widget in universal layouts.

      Universal layouts can only be created and edited by General administrators. Such layouts can be viewed by all users.

    • Show CII-related data—if you select this check box, layout widgets will also show data on assets, alerts, and incidents related to critical information infrastructure (CII). In this case, these layouts will be available for viewing only by users whose settings have the Access to CII facilities check box selected.

      If this check box is cleared, layout widgets will not display data on CII-related assets, alerts, and incidents, even if the user has access to CII objects.

  9. Click Save.

The new layout is created and is displayed in the Dashboard section of the KUMA web interface.
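The relative-period formula language described in step 4 is small enough to implement, and doing so makes the UTC behaviour of Today, Yesterday and the time-zone correction concrete. The following Python evaluator is an added example written for this page, not KUMA code. It assumes the grammar stated in the text (now, followed by shifts such as -1d and roundings such as /d, with the units y M w d h m s), takes rounding to mean the start of the unit, as the text's own examples now/w and now/d do, assumes weeks start on Monday, and interprets an exact date entered in the English-localization format as UTC. SAMPLE_NOW is a constructed value used for the demonstration.

```python
"""Evaluator for the relative-period formulas described above (added example,
not KUMA code).  Grammar assumed from the text: "now" followed by shifts
(+<n><unit>, -<n><unit>) and roundings (/<unit>), units y M w d h m s.
Rounding resolves to the start of the unit; weeks are assumed to start on
Monday.  All arithmetic is in UTC, because KUMA stores time in UTC and only the
browser display is shifted, which is the pitfall the text describes."""
import calendar
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)                # lower bound named in the text
SAMPLE_NOW = datetime(2024, 3, 10, 10, 30, tzinfo=UTC)  # constructed "now" (a Sunday)
# One operation: "/<unit>" (rounding, no count) or "+/-<count><unit>" (shift).
_TOKEN = re.compile(r"/([yMwdhms])|([+-])(\d+)([yMwdhms])")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}

def _add_months(t, n):
    """Shift by whole months (a year is 12 months), clamping the day of month."""
    year, month0 = divmod(t.year * 12 + t.month - 1 + n, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))

def _shift(t, n, unit):
    if unit in ("M", "y"):
        return _add_months(t, n if unit == "M" else 12 * n)
    return t + timedelta(seconds=n * _SECONDS[unit])

def _truncate(t, unit):
    """Round down to the start of the unit."""
    if unit in "smh":
        keep = {"s": {}, "m": {"second": 0}, "h": {"minute": 0, "second": 0}}[unit]
        return t.replace(microsecond=0, **keep)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":
        return day - timedelta(days=day.weekday())   # Monday = start of week (assumption)
    if unit == "M":
        return day.replace(day=1)
    return day if unit == "d" else day.replace(month=1, day=1)

def evaluate(expr, now, field="to"):
    """Resolve a formula against an aware UTC `now`.  `field` is "from" or "to":
    the text allows '+' only in the Date to field."""
    expr = expr.strip()
    if not expr.startswith("now"):
        raise ValueError(f"relative formula must start with 'now': {expr!r}")
    t, pos = now, 3
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse {expr[pos:]!r} in {expr!r}")
        round_unit, op, count, unit = m.groups()
        if round_unit:
            t = _truncate(t, round_unit)
        elif op == "+" and field == "from":
            raise ValueError("'+' is only allowed in the Date to field")
        else:
            t = _shift(t, int(count) if op == "+" else -int(count), unit)
        pos = m.end()
    return t

def parse_bound(value, now, field):
    """A formula or an exact date in the English-localization format
    YYYY-MM-DD HH:mm:ss[.SSS]; missing milliseconds become 000.  Exact dates
    are taken as UTC here (assumption).  An empty Date to defaults to now."""
    value = (value or "").strip()
    if not value:
        if field == "from":
            raise ValueError("Date from is required")
        return now
    if value.startswith("now"):
        return evaluate(value, now, field)
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=UTC)
        except ValueError:
            pass
    raise ValueError(f"not a formula or an exact date: {value!r}")

def resolve_period(date_from, date_to, now):
    """Apply the checks the text lists and return (start, end) as UTC datetimes."""
    start, end = parse_bound(date_from, now, "from"), parse_bound(date_to, now, "to")
    if start < EPOCH:
        raise ValueError("Date from cannot be earlier than 1970-01-01")
    if end < start:
        raise ValueError("Date to cannot be earlier than Date from")
    return start, end

def validation_error(date_from, date_to, now):
    """Message of the first failing check, or None when the period is valid."""
    try:
        resolve_period(date_from, date_to, now)
    except ValueError as err:
        return str(err)
    return None

def to_browser_zone(t, offset_hours):
    """Show a UTC instant as a browser in UTC+offset_hours would display it."""
    return t.astimezone(timezone(timedelta(hours=offset_hours))).isoformat()
```

Running evaluate("now/d", SAMPLE_NOW) and rendering it with to_browser_zone(..., 3) gives 2024-03-10T03:00:00+03:00, which is the 03:00 start the text warns about for a UTC+3 browser; the corrected Date from value now/d-3h renders as 2024-03-10T00:00:00+03:00, and now-1d/d-3h renders as 2024-03-09T00:00:00+03:00, the local start of Yesterday.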


Selecting a dashboard layout

To select a dashboard layout:

  1. Expand the list in the upper right corner of the Dashboard window.
  2. Select the relevant layout.

The selected layout is displayed in the Dashboard section of the KUMA web interface.


Selecting a dashboard layout as the default

To set a dashboard layout as the default:

  1. In the KUMA web interface, select the Dashboard section.
  2. Expand the list in the upper right corner of the Dashboard window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the star icon.

The selected layout is displayed on the dashboard by default.


Editing a dashboard layout

To edit a dashboard layout:

  1. In the KUMA web interface, select the Dashboard section.
  2. Expand the list in the upper right corner of the window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the icon.

    The Customizing layout window opens.

  5. Make the necessary changes. The settings that are available for editing are the same as the settings available when creating a layout.
  6. Click the Save button.

The dashboard layout is edited and displayed in the Dashboard section of the KUMA web interface.

If the layout is deleted or assigned to a different tenant while you are making changes to it, an error is displayed when you click Save. The layout is not saved. Refresh the KUMA web interface page to see the list of available layouts in the drop-down list.


Deleting a dashboard layout

To delete a layout:

  1. In the KUMA web interface, select the Dashboard section.
  2. Expand the list in the upper right corner of the window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the icon and confirm this action.

The layout is deleted.


Enabling and disabling TV mode

It is recommended to create a separate user with the minimum required set of rights to display analytics in TV mode.

To enable TV mode:

  1. In the KUMA web interface, select the Dashboard section.
  2. Click the gear button in the upper-right corner.

    The Settings window opens.

  3. Move the TV mode toggle switch to the Enabled position.
  4. To configure the slideshow display of the layouts, do the following:
    1. Move the Slideshow toggle switch to the Enabled position.
    2. In the Timeout field, indicate how many seconds to wait before switching layouts.
    3. In the Queue drop-down list, select the layouts to view. If no layout is selected, the slideshow mode displays all layouts available to the user one after another.
    4. If necessary, change the order in which the layouts are displayed by using the drag icon to drag and drop them.
  5. Click the Save button.

TV mode will be enabled. To return to working with the KUMA web interface, disable TV mode.

To disable TV mode:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Click the gear button in the upper-right corner.

    The Settings window opens.

  3. Move the TV mode toggle switch to the Disabled position.
  4. Click the Save button.

TV mode will be disabled. The left part of the screen shows a pane containing sections of the KUMA web interface.

When you make changes to the layouts selected for the slideshow, those changes will automatically be applied to the active slideshow sessions.


Predefined dashboard layouts

KUMA comes with a set of predefined layouts. The default refresh period for predefined layouts is Never. You can edit these layouts as needed.

Predefined layouts (each layout name is followed by the description of the widgets in the layout)

Alerts Overview

  • Active alerts—number of alerts that have not been closed.
  • Unassigned alerts—number of alerts that have the New status.
  • Latest alerts—table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
  • Alerts distribution—number of alerts created during the period configured for the widget.
  • Alerts by severity—number of unclosed alerts grouped by their severity.
  • Alerts by assignee—number of alerts with the Assigned status. The grouping is by account name.
  • Alerts by status—number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status.
  • Affected users in alerts—number of users associated with alerts that have the New, Assigned, or Escalated status. The grouping is by account name.
  • Affected assets—table with information about the level of importance of assets and the number of unclosed alerts they are associated with.
  • Affected assets categories—categories of assets associated with unclosed alerts.
  • Top event source by alerts number—number of alerts with the New, Assigned, or Escalated status, grouped by alert source (DeviceProduct event field). The widget displays up to 10 event sources.
  • Alerts by rule—number of alerts with the New, Assigned, or Escalated status, grouped by correlation rules.

Incidents Overview

  • Active incidents—number of incidents that have not been closed.
  • Unassigned incidents—number of incidents that have the Opened status.
  • Latest incidents—table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
  • Incidents distribution—number of incidents created during the period configured for the widget.
  • Incidents by severity—number of unclosed incidents grouped by their severity.
  • Incidents by assignee—number of incidents with the Assigned status. The grouping is by user account name.
  • Incidents by status—number of incidents grouped by their status.
  • Affected assets in incidents—number of assets associated with unclosed incidents.
  • Affected users in incidents—users associated with incidents.
  • Affected asset categories in incidents—categories of assets associated with unclosed incidents.
  • Active incidents by tenant—number of incidents of all statuses, grouped by tenant.

Network Overview

  • Netflow top internal IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by internal IP addresses of assets. The widget displays up to 10 IP addresses.
  • Netflow top external IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by external IP addresses of assets.
  • Netflow top hosts for remote control—number of events associated with access attempts to one of the following ports: 3389, 22, 135. The data is grouped by asset name.
  • Netflow total bytes by internal ports—number of bytes sent to internal ports of assets. The data is grouped by port number.
  • Top Log Sources by Events count—top 10 sources from which the greatest number of events was received.

[OOTB] KATA & EDR

  • KATA. Top-10 detections by type — visualizes the 10 most common types of events detected by the KATA system.
  • KATA. Top-10 detections by file type — visualizes the 10 most common file types detected by the KATA system.
  • KATA. Top-10 user names in detections — visualizes the 10 most common user names detected by the KATA system.
  • KATA. Top-10 IDS detections — visualizes the 10 most common threats detected by the IDS module of the KATA system.
  • KATA. Top-10 URL detections — visualizes the 10 most common suspicious URLs detected by the KATA system.
  • KATA. Top-10 AV detections — visualizes the 10 most common threats detected by the KATA anti-virus module.
  • EDR. Top-10 MITRE technique detections — visualizes the 10 most common MITRE ATT&CK matrix techniques detected by the EDR system.
  • EDR. Top-10 MITRE tactic detections — visualizes the 10 most common MITRE ATT&CK matrix tactics detected by the EDR system.

[OOTB] KSC

  • KSC. Top-10 users with the most KAV alerts — visualizes the 10 most common user names present in events related to the detection of malicious software, information about which is contained in the KSC system.
  • KSC. Top-10 most common threats — visualizes the 10 most common types of malware, information about which is contained in the KSC system.
  • KSC. Number of devices that received AV database updates — visualizes the number of devices on which anti-virus database updates have been installed, information about which is contained in the KSC system.
  • KSC. Number of devices on which the virus was found — visualizes the number of devices on which malware was detected, information about which is contained in the KSC system.
  • KSC. Malware detections by hour — visualizes the distribution of the number of malware per hour, information about which is contained in the KSC system.

[OOTB] KSMG

  • KSMG. Top-10 senders of blocked emails — visualizes the 10 most common senders of email messages blocked by the KSMG system.
  • KSMG. Top-10 events by action — visualizes the 10 most common actions performed by the KSMG system.
  • KSMG. Top-10 events by outcome — visualizes the 10 most common results of actions performed by the KSMG system.
  • KSMG. Blocked emails by hour — visualizes the distribution of the number of email messages blocked by the KSMG system, by hour.


[OOTB] KWTS

  • KWTS. Top-10 IP addresses with the most blocked web traffic — visualizes the 10 most common IP addresses from which traffic blocked by the KWTS system originated.
  • KWTS. Top-10 IP addresses with the most allowed web traffic — visualizes the 10 most common IP addresses from which traffic allowed by the KWTS system originated.
  • KWTS. Top 10 requests by client application — visualizes the 10 most common applications used to gain access to network resources, as detected by the KWTS system.
  • KWTS. Top-10 blocked URLs — visualizes the 10 most common URLs from which traffic was blocked by the KWTS system.
  • KWTS. System action types — visualizes the 10 most common actions performed by the KWTS system.
  • KWTS. Top-10 users with the most allowed web traffic — visualizes the 10 most common user names of users whose traffic was allowed by the KWTS system.

[OOTB] KSMG files and hashes*

  • KSMG. Top-5 blocked hashes — visualizes the 5 most common file hashes in email messages blocked by the KSMG system.
  • KSMG. Top-5 net-transferred hashes — visualizes the 5 most common "clean" file hashes in email messages tracked by the KSMG system.
  • KSMG. Top-5 clean file names — visualizes the 5 most common "clean" file names in email messages tracked by the KSMG system.
  • KSMG. Top-5 blocked files — visualizes the 5 most common file names in email messages blocked by the KSMG system.

[OOTB] KSMG rules and URLs*

  • KSMG. Top-5 rules — visualizes the 5 most common triggered rules of the KSMG system.
  • KSMG. Top-5 URLs — visualizes the 5 most common domains from links in email messages tracked by the KSMG system.

[OOTB] KSMG results*

  • KSMG. All results in the last 24 hours — visualizes the hour-by-hour distribution of actions performed by the KSMG system during the last 24-hour period.
  • KSMG. Top-5 results — visualizes the 5 most common actions performed by the KSMG system.

[OOTB] KSMG e-mail subjects and accounts*

  • KSMG. Top-5 e-mail subjects — visualizes the 5 most common subjects of email messages tracked by the KSMG system.
  • KSMG. Top-5 source accounts — visualizes the 5 most common sender accounts of email messages tracked by the KSMG system.
  • KSMG. Top-5 destination accounts — visualizes the 5 most common recipient accounts of email messages tracked by the KSMG system.

*Dashboards are available starting from KUMA 3.4.1. Widgets will correctly display information when using the "[OOTB] KSMG 2.1+ syslog CEF" normalizer.
