16.3 Analyzing Alert Dashboards

In the Change Guardian Main interface, alert dashboards allow you to analyze and study common patterns in alerts, such as:

  • Types of alerts

  • Average time owners take to close alerts

  • The correlation rule generating the maximum number of alerts

  • Geographical origin of high-severity alerts

  • Oldest open alerts

  • Alerts that took the longest time to close

You can create custom charts and tables for analysis. You can filter and refine the data further as you select certain areas in the charts and use the query and filter options.

For example, you are a Security Operations Center manager in a multi-tenant environment, and you want to analyze and investigate alerts in detail and also understand how your team is handling the alerts. You can perform the following analysis in the alert dashboard:

  • Investigate Alerts: You can view the alerts generated over time, the number of open alerts versus closed alerts, the top correlation rules generating the most alerts, the oldest open alerts, any spikes in alerts within a specific time range, and so on.

  • Monitor team performance:

    • The type of alerts the team has been working on

    • How the alert load is distributed among top owners

    • Time taken to close alerts of specific priorities

    • The team member owning the most alerts

    • The team members who took the longest to investigate alerts

  • Monitor performance against tenant service-level agreement (SLA): You can view alerts from various tenants, identify the tenant generating the most alerts, compare the time taken to investigate or close alerts for a specific tenant against other tenants, and so on.

The Alert dashboard provides a customizable, easy-to-configure interface that helps you view and investigate alerts in detail.

To create or view alerts in the dashboard, you must either be an administrator or have the permission to manage alerts. Depending on the alert permissions and the tenant you belong to, Change Guardian displays the relevant alerts in the dashboard.

16.3.1 Creating the Alert Dashboard

To create the alert dashboard:

  1. In the Change Guardian Main interface, click Dashboards > Alert, and then click the Create alert dashboard icon.

    The Alert dashboard view opens in a new window. For information about analyzing alerts, see Analyzing Alerts.

  2. (Optional) Customize the default dashboard to suit your requirements. For more information about customizing the alert dashboard, see Customizing the Alert Dashboard.

  3. Click the Save icon to save the customized dashboard.

16.3.2 Analyzing Alerts

The Alert dashboard provides some pre-configured panels that provide information about alerts such as the following:

  • Overview: Displays a time series chart that shows alerts generated in Change Guardian over time. You can inspect the time series chart for spikes, which can indicate an increase in attacks in your organization. Drag to select the time period when the spike occurred to zoom into those alerts; as you select a specific time range, Change Guardian filters the dashboard to the alerts in that range. You can also find out the geographical locations from which the alerts originated.

    To view geographical locations from where the alerts originated, ensure that the IpToCountry.csv file is populated by using the IP2Location Feed plug-in.

  • Alert Load: Provides information about the alerts at a granular level such as the following:

    • Topmost alerts in your enterprise

    • Alert distribution among top alert owners

    • Total number of alerts in individual alert states

    • Number of alerts received from each tenant

    • Total number of alerts based on priority

  • Performance rows: Provides statistical information about how efficiently alerts are investigated and closed based on priority, correlation rule, alert owners, and tenants.

  • Details: Provides detailed alert information such as the oldest open alerts, the number of times duplicate alerts were rolled up, and all alert fields.

The alert dashboard displays all alerts in your local Change Guardian server. To view alerts from other Change Guardian servers, you need to view the alerts in the Alert Views. The alert dashboard displays only distinct alerts. Duplicate alerts are rolled up to a single distinct alert.
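The following added example (not part of the Change Guardian product or its documentation) shows the kind of computation behind the Alert Load, Performance and Details panels described above: rolling duplicate alerts up into distinct alerts, mean time to close by priority, owner or tenant, and the oldest open alerts. The alert records and their field names are constructed for illustration and are not Change Guardian's schema.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample alerts; field names are assumptions, not the product's schema.
ALERTS = [
    {"id": "A1", "rule": "Privileged file change", "tenant": "TenantA", "owner": "alice",
     "priority": "high", "host": "srv01", "created": "2024-05-01T08:00:00", "closed": "2024-05-01T10:00:00"},
    {"id": "A2", "rule": "Privileged file change", "tenant": "TenantA", "owner": "alice",
     "priority": "high", "host": "srv01", "created": "2024-05-01T08:05:00", "closed": None},  # duplicate of A1
    {"id": "A3", "rule": "Group membership change", "tenant": "TenantB", "owner": "bob",
     "priority": "medium", "host": "dc01", "created": "2024-05-01T09:00:00", "closed": "2024-05-02T09:00:00"},
    {"id": "A4", "rule": "Privileged file change", "tenant": "TenantB", "owner": "bob",
     "priority": "high", "host": "srv02", "created": "2024-04-28T12:00:00", "closed": None},
    {"id": "A5", "rule": "Group membership change", "tenant": "TenantA", "owner": "carol",
     "priority": "medium", "host": "dc02", "created": "2024-05-01T11:00:00", "closed": "2024-05-01T13:00:00"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def rollup(alerts):
    """Collapse duplicates (same rule, tenant and host) into one distinct alert,
    keeping the earliest occurrence and counting how many times it was rolled up."""
    distinct = {}
    for a in sorted(alerts, key=lambda a: a["created"]):
        key = (a["rule"], a["tenant"], a["host"])
        if key in distinct:
            distinct[key]["rollup_count"] += 1
        else:
            distinct[key] = dict(a, rollup_count=0)
    return list(distinct.values())

def mean_close_hours(alerts, field):
    """Mean time to close, in hours, grouped by a field such as priority, owner or tenant.
    Open alerts have no close time yet and are left out of the average."""
    buckets = defaultdict(list)
    for a in alerts:
        if a["closed"]:
            hours = (_ts(a["closed"]) - _ts(a["created"])).total_seconds() / 3600
            buckets[a[field]].append(hours)
    return {k: round(mean(v), 2) for k, v in buckets.items()}

def oldest_open(alerts, now):
    """(id, age in whole days) for every open alert, oldest first."""
    open_alerts = sorted((a for a in alerts if not a["closed"]), key=lambda a: a["created"])
    return [(a["id"], (_ts(now) - _ts(a["created"])).days) for a in open_alerts]
```

Running `oldest_open` on the raw list rather than on `rollup(ALERTS)` shows why the dashboard counts distinct alerts only: the duplicate A2 would otherwise appear as a second open alert.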

To view the alert dashboard:

  1. In the Change Guardian Main interface, click Dashboards > Alert.

  2. Select the desired alert dashboard and click the Open alert dashboard icon.

  3. As you visualize and monitor alerts, you can perform the following activities in the alert dashboard:

    • Mouse over specific areas in the charts to view more information.

    • Select areas in a chart to filter the alert data. As you select a specific area in the chart, Change Guardian filters the alerts in the rest of the charts and tables in the dashboard. Click Filtering to remove the applied filters and return to the unfiltered view.

  4. (Optional) You can customize the default view and save the dashboard. For information about customizing the dashboard, see Customizing the Alert Dashboard.

  5. (Conditional) To perform various operations on alerts such as closing an alert, assigning alerts to a user, and so on, see Viewing and Triaging Alerts.

16.3.3 Customizing the Alert Dashboard

Change Guardian leverages Kibana, a browser-based analytics and search dashboard, which helps you visualize and analyze data. The dashboard is divided into rows and panels. You can create rows and add panels as required to display various charts. You can drag and drop the rows or panels to arrange them on the dashboard. You can also configure the size, style, and type of panels for a row. For more information, see rows and panels in the Kibana documentation. As you visualize and monitor alerts, you can customize the alert dashboard as follows:

  • Apply multiple filters to refine the alert data using the Query and Filter options. For more information about queries and filters, see queries and filters in the Kibana documentation.

  • Customize the rows and panels according to your requirements, for example, by dragging and dropping the panels to arrange them on the dashboard. Click Configure Dashboard > Rows tab to arrange, create, or remove rows in the dashboard. For example, if you view tenant-specific information frequently, move the tenant performance row to the top; if you do not want to view the detailed tables, remove the Details row.

  • Click the configure option in the panels to customize the size and style of panels.

  • Add markers in the time series panel to display additional information such as owners, severity, and so on.