7.2 Introduction to the User Interface

The Analysis tab provides the Create Reports and Offline Queries options.

You can navigate to these functions from:

Table 7-1 Analysis Tab - User Interface

  • The Analysis menu in the Menu Bar

  • The Navigation Tree in the Navigation Pane

  • The Toolbar Buttons

7.2.1 Top Ten Reports

The following are the Top 10 reports which are available in Sentinel 6:

  • Top 10 Correlation Rules Triggered

  • Top 10 Destination Host Names

  • Top 10 Destination IP Addresses

  • Top 10 Destination Port Numbers

  • Top 10 Destination User Names

  • Top 10 Destination Event Names

  • Top 10 Source Host Names

  • Top 10 Source IP Addresses

  • Top 10 Source to Destination IP Pairs

  • Top 10 Source User Names

  • Top 10 Virus Names

  • Event Count by Top 10 Assets

  • Event Count by Top 10 Departments

  • Event Count by Top 10 Taxonomy Level 3

  • Incidents by Top 10 Assets

  • Incidents by Top 10 Users

The Top 10 reports are enabled by default, and the following summaries are turned on to enable the Top 10 reports:

  • EventDestSummary

  • EventSevSummary

  • EventSrcSummary

If Top 10 reports are not needed, you can disable these summaries, or you can enable additional summaries in order to use them for reporting. If the summary service is not in use, you can disable it.

To enable/disable Aggregation:

  1. In Sentinel Control Center, go to Admin > Server Views.

  2. Right-click DAS Aggregation and select Start/Stop to enable/disable Aggregation.

To enable/disable summaries:

  1. In Sentinel Control Center, go to Admin > Report Data Configuration.

  2. Highlight the Summary to enable/disable and click the status (Active/Inactive) of that summary.

  3. Select Yes to confirm that you want to change the status of the summary.

To enable or disable EventFileRedirectService:

  1. On your DAS machine, open the following file in a text editor:

    For UNIX: $ESEC_HOME/config/das_binary.xml

    For Windows: %ESEC_HOME%\config\das_binary.xml

  2. For EventFileRedirectService, change the status to on or off, as appropriate. For example:

    <property name="status">off</property>

  3. Log into the Sentinel Control Center as the Sentinel Administrator.

  4. Go to Admin > Servers View.

  5. Right-click DAS_Binary and select Restart.
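As an added example (not Sentinel's own tooling), the following Python script reads the status of EventFileRedirectService in das_binary.xml and sets it to on or off, rejecting any other value so a typo cannot leave the service in an undefined state. The manual only shows the property line; the enclosing obj-component element and its id attribute are assumptions about the file's layout, and the sample document is constructed.

```python
"""Read or set the EventFileRedirectService status in a Sentinel das_binary.xml.

Added example, not Novell/Sentinel's own code. The obj-component container
element and its id attribute are assumed; only <property name="status">
comes from the manual.
"""
import xml.etree.ElementTree as ET

SERVICE_ID = "EventFileRedirectService"

# Constructed sample standing in for $ESEC_HOME/config/das_binary.xml.
SAMPLE_DAS_BINARY_XML = """<?xml version="1.0"?>
<configuration>
  <obj-component id="SomeOtherService">
    <property name="status">on</property>
  </obj-component>
  <obj-component id="EventFileRedirectService">
    <property name="status">off</property>
    <property name="otherSetting">1</property>
  </obj-component>
</configuration>
"""


def find_status_property(root, service_id=SERVICE_ID):
    """Return the <property name="status"> element under the component whose id matches."""
    for component in root.iter():
        if component.get("id") != service_id:
            continue
        for prop in component.iter("property"):
            if prop.get("name") == "status":
                return prop
    return None


def get_status(xml_text, service_id=SERVICE_ID):
    """Return the current status text ('on'/'off'), or None if the service is absent."""
    prop = find_status_property(ET.fromstring(xml_text), service_id)
    return None if prop is None else (prop.text or "").strip()


def set_status(xml_text, new_status, service_id=SERVICE_ID):
    """Return the XML with the service status changed; refuse invalid input."""
    if new_status not in ("on", "off"):
        raise ValueError("status must be 'on' or 'off'")
    root = ET.fromstring(xml_text)
    prop = find_status_property(root, service_id)
    if prop is None:
        raise ValueError(f"no status property found for {service_id}")
    prop.text = new_status
    return ET.tostring(root, encoding="unicode")
```

To apply this to the real file, parse it with ET.parse, update the element the same way, and write it back with xml_declaration=True before restarting DAS_Binary as described in the steps above.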

7.2.2 Running a Report from Crystal Reports Server

To run a report:

  1. Click the Analysis tab.

  2. In the Analysis Navigator, click a report from the available reports.

    NOTE: To run any Top 10 reports, aggregation must be enabled and EventFileRedirectService in DAS_Binary.xml must be set to on. For information on how to enable aggregation, see Section 11.10, Report Data Configuration.

  3. Click Analysis > Create Report or click Create Report.

  4. Complete the information prompts and click OK. The report displays.

7.2.3 Running an Event Query Report

To create an Event Query report:

  1. Click the Analysis tab.

  2. In the Analysis Navigator, open the Historical Events folder.

  3. Click Historical Event Queries.

  4. Click Analysis > Create Report or click the Create Report icon. An Event Query window displays.

  5. Set the following:

    • time frame

    • filter

    • severity level

    • batch size (the number of events to view; events display from oldest to newest)

  6. Click Begin Searching.

  7. To view the next batch of events, click the More results icon.

  8. Rearrange the columns by dragging and dropping them, and set the sort order by clicking a column heading.

  9. When your query is complete, it is added to the list of quick queries in the Navigator.