Friday, July 9, 2010

Reports and what you put in them

I don't know about you, but I sometimes have mixed emotions when it comes to reports. Most tend to fall into one of two buckets. Either they are a one-page "executive" type summary with colored eye-candy charts, or they are a ridiculous number of pages showing the gory details of every port, path, or transaction between end points, so far into the weeds that you can lose sight of the bigger picture. In either case the report would probably cause you to open your SIEM to investigate further, because a piece of the puzzle for the initial series of follow-up questions is probably missing. My top whatever is this, this, and that. Great - is that distributed, or focused on just one or a handful of machines?

So what can you do to make the report itself more standalone or actionable?

Part of that obviously depends on the generating engine, but here is a thought I had a couple of weeks ago. If you are already getting daily/weekly detailed reports that are pages and pages in length, what's another page or two on top? Armed with that thought and one of my detailed reports that runs up to 70 pages, I pulled up ArcSight's templates and used the one with 4 charts and a table. The idea was to put a summary of activity up top, which would allow readers to take that information and search within the document itself to find some of the initial answers, since all of the details were there. The summary charts depend on the nature of the report, but these have generated pretty good results:
  • Top X signatures/people/whatever reported by the silo
  • Top X sources generating events for this silo
  • Top X systems with multiple unique items being tracked from chart 1
  • Number of events by day over the last week/month/time period in order to show the overall ebb and flow of events through that silo
This really seems to work well. For example, the summary page would immediately show something like Bob having the most failed logins, and either the other charts or a search of the detailed report would show whether that was from one machine, a few, or lots - each scenario having its own significance. The other side benefit of this approach is that people who might get just the summary report anyway can now start to interact with the data themselves in a way that is easy and intuitive.

Being a glutton for punishment, I created a report template with 12 charts (4 per page) and one table (the fact that you can't use a filter type object on Trend queries in ArcSight REALLY sucks). The results were great. I could break down events by external to internal, internal to internal, and internal to external - again, each having its own significance.

For ArcSight users there is an additional benefit if you are using ESM 4.5 or later. Since the reports are run from queries, why not create query viewers from them and throw 'em into a dashboard? This way you have basically duplicated the report in a form that not only provides a similar feel for users but also allows you to create further drill-downs into the data.
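The four summary views listed above, computed over a few constructed events, as an added example (not code from the original post and not ArcSight's own query language). The event field layout, the host names, and the `summarize` and `spread` helpers are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events: (day, signature, user, source host). Not real data.
EVENTS = [
    ("2010-07-05", "failed login", "bob", "ws-01"),
    ("2010-07-05", "failed login", "bob", "ws-02"),
    ("2010-07-06", "failed login", "bob", "ws-03"),
    ("2010-07-06", "failed login", "alice", "ws-01"),
    ("2010-07-06", "port scan", "-", "ws-01"),
    ("2010-07-07", "port scan", "-", "ws-04"),
    ("2010-07-07", "malware detected", "carol", "ws-04"),
    ("2010-07-07", "failed login", "bob", "ws-01"),
]


def summarize(events, top_x=2):
    """Build the four summary views for one silo from a flat event list."""
    by_sig = Counter(sig for _, sig, _, _ in events)
    by_src = Counter(src for _, _, _, src in events)
    top_sigs = by_sig.most_common(top_x)                # chart 1
    tracked = {sig for sig, _ in top_sigs}
    # Chart 3: systems that triggered more than one distinct chart-1 item.
    seen = defaultdict(set)
    for _, sig, _, src in events:
        if sig in tracked:
            seen[src].add(sig)
    multi = {src: sorted(s) for src, s in seen.items() if len(s) > 1}
    by_day = sorted(Counter(day for day, _, _, _ in events).items())  # chart 4
    return {
        "top_signatures": top_sigs,
        "top_sources": by_src.most_common(top_x),       # chart 2
        "multi_item_systems": multi,
        "events_by_day": by_day,
    }


def spread(events, signature, user):
    """Follow-up question: did this user's events come from one host or many?"""
    return dict(Counter(src for _, sig, u, src in events
                        if sig == signature and u == user))


if __name__ == "__main__":
    for name, view in summarize(EVENTS).items():
        print(name, view)
    print("bob failed logins by host:", spread(EVENTS, "failed login", "bob"))
```

In this sample, the summary puts failed logins on top, and the follow-up lookup shows Bob's failures spread across three hosts rather than one, which is the distinction the summary page is meant to surface.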

Anyone else doing similar or something different with reports that gives you good results?
