Grafana user manual

1. Main Dashboard

The Main Dashboard is the primary view and provides an overview of the security status of the two companies involved. The sections and functionalities available in this dashboard are detailed below.


  • Photographs of the Companies Involved:

At the top of the Dashboard, you will find two representative photographs of the companies involved. These images help to visually identify the organizations and provide a quick reference while working on the Dashboard.


  • Attack statistics:

In this section, two important security metrics are shown: "Number of Attacks Stopped by the SOC (STOPPED ATTACKS)" and "Number of Attacks Received (RECIVED ATTACKS)". These figures reflect the level of attack activity and give a real-time overview of the security status.


  • SLA (Service Level Agreement):

The SLA shows compliance with the service level agreement established for security. It provides a quantitative measure of how well security incidents are being addressed in relation to the established objectives.


  • Redirection to Other Dashboards:

At the bottom of the Main Dashboard, you will find links to four other key Dashboards that provide additional detailed information on different aspects of security. Click on the images to open them. These Dashboards are:

  1. Phishing: The Phishing Dashboard contains information related to Office365: which kinds of phishing are seen, their criticality, who receives the most phishing, and which messages were blocked or sent to spam versus delivered.
  2. Cases: The Cases Dashboard shows, updated in real time, how the most critical alerts your company receives from Apollo Analytics are being managed, together with the history of the latest cases that have been personally analysed. You can filter by case ID to see the details.
  3. Alerts: A more detailed view of the generated security alerts. This is one of the most relevant views, since it visually reconstructs the complete work of the Apollo Analytics software. Many filter parameters are available to show what is happening in the infrastructure and the company.
  4. Resources: Another key point for understanding your company's network. It contains separate real-time information on the alerts generated by firewalls, PCs, switches, etc., as well as each resource's last connection and when it stops sending information. This is very useful for detecting when and where the network infrastructure may stop working.


  • Light Eyes News and Alerts:

This panel shows the latest cybersecurity news published by Light Eyes. It is useful for knowing who is being attacked and how. Follow the link for more information.

Remember that the Main Dashboard is a central tool for monitoring and managing the security of the company involved. Use the different sections and links provided to gain a deeper understanding of security incidents and take the necessary actions to protect the environment.


Continue to explore and make the most of our Grafana and its Dashboards!


2. Phishing Dashboard

The Phishing Dashboard is designed to provide detailed information about Office365-related phishing incidents. The features and metrics available in this dashboard are described below.


  • Phishing information related to Office365:

The Phishing Dashboard focuses specifically on phishing incidents involving Office365. It provides an overview of phishing activities and their implications on the security of the platform.


  • Criticality of the Phishing:

The criticality level associated with each detected phishing incident is shown here, in the MAX Alert section. This metric helps prioritize response actions and focus efforts on the most serious and high-risk attacks.


  • Types of Phishing:

This section shows the number of detected phishing attacks of each type: mails with phishing intent, and mails carrying malware content intended to disrupt or infect the company.


  • User variable:

In the top left corner you can filter by user in your organization and then see what is happening on each device separately. This helps to understand where attacks are being received and how, allows effective tracking of incidents, and helps to assess the success of the security measures implemented.


  • Events by Severity over time:

This panel shows at what times and on which dates the most phishing traffic is received, which helps to understand when and from where these types of attacks arrive.


  • Users by IP:

A table of the alerts and their totals for each user IP. Very useful for understanding where the phishing attacks come from.


  • Recipient Analysis: Phishing Affected Users:

This section shows who receives the most phishing attacks. It helps identify the most exposed users or departments and supports additional security measures, such as training or two-factor authentication.


  • Phishing Status: Phishing Logs:

The status of detected phishing incidents is displayed here. They are classified into "Blocked/Sent to Spam" and "Sent". This allows an effective follow-up of the incidents and helps to assess the success of the implemented security measures.


  • Agent information:

This is where the information appears when you filter by user with the User variable (item 4 above).

Remember that the Phishing Dashboard is a valuable tool for understanding and managing phishing incidents related to Office365. Use the metrics and information provided to take proactive actions and strengthen defenses against phishing attacks.


3. Cases Dashboard

The Cases Dashboard provides a detailed view of the management of the most critical alerts received by your company from Apollo Analytics. The following is a description of the features and functionality available in this dashboard.


  • Critical Alert Management:

The Cases Dashboard focuses on the most critical alerts received by your company. It provides real-time updates on how these alerts are being handled to ensure a timely and efficient response.


  • Case history: 

This section shows the history of the latest cases that have been personally analyzed by your security team. These cases may include security incidents, ongoing investigations or response actions to previous incidents. The history provides a useful reference for evaluating the progress and effectiveness of case responses.


  • Case filtering:

The Cases Dashboard allows you to filter information using the ID of specific cases. This allows you to focus on a particular case and get a detailed view of its status, actions taken and related information. You can also filter by Status (resolved, or open and still under investigation), by Resolution (false positive or true positive), and by impact status, which indicates whether the case has taken effect and affected the company or not.


  • Real-time information:

The Dashboard is updated in real time, which means you always have access to the latest information on case management and response to critical alerts. This allows you to stay on top of developments and make informed decisions in a timely manner.


  • Case Detail:

When you filter by case ID, this section shows exactly what happened with the case and all its information: whether it is being handled, what its resolution is, how it affected the company, and how to act.


  • Observable and tasks:

This section lists the observables and tasks of all cases, for a deeper analysis.

Remember that the Case Dashboard is an essential tool for managing and tracking critical alerts received by your company. Use the available functionalities to monitor and evaluate case management progress, as well as to identify patterns and improve incident response practices.


4. Alerts Dashboard

The Alerts Dashboard provides a detailed and visually comprehensive view of security alerts generated by Apollo Analytics software. It provides essential information to understand the state of the infrastructure and the business in relation to security incidents. The following is a description of the features and functionality available in this dashboard.

The Alerts Dashboard displays detailed information about security alerts generated by Apollo Analytics software. These alerts may include intrusion detection, anomalous behavior, unauthorized access attempts, and other relevant security incidents.

The Dashboard provides a complete visual reconstruction of the work performed by the Apollo Analytics software. It provides a clear and visual understanding of how each alert has been detected and analyzed, giving an overview of the security landscape.


  • Advanced alert filtering:

The Alerts Dashboard provides a wide range of filtering options to customize the display of alerts. You can filter by parameters such as Rule Level, Rule ID, Agent Name, Role Group, Devname and Remote Ip. This gives a detailed and accurate view of what is happening in the infrastructure and the enterprise. Filtering can be done with the variables at the top of the dashboard or from inside the tables.

  • Alerts table:

Clicking an alert ID shows its information below in the Alert Detail section, but does not change the graphs above: when you are looking at a single specific alert, it makes no sense to redraw the graphs for it alone.

Clicking other parameters that encompass a group or type of alert does update the graphs for that group or type.


  • Alerts Level:

A pie chart shows the proportion of the total alerts at each level. To see their evolution over time, the affected users, and the file, network or host alerts, click a level in the pie chart to see how those alerts are distributed and when. This shows when one type of alert has increased compared to the others, and when it happened. The most interesting levels are HIGH and CRITICAL, because you can see how each of these alert types evolves by criticality and whether there is any unusual peak indicating an anomaly.
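As an added illustration (not code from the Grafana dashboards or from Apollo Analytics), the following Python reproduces on constructed sample alerts the logic behind the Advanced alert filtering and Alerts Level panels: a filter over the same kinds of fields the dashboard exposes, the per-level proportions behind the pie chart, the hourly evolution of HIGH and CRITICAL alerts, and a simple mean-plus-standard-deviation rule that flags the kind of unusual peak the text says to look for. The field names, sample values and peak threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample alerts (not real Apollo Analytics data). Field names are
# assumptions that mirror the dashboard's filter variables.
ALERTS = [
    {"id": 1, "ts": "2023-08-10T09:00", "level": "LOW",      "rule_id": 5501, "agent": "pc-01", "remote_ip": "10.0.0.5"},
    {"id": 2, "ts": "2023-08-10T09:00", "level": "MEDIUM",   "rule_id": 5710, "agent": "fw-01", "remote_ip": "203.0.113.9"},
    {"id": 3, "ts": "2023-08-10T10:00", "level": "HIGH",     "rule_id": 5712, "agent": "fw-01", "remote_ip": "203.0.113.9"},
    {"id": 4, "ts": "2023-08-10T11:00", "level": "HIGH",     "rule_id": 5712, "agent": "fw-01", "remote_ip": "203.0.113.9"},
    {"id": 5, "ts": "2023-08-10T12:00", "level": "CRITICAL", "rule_id": 5720, "agent": "fw-01", "remote_ip": "203.0.113.9"},
    {"id": 6, "ts": "2023-08-10T12:00", "level": "HIGH",     "rule_id": 5712, "agent": "pc-02", "remote_ip": "203.0.113.9"},
    {"id": 7, "ts": "2023-08-10T12:00", "level": "HIGH",     "rule_id": 5712, "agent": "pc-03", "remote_ip": "203.0.113.9"},
    {"id": 8, "ts": "2023-08-10T12:00", "level": "CRITICAL", "rule_id": 5720, "agent": "pc-03", "remote_ip": "203.0.113.9"},
    {"id": 9, "ts": "2023-08-10T13:00", "level": "LOW",      "rule_id": 5501, "agent": "pc-01", "remote_ip": "10.0.0.5"},
]

def filter_alerts(alerts, **criteria):
    """Keep alerts whose fields match every criterion, like the dashboard variables."""
    return [a for a in alerts if all(a.get(k) == v for k, v in criteria.items())]

def level_share(alerts):
    """Proportion of alerts per level: the data behind the level pie chart."""
    counts = Counter(a["level"] for a in alerts)
    total = sum(counts.values())
    return {lvl: round(n / total, 3) for lvl, n in counts.items()}

def hourly_counts(alerts, levels=("HIGH", "CRITICAL")):
    """Alerts of the given levels bucketed per hour: the evolution over time."""
    buckets = defaultdict(int)
    for a in alerts:
        if a["level"] in levels:
            hour = datetime.fromisoformat(a["ts"]).strftime("%Y-%m-%d %H:00")
            buckets[hour] += 1
    return dict(sorted(buckets.items()))

def unusual_peaks(buckets, sigma=1.0):
    """Hours whose count exceeds mean + sigma * stddev over all hours (assumed threshold)."""
    values = list(buckets.values())
    if len(values) < 2:
        return []
    threshold = mean(values) + sigma * pstdev(values)
    return [hour for hour, n in buckets.items() if n > threshold]

if __name__ == "__main__":
    print(level_share(ALERTS))
    print(unusual_peaks(hourly_counts(ALERTS)))
```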


Keep exploring and take your time to understand how to analyze the graphs, as you will be able to understand if, when and what kind of anomalies occur!


  • Modifiable graphics:


  • Firewall Alerts:

This panel shows only the alerts filtered by firewall. For more detail, apply the upper filtering described in item 1 (Advanced alert filtering) and you will see the panel update accordingly.


  • Alert information:

A drop-down panel for analysing the information of an alert in detail. Select the alert and observe its details; take your time to analyse it when you detect an anomaly.

By using the Alerts Dashboard, you can perform an in-depth analysis of your infrastructure and enterprise in relation to security incidents. The detailed information provided allows you to identify patterns, trends and areas for improvement in the security of your environment.

Remember that the Alerts Dashboard is a powerful tool for understanding and managing security alerts generated by Apollo Analytics software. Use the filtering and analysis capabilities to gain a complete and detailed view of your infrastructure security and take proactive steps to mitigate security risks.


5. Resources Dashboard

The Resources Dashboard is key to understanding your company's network. It provides real-time information about the different infrastructure resources, such as firewalls, PCs and switches. The features and functionalities available in this dashboard are described below.

All underlined information is interactive: clicking it (for example Agent Name, Device Name, Device IP…) redirects you to a dashboard with the analysis of that item, where you can increase the detail or filter what you want to obtain information about.


  • Detailed Resource Information:

The Resources Dashboard provides detailed information on the different resources of your company’s network infrastructure. You can get up-to-date data on firewalls, PCs, switches and other critical network components.


  • Alerts Generated by Resources:

The Dashboard shows the alerts generated by each infrastructure resource. This includes alerts related to security, performance and other relevant aspects. These alerts help identify potential problems and take preventive or corrective action.

  • Last Resource Connection:

In this section, information about the last connection of each resource is provided. This allows you to track the status of connectivity and detect potential problems, such as network interruptions or device failures.


  • Information Generation Status:

The Dashboard also shows the information generation status of resources. It can identify when a resource stops generating information, which may be an indication of a potential problem in the infrastructure. This information is valuable for detecting potential points of failure and taking preventive measures.

Remember that the Resources Dashboard is an essential tool for understanding your company’s network and detecting potential infrastructure problems. Use the real-time information, generated alerts and resource status tracking to maintain a secure and functional network.

Explore the Resource Panel and keep your network infrastructure in good shape!


6. Others Dashboard

In the Dashboard folder you will find many more dashboards prepared for much more analysis of what is happening in your company. If you need help understanding your data, contact the Apollo Analytics technical team.

Updated on August 10, 2023