Dashboard > Executive Panel

The OSSIM Executive Panel is the de facto starting point of the OSSIM application. Once you log in to OSSIM, the Executive Panel appears, as indicated in Figure 2 – Dashboard > Executive Panel.

:user_manual:image002.png
Figure 2 – Dashboard > Executive Panel

A general “welcome” page, the Executive Panel lets you do a number of things:

  • Access the online help.
  • Perform one of eight often used system tasks.
  • Find additional information at the ossim.net web site.


Click the “Edit” hyperlink to customize the OSSIM Executive Panel. The Executive Panel may have multiple sub-panels. The panels may be configured to display information from modules throughout OSSIM (see Figure 3 – Panel Configuration).

:user_manual:executive_sample01.png

Figure 3 – Panel Configuration

Dashboard > Aggregated Risk

The Aggregated Risk panel displays metrics, or dashboards, that graphically display system levels of attacks and compromises, as shown in Figure 4 – Dashboard > Aggregated Risk.

:user_manual:image004.png
Figure 4 – Dashboard > Aggregated Risk

Attack and compromise are two indicators that OSSIM monitors independently because of their potential severity. Both are derived from the aggregated risk of the events affecting monitored assets. On the Metric page, Attack represents the potential risk to your machine from incoming attacks; in other words, it indicates the possibility of an attack but does not mean the attack succeeded. The Compromise section indicates that an attack was successfully carried out against your machine.

The Aggregated Risk page is divided into four distinct sections:

  • The top panel lets you select the duration of your metrics: the last 24 hours, the last week, the last month, or for the past year.
  • The middle panel provides graphical representations, or dashboards, that display Global admin Metrics, a Riskmeter, and Service Level.
  • The bottom left panel provides Compromise information.
  • The bottom right panel provides Attack information.


You can click on the Global admin Metrics graph and it will appear in a new window for easier viewing. This graph notes any attack or compromise instance at the specific time and date it occurred.

The Riskmeter graph, which can also be clicked for easier viewing, displays the attacks and compromises at the global, network, and host level. This display is a real-time C & A (Compromise and Attack) monitor.

The Service level graph displays the current level of service on your machine. The graph information is obtained from the same source as the Riskmeter, so you can see the C & A historical measurements. You can click the displayed percentage to view Level admin metrics. This graph allows you to select the duration of time displayed (past day, week, month, or year), as well as whether or not to show attacks or compromises.

The Compromise and Attack sections in the bottom panel display similar information for the two event types. Each is divided into two parts: Global and Networks outside groups.

The Global section contains four pieces of information: the Global Score, the maximum date, the maximum and current levels.

The Global Score features two icons: a graph icon and an information insert icon. Clicking the graph icon opens the Global admin Metrics window (exactly like the one in the top panel). The information insert icon lets you insert that specific metric into a new incident. You can modify the suggested information if needed; for example, you can set a title for the incident, its priority, type, target, metric type and value, as well as the start and end times of the related events.

The Network outside groups section contains similar information for networks not within a group defined under Network Group Policy (see Network groups). Each outside network also contains a graph icon and an information insert icon as detailed in the previous paragraph.

At the bottom of the Metrics page, a legend appears illustrating the percentage threshold and its corresponding risk using a color code.

Dashboard > Alarms

The Alarms panel shows all events, whether correlated or not, that exceed a certain risk level (1.0 by default). It displays information about any intrusions or attempted intrusions on your network, as shown in Figure 5 – Control Panel > Alarms.

<note> Remember: risk = asset * priority * reliability / 25 (Asset 0-5, Priority 0-5, Reliability 0-10)
Explanation: the product is between 0 and 250, so to get a risk between 0 and 10 we divide by 25. </note>


:user_manual:image005.png
Figure 5 – Control Panel > Alarms

Each of the alarms can consist of one or more individual events.

There are four main types of alarms.

  • Simple alarms that consist of a single event whose risk value has exceeded the risk threshold, either because the value of one of the involved assets was high enough, the event's importance was high enough (i.e. its priority was set to a high value), or that particular event's reliability was very high.
  • Logical correlation directives where one or more events (often thousands of events) get correlated together, resulting in various alarms which in turn get aggregated into a single one.
  • Cross correlated events which get “blessed” into alarms by the fact that an IDS event has been detected against a host with a previously identified vulnerability.
  • Alarms generated by events correlated against inventory information, whose reliability has been raised because an event was identified arriving against a possibly vulnerable OS/service version.
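The following is an added example, not part of the original manual, that works through the risk formula from the note above and the "simple alarm" rule (a single event whose risk exceeds the default threshold of 1.0). The event names and field values are constructed samples; the Event class and function names are assumptions of this example, not OSSIM identifiers.

```python
from dataclasses import dataclass

# Value ranges from the note: Asset 0-5, Priority 0-5, Reliability 0-10.
RANGES = {"asset": (0, 5), "priority": (0, 5), "reliability": (0, 10)}
DEFAULT_ALARM_THRESHOLD = 1.0  # risk above which OSSIM raises an alarm by default


@dataclass(frozen=True)
class Event:
    """One normalized event as the correlation engine would see it (constructed)."""
    name: str
    asset: int        # value of the affected asset, 0-5
    priority: int     # importance of this event type, 0-5
    reliability: int  # confidence that the event is a real attack, 0-10


def risk(asset: int, priority: int, reliability: int) -> float:
    """risk = asset * priority * reliability / 25.

    The product tops out at 5 * 5 * 10 = 250, so dividing by 25 maps it onto 0-10.
    """
    for label, value in (("asset", asset), ("priority", priority), ("reliability", reliability)):
        lo, hi = RANGES[label]
        if not lo <= value <= hi:
            raise ValueError(f"{label}={value} is outside {lo}-{hi}")
    return asset * priority * reliability / 25


def is_alarm(event: Event, threshold: float = DEFAULT_ALARM_THRESHOLD) -> bool:
    """A simple alarm: a single event whose risk exceeds the threshold."""
    return risk(event.asset, event.priority, event.reliability) > threshold


def alarm_names(events, threshold: float = DEFAULT_ALARM_THRESHOLD):
    """Names of the events that would appear in the Alarms panel, in input order."""
    return [e.name for e in events if is_alarm(e, threshold)]


# Constructed sample events: same signature against different assets and confidences.
SAMPLE_EVENTS = [
    Event("SSH brute force against DMZ host", asset=3, priority=2, reliability=5),  # 30/25 = 1.2
    Event("Port scan against workstation", asset=2, priority=1, reliability=3),     # 6/25 = 0.24
    Event("Exploit attempt against DB server", asset=5, priority=4, reliability=8), # 160/25 = 6.4
    Event("Noisy low-priority signature", asset=1, priority=1, reliability=10),     # 10/25 = 0.4
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = risk(e.asset, e.priority, e.reliability)
        print(f"{r:4.2f}  {'ALARM' if is_alarm(e) else '-----'}  {e.name}")
```

Note how the low-priority signature stays below the threshold even at maximum reliability, while the same priority against a higher-valued asset would cross it; this is why asset values matter as much as signature tuning.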

Below is a sample screenshot of a multilevel logical correlation alarm:

:user_manual:alarm_multilevel01.png

The Alarms page is divided into two distinct panels; the upper panel is a search panel that allows you to set specific alarm or intrusion criteria. The returned results appear in the bottom panel of the Alarm page.

The Search panel gives you four distinct options for locating alarms or intrusions:

  • The Filter checkbox, if selected, hides any returned alarms whose status is set to Closed.
  • The Date text box lets you set a specific date range for the desired alarm(s). By clicking the calendar icon to the right of the text box, you can select the start and end date using the pop-up calendar. When setting a date, keep in mind that your date must follow the year-month-date format.
  • The IP Address text box lets you set a source and destination IP address range for the alarm.
  • The Num. alarms per page text box lets you set the maximum number of alarms to display per page.

Once you have set your search criteria, click Go and the results appear on the fly in the bottom panel of the page. The returned alarms are first sorted by date; you may delete all alarms for a certain date by clicking Delete next to the date heading for that block of alarms. Alternatively, you can delete an individual alarm by clicking the Delete link located next to the alarm entry in the search results. The third way to delete all alarms in your search results is to click Delete All Alarms at the bottom of the results panel.

In the bottom panel of the Alarms page, there are a number of sections that provide helpful information when working with alarms or intrusions:

  • The Alarms column displays the name of the alarm, intrusion, or event that occurs. This can be a specific name, or simply a description of the event; for example, a “possible intrusion against vmossim.”
  • The Risk column displays a number indicating the potential threat to your machine and network. For example, a risk of 2 poses minimal risk to your system. On the other hand, a risk of 6 indicates a significant likelihood of danger to your machine, and it also carries a color-coded label indicating the higher threat.
  • The Sensor column indicates the IP address of the OSSIM sensor where the events that generated the alarm arrived.
  • The Since column indicates the date that OSSIM first recorded that particular attack or intrusion. It contains the complete date, followed by the time.
  • The Last column indicates the date that OSSIM last recorded an event regarding that particular attack or intrusion. It contains the complete date, followed by the time.
  • The Source column displays the IP address and port number from which the first event of the attack or intrusion appeared, as well as an icon showing the source OS (if it is known).
  • The Destination column displays the IP address and port number at which the first event of the attack or intrusion appeared.
  • The Status column displays whether the alarm is set to Open or Closed. You can set an Open alarm to Closed by simply clicking the Open link. The link then displays as Closed.
  • The Action column lets you perform two distinct actions: first, you can delete an alarm as mentioned earlier by clicking Delete. Each alarm also carries summarized information, such as the events involved in that alarm, the sensors involved, the source and destination, and so on. Second, for each alarm there is a link, symbolized by the :user_manual:info_i.png icon, that you can use to open a new incident from that alarm. Some of the information is added automatically upon creation:

:user_manual:alarm_incident01.png


* Written By: Jason A. Minto, Dominique Karg

* Reviewed By: Alberto Roman, Dominique Karg

* Contributors: Juan Blanco

Please add your name to the list above if you make significant improvements to this document

 
user_manual/dashboard.txt · Last modified: 2009/11/28 21:59 (external edit)