Overview
Customers that have the relevant license can create their own Analytics Dashboards to visualise and analyse incoming log data. This functionality is available from Snare Central v8.6.0.
Follow the 2-step process to create your own dashboard:
Step 1: On the Events Search page, create and save the queries that you are interested in visualising. Use either Basic or Advanced search.
Step 2: On the Analytics Dashboards page create a dashboard, add widgets (pie charts, bar charts, line charts, cards, tables), and add drill-down links between the widgets.
Dashboards Actions
Action items on the Analytics Dashboards page allow you to:
Create a new empty Dashboard - provide the following details in the dialog:
Name - dashboard name (up to 254 characters)
Grant full access to - select at least one of the groups the User belongs to, so that the User can access the Dashboard after its creation.
Click Create. The dashboard will be added in the desired location.
Add New Directory - provide the following details in the dialog:
Name - directory name (up to 254 characters)
As of version 8.6.2, a container can be created at any hierarchical level as long as the user has Change permissions to the parent container. A new directory is a temporary item that only exists for the duration of the session of the currently logged-in user (i.e. two hours by default), and will not be visible to other users of Snare Central. It will not become permanent, or visible to other users, until a Dashboard is added to the directory.
Import Dashboards - import dashboard(s) from a previous export from another Snare Central.
Search dashboards and directories by name - click x in the search window to clear the search results. After navigating into a found directory, use the Back to Search Results link in the Reports breadcrumbs area to return to your search results.
Sort all dashboards and directories by name - click the sort button to toggle sorting between Ascending and Descending order.
Rename, Move, Export or Delete a dashboard - click the ellipsis (...) in the custom dashboard line.
Rename opens a dialog that allows you to change the custom dashboard's Name and Description, and move it to another parent directory.
Export Dashboard opens a dialog that allows you to generate an export file with the dashboard definitions, or send this file by email to a desired recipient (email setup needs to be configured in the Wizard).
Delete opens a confirmation dialog and, if confirmed, proceeds with deletion of the dashboard and its widgets. The container/folder will be removed if it is the last dashboard to be removed.
Rename, Export or Delete a directory - click the ellipsis (...) in the directory line.
Rename opens a dialog that allows you to rename the directory.
Export Directory opens a dialog that allows you to generate an export file with the definitions of all the dashboards in the directory, or send this file by email to a desired recipient (email setup needs to be configured in the Wizard).
Delete All opens a confirmation dialog and, if confirmed, proceeds with deletion of all the dashboards in this directory.
Non-admin users with Change permissions to an Analytics Dashboard owned by Administrator are able to change dashboard content, but are not allowed to rename or delete the dashboard.
Creating Dashboard Content
After the dashboard is created with a pre-set layout, small empty layout items are placed on the canvas. These items can be resized, dragged and dropped, added or deleted.
Add Layout Item
This button at the top-right of the dashboard allows you to add additional empty layout items to the canvas.
A maximum of 50 items is allowed on one dashboard.
Resize Layout Item
An item can be resized using the mouse: press on the bottom-right corner of the layout item and drag it to the desired size. The item snaps to the underlying grid.
Click Save Layout floating button in the bottom-right corner to save layout changes.
Drag & Drop Layout Item
An item can be dragged and dropped to any place on the dashboard layout using the mouse: press on the header area of the layout item and drag it to the desired location. The item moves to the new location, and other items move aside to make space for it.
Click Save Layout floating button in the bottom-right corner to save layout changes.
Delete Layout Item
Click at the top-right corner of the item to open the Action Menu.
Select Delete Item.
In the confirmation dialog, select either Delete or Cancel.
Add Widget
It is time to put some content on the dashboard!
Click at the top-right corner of the layout item to open the Action Menu.
Select Add Widget.
Provide the following details in the dialog:
Name - that will be displayed in the title of the widget
Widget Type - select from the list of supported types:
Bar Chart
Line Chart
Pie Chart
Table
Status Card
After selection of the Widget Type, additional fields will appear. Configure the widget as described below.
Click Add to add the widget.
Configure Bar / Line / Pie Chart
Bar and Line Charts plot the number of events matching the query, grouped by a certain field.
The X axis represents event time, with a granularity of 15 minutes.
A Pie Chart plots the number of events matching the query, grouped by a certain field.
When adding or editing these widget types, the following parameters are configurable in the configuration dialog:
Select Saved Query - select from the list of available saved queries.
To create a new query, navigate to Events Search page, create a new query using either Basic or Advanced search, and save it.
After the query is selected, raw query in Snare Query Language is displayed under the selector.
Select Time Period - select time range of data to display, based on log time. Available options:
Today
The Last N days (N is between 1 and 7)
The Last X hours Y minutes (X is between 1 and 24, Y is between 0 and 59)
After the Time Period is selected, raw query in Snare Query Language is displayed under the selector, adjusted to the selected time range.
Select Group By - relevant log fields to group the data by.
For example, System, Log Type, User, etc.
Each value of the field will become a separate data series.
Available selection depends on the logs available for the selected query and time period.
Display Top N - limit the number of values of the Group By field to the top N values only.
This is useful, for example, to see only the top 10 systems or top 10 users satisfying the query. The allowed range is top 5 to 100.
Link to Already Created Widget - allows linking to another (child) widget. Clicking on a data point in the current widget applies a filter to the linked widget, thus refining the data. For example, when a pie chart is linked to a table, clicking on a pie segment causes the table to display the relevant event/log data.
To create a link, select this checkbox, then select the existing widget(s) to link (drill down) to.
Configure Status Card
Status Card displays a color-coded counter of events matching the query.
When adding or editing a status card, the following parameters are configurable in the configuration dialog:
Select Saved Query - select from the list of available saved queries.
To create a new query, navigate to Events Search page, create a new query using either Basic or Advanced search, and save it.
After the query is selected, raw query in Snare Query Language is displayed under the selector.
Select Time Period - select time range of data to display, based on log time. Available options:
Today
The Last N days (N is between 1 and 7)
The Last X hours Y minutes (X is between 1 and 24, Y is between 0 and 59)
After the Time Period is selected, raw query in Snare Query Language is displayed under the selector, adjusted to the selected time range.
Select Group By - relevant log fields to group the data by.
For example, System, Log Type, User, etc.
Available selection depends on the logs available for the selected query and time period.
Configure Threshold - value in the status card is colour-coded according to the configured “Warning” and “Problem” thresholds:
red - value is equal to or exceeds the “Problem” threshold
orange - value is equal to or exceeds the “Warning” threshold, but is lower than the “Problem” threshold
green - value is under the “Warning” threshold
Link to Already Created Widget - allows linking to another widget. Clicking on the value in the current widget applies a filter to the linked widget, thus refining the data. For example, when a card is linked to a table, clicking on the value causes the table to display the relevant event/log data.
To create a link, select this checkbox, then select the existing widget(s) to link (drill down) to.
Configure Table
The Events Table has no query of its own. Its purpose is to display log data from other widgets, based on user selection. Action items at the top of the table allow you to configure the visible columns and export table data to CSV.
Pagination controls are found at the bottom of the table.
Click on the table row to expand event details.
When adding or editing a table, the following parameters are configurable in the configuration dialog:
Link to Already Created Widget - allows linking to other widgets. Clicking on data points in the linked widgets displays the relevant data in the table. For example, linking pie charts, a line chart and a card to the table means that clicking on a data point in any of those widgets displays the relevant logs in this table.
To create a link, select this checkbox, then select the existing widget(s) to link (drill down) from.
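The chart, status card and table sections above describe the same small data pipeline: select events by log time, count them per Group By value, keep the Top N, colour-code a total against the Warning/Problem thresholds, and pass a clicked value on to a linked table. The following is an added example that models that pipeline in Python; it is not Snare Central's code, the `period` dictionary is this example's own representation of the Time Period dialog, and the event records are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real Snare Central data. Each record carries the
# log time and the fields the example groups by (System and User).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # assumed "current" time
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(minutes=5),  "System": "host-a", "User": "alice", "EventID": "4625"},
    {"time": NOW - timedelta(minutes=20), "System": "host-a", "User": "alice", "EventID": "4625"},
    {"time": NOW - timedelta(minutes=30), "System": "host-b", "User": "alice", "EventID": "4740"},
    {"time": NOW - timedelta(minutes=50), "System": "host-b", "User": "bob",   "EventID": "4625"},
    {"time": NOW - timedelta(minutes=90), "System": "host-c", "User": "carol", "EventID": "4625"},
    {"time": NOW - timedelta(days=2),     "System": "host-a", "User": "dave",  "EventID": "4773"},
    {"time": NOW - timedelta(days=10),    "System": "host-d", "User": "erin",  "EventID": "4625"},
]


def period_start(now, period):
    """Earliest log time covered by a Time Period selection.

    `period` is this example's own representation of the dialog options:
      {"today": True}                Today (since midnight)
      {"days": N}                    The Last N days, 1 <= N <= 7
      {"hours": X, "minutes": Y}     The Last X hours Y minutes, 1 <= X <= 24, 0 <= Y <= 59
    The ranges are the ones the dialog accepts; out-of-range values are rejected.
    """
    if period.get("today"):
        return now.replace(hour=0, minute=0, second=0, microsecond=0)
    if "days" in period:
        n = period["days"]
        if not 1 <= n <= 7:
            raise ValueError("Last N days: N must be between 1 and 7")
        return now - timedelta(days=n)
    x, y = period.get("hours", 0), period.get("minutes", 0)
    if not (1 <= x <= 24 and 0 <= y <= 59):
        raise ValueError("Last X hours Y minutes: X must be 1..24 and Y 0..59")
    return now - timedelta(hours=x, minutes=y)


def in_period(events, now, period):
    """Events whose log time falls inside the selected period (based on log time)."""
    start = period_start(now, period)
    return [e for e in events if start <= e["time"] <= now]


def group_counts(events, group_by, now, period, top_n=10):
    """Bar/Line/Pie data: event count per Group By value, limited to the Top N values.

    Each returned (value, count) pair is one data series / pie segment.
    """
    if not 5 <= top_n <= 100:
        raise ValueError("Display Top N must be between 5 and 100")
    counts = Counter(e[group_by] for e in in_period(events, now, period))
    return counts.most_common(top_n)


def status_colour(value, warning, problem):
    """Colour of the Status Card counter for the configured thresholds."""
    if value >= problem:
        return "red"      # equal to or exceeds the Problem threshold
    if value >= warning:
        return "orange"   # equal to or exceeds Warning, but below Problem
    return "green"        # under the Warning threshold


def status_card(events, now, period, warning, problem):
    """Status Card: count of matching events in the period plus its colour code."""
    count = len(in_period(events, now, period))
    return count, status_colour(count, warning, problem)


def drill_down(events, now, period, field, value):
    """Events Table content after clicking the data point field == value in a linked widget."""
    return [e for e in in_period(events, now, period) if e[field] == value]


if __name__ == "__main__":
    print(group_counts(SAMPLE_EVENTS, "System", NOW, {"hours": 1}, top_n=5))
    print(status_card(SAMPLE_EVENTS, NOW, {"hours": 1}, warning=3, problem=5))
    print([e["User"] for e in drill_down(SAMPLE_EVENTS, NOW, {"hours": 1}, "System", "host-a")])
```

The boundary behaviour is the part worth checking against a real dashboard: a count exactly equal to the Warning threshold is already orange, and exactly equal to the Problem threshold is already red, so thresholds should be set one above the level you consider acceptable.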
Edit Widget
Click at the top-right corner of the created widget to open the Action Menu.
Select Edit Widget. This opens the widget configuration dialog with options specific to the widget type, as described above. Edit the options and click the Edit button to save the changes.
Delete Widget
Click at the top-right corner of the created widget to open the Action Menu.
Select Delete Widget. This opens a confirmation dialog and, if confirmed, proceeds with deletion of the widget, leaving an empty layout item.
Efficient Dashboards Design
Dashboards are a powerful tool for visualising incoming data in near-real time, recognising threats and issues early and acting on them. However, the types and volumes of incoming logs may affect dashboard efficiency.
For example, a low volume of incoming data of a certain type may cause the graphs to have no data. For such systems / log types, a longer time period can be used in the chart configuration.
On the other hand, a high volume of incoming data may mean slower loading of the initial data in the charts. In this case it is advisable to try the following approaches:
Configure widget’s monitored time period to be shorter, for example “Last 1 hour” instead of “Last 7 days”
Configure chart's Top N categories to be smaller, for example “Display top 5 systems”
Narrow down the search query with more precise search parameters
Optimise query syntax
Queries Optimization
When using event search queries you can be generic or precise in searching for data. The more precise you are, the faster the query will be. Running a query in Basic mode may be fine for some searches, but others will require an Advanced search to be constructed. A more precise search can be orders of magnitude faster, as it makes better use of the indexes and cache information and incurs less regex searching along the event strings to find the target information.
An example of a good query is as follows.
DATE='TODAY' AND TABLE INCLUDES 'MSWinEventLog2,WinSecurity' AND EVENTID INCLUDES '4625,4740,4773' AND SNAREDATAMAP REGEXI 'FailureReason=%*Locked|FailureReason=%*2307'
Using INCLUDES on a specific field with a comma-separated list of values is much faster than a generic search for the event ID across the whole string, as it means less disk IO and CPU overhead.
Some key tips
be specific on the date range
be specific on the systems and/or log type. There is no point searching Cisco ASA logs for Windows events, and vice versa, as it wastes disk and CPU resources
if the value is in a specific field, use that field with the relevant INCLUDES values
when needed, use operators such as REGEXI to search other parts of the data string for specific values. Many of the Snare log formats, such as SnareV2, have a JSON-type structure that enriches the data and makes it easier to parse out and find specific values. Not all event types have all fields, hence the field called SNAREDATAMAP, which can contain variable JSON-based fields and values that come from the relevant sources, such as Windows Event Logs.
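The tips above can be checked mechanically before a query is saved for a dashboard. The following is an added example, not part of Snare Central, that splits an AND-joined query into clauses and reports which tips it misses. It assumes only the three clause shapes visible in the page's example query (`FIELD='value'`, `FIELD INCLUDES 'a,b'`, `FIELD REGEXI 'pattern'`) joined by AND; `SLOW_QUERY` is a constructed counter-example, and the suggestion to replace a `|`-joined list of literals with INCLUDES follows directly from the INCLUDES tip.

```python
import re

# The example query from this page, used as the "good" reference input.
GOOD_QUERY = ("DATE='TODAY' AND TABLE INCLUDES 'MSWinEventLog2,WinSecurity' "
              "AND EVENTID INCLUDES '4625,4740,4773' "
              "AND SNAREDATAMAP REGEXI 'FailureReason=%*Locked|FailureReason=%*2307'")

# Constructed counter-example (not from the page): no date or log-type constraint,
# and a regex used where a field-based INCLUDES would do.
SLOW_QUERY = "SNAREDATAMAP REGEXI 'Locked' AND EVENTID REGEXI '4625|4740|4773'"

# Clause shapes taken from the page's example; other operators are not handled (assumption).
CLAUSE_RE = re.compile(
    r"^\s*(?P<f1>\w+)\s+(?P<op>INCLUDES|REGEXI)\s+'(?P<v1>[^']*)'\s*$"
    r"|^\s*(?P<f2>\w+)\s*=\s*'(?P<v2>[^']*)'\s*$",
    re.IGNORECASE,
)
# Two or more plain literal tokens joined by '|' use no regex feature that a
# comma-separated INCLUDES list could not express.
LITERAL_ALTERNATIVES_RE = re.compile(r"^\w+(\|\w+)+$")


def parse_query(query):
    """Split an AND-joined query into (FIELD, OPERATOR, VALUE) triples."""
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE_RE.match(part)
        if not m:
            raise ValueError(f"unrecognised clause: {part!r}")
        if m.group("f1"):
            clauses.append((m.group("f1").upper(), m.group("op").upper(), m.group("v1")))
        else:
            clauses.append((m.group("f2").upper(), "=", m.group("v2")))
    return clauses


def lint_query(query):
    """Return a list of efficiency findings; an empty list means every tip is met."""
    clauses = parse_query(query)
    fields = {field for field, _, _ in clauses}
    findings = []
    if "DATE" not in fields:
        findings.append("no DATE clause: be specific on the date range")
    if "TABLE" not in fields:
        findings.append("no TABLE clause: restrict the log type so other sources are not scanned")
    for field, op, value in clauses:
        if op == "REGEXI" and LITERAL_ALTERNATIVES_RE.match(value):
            findings.append(
                f"{field} REGEXI '{value}' is a list of literal values: "
                f"use {field} INCLUDES '{value.replace('|', ',')}' instead"
            )
    # A regex is cheap only once field constraints have cut the candidate set down.
    narrowed = any(op in ("=", "INCLUDES") and field != "DATE" for field, op, _ in clauses)
    if any(op == "REGEXI" for _, op, _ in clauses) and not narrowed:
        findings.append("REGEXI without any field-based INCLUDES/equality clause: "
                        "narrow the query by field first, then regex the remaining data string")
    return findings


if __name__ == "__main__":
    for name, query in (("GOOD_QUERY", GOOD_QUERY), ("SLOW_QUERY", SLOW_QUERY)):
        print(name, lint_query(query) or "no findings")
```

Run against the page's query the linter reports nothing; the constructed slow query produces four findings, one per tip it violates.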
The SnareArchive stores data in a natural index that helps with most queries and dashboards for near-real-time display. The basic structure is DATE/Machine/Log File, with log files named (Log type-time-segment-sequence.log.gz). Other metadata and index caches are built around this, based on frequently used queries. Snare Central uses an optimised query engine that only performs additional indexing on data that is used often, which helps to reduce the disk requirements of the system.
Depending on how the system is used, you may want to add disk capacity to the SnareIndex and SnareCache locations. For a small system the default of 50 GB may be OK, but for larger systems with 1 TB or more of data these locations benefit from additional disk capacity, so that additional metadata and index data can be created to speed up queries and reduce IO for data searches. For example, a system with 5 TB of Snare compressed data, high daily usage of reports and frequent use of Analytics Dashboards may benefit from a 1 TB SnareIndex location.
The system self-manages the index and cache locations, so it is normal for them to run at or near 100%. What you want to minimise is the repeated flushing of data in these locations and its replacement with fresh data for the same time periods. Performance tuning is a separate topic and will be covered in other material.
In summary, the Snare Event Search is very powerful at finding and matching data, but like many features there are efficient and inefficient ways to run a query, and ways to tune the system to optimise performance.