In this installment of the Tips and Insights series, Chris Schreiber shows how to use the custom dashboard feature in FireEye Helix to build a report on alerts in an environment over time, making management reporting easier.
Hi, I’m Chris Schreiber and I’m a Solutions Architect with FireEye’s Global Pursuit Specialists Team. Today we’re going to talk about how you can use the custom dashboard feature in FireEye Helix to build a report about alerts in your environment over time, which is really useful for management reporting. Oftentimes you might be asked by management to provide reports about what kind of alerts you’re seeing and trends in history over time. There are some that are built right into the user interface, but you might need something that’s more static or is preserved over time. That’s really where Helix’s custom dashboard feature comes into play.

So let’s go ahead and make a custom dashboard. We’ll call this the Demo Alert Dashboard. Now, when you create a dashboard you actually pull in different data elements that we call widgets. Basically, a widget can show any type of data that you can generate by running a query within Helix. We want to focus on the alerts, which is a particular type of data that we can pull out. So let’s do an alert trend over the last three months, and we’re going to make that into a nice bar chart.

So let’s do a query to actually build this chart. We’ll start with class=alerts, and we’ll start three months ago so that we can pull that nice history again. One of the transforms that you need to apply when building a widget with a bar chart is a histogram, so we do a histogram by meta timestamp and day. And here you see a history of all the alerts generated in your environment, not just over the last couple of weeks but over the last 12 months. You could actually go back a whole 13 months; if you wanted to do a one-year trend, you could do that right in your widget here.

Let’s add one more widget. One of the interesting things that we track is what stage of the kill chain a particular alert is associated with.
So for this one we’re going to do another three-month summary so it matches the time span of the bar chart underneath, and we’re going to make a pie chart. Here again we’ll use class=alerts, and we’re going to start three months ago. Here, instead of a histogram, we’re going to do a “groupby” so that we can actually clump these together based on the actual kill chain stage, and kill chain is the name of the data element inside there. This is just going to be a pie chart, so let’s make this 50 percent of the width instead of 100 percent, and that leaves us room for another widget. Here you see a summary of the kill chain stage broken down by the top five categories. That might not be quite what you want to show; maybe you want to show all stages of the kill chain. You can do that really easily by going in and editing the widget. By changing that value to show the top 10 results, you can see all stages of the kill chain rather than just the top five.

So that’s a quick introduction to how you can use custom dashboards to build reports about your alert trends over time. Definitely dig deeper and see other ways that you can tweak it to your particular environment’s needs. Stay tuned for more FireEye product tips and tricks.
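The two widget transforms in the walkthrough, a histogram of alerts per day and a groupby on kill chain stage limited to the top N results, are just aggregations over alert records. The Python below is an added illustration of what those transforms compute, not Helix code and not Helix query syntax: it runs the same time-window filter both widgets share, zero-fills the daily histogram so quiet days still show up in the bar chart, and reports how many stages and alerts a top-5 limit drops, which is the reason the video raises the limit to 10. The alert records, the field names `metatimestamp` and `kill_chain`, the 90-day stand-in for "three months ago" and the stage names are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for Helix alert events. The field names
# "metatimestamp" and "kill_chain" are assumptions mirroring what the video
# refers to as the meta timestamp and the kill chain data element.
BASE = datetime(2020, 3, 1, tzinfo=timezone.utc)
WINDOW = timedelta(days=90)  # stand-in for "start three months ago"
KILL_CHAIN_STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]


def make_sample_alerts():
    """Build 56 constructed alerts: stage i gets 2*(i+1) alerts spread over 90 days."""
    alerts = []
    for i, stage in enumerate(KILL_CHAIN_STAGES):
        for k in range(2 * (i + 1)):
            when = BASE + timedelta(days=(i * 11 + k * 3) % 90)
            alerts.append({"class": "alerts",
                           "metatimestamp": when.isoformat(),
                           "kill_chain": stage})
    return alerts


def select_alerts(events, start, end):
    """class=alerts restricted to [start, end): the filter both widgets share."""
    return [e for e in events
            if e.get("class") == "alerts"
            and start <= datetime.fromisoformat(e["metatimestamp"]) < end]


def histogram_by_day(events, start, end):
    """Bar-chart transform: one bucket per day, zero-filled so quiet days still appear."""
    selected = select_alerts(events, start, end)
    counts = Counter(datetime.fromisoformat(e["metatimestamp"]).date() for e in selected)
    first = start.date()
    return [(first + timedelta(days=d), counts.get(first + timedelta(days=d), 0))
            for d in range((end - start).days)]


def groupby(events, field, start, end, top_n=5):
    """Pie-chart transform: count per distinct value, keep top_n, and report what was cut."""
    ranked = Counter(e.get(field, "(none)")
                     for e in select_alerts(events, start, end)).most_common()
    shown, hidden = ranked[:top_n], ranked[top_n:]
    return {"shown": shown,
            "hidden_groups": len(hidden),
            "hidden_alerts": sum(c for _, c in hidden)}


if __name__ == "__main__":
    alerts = make_sample_alerts()
    start, end = BASE, BASE + WINDOW
    for day, n in histogram_by_day(alerts, start, end):
        if n:
            print(day, "#" * n)
    for top_n in (5, 10):
        result = groupby(alerts, "kill_chain", start, end, top_n=top_n)
        print(f"top {top_n}: {result['shown']}; "
              f"{result['hidden_groups']} stage(s) / {result['hidden_alerts']} alert(s) not shown")
```

With seven kill chain stages in the data, the top-5 view silently drops two stages; the `hidden_groups` and `hidden_alerts` counters make that loss explicit, which a pie chart on a dashboard does not. Widening the limit to 10, as the video does, shows every stage present in the window.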