The Trends & SLAs tab displays how a security program is meeting its goals from an SLA perspective and provides trending data about findings in a security program. It allows SLAs to be configured based on specific criteria and provides visual data showing whether those criteria are being met.
The Trends and SLAs tab contains multiple containers:
Mean time to remediate by severity: This includes only closed findings. The MTTR number is derived from the following calculation: Total Sum of Creation to Closure Time / Total Number of Findings Closed.
Trend of findings opened vs closed: This graph shows progress over a period of time. To better utilize space, days with zero findings opened or closed are hidden.
Service-Level Agreements (SLAs): This section will list every SLA that has been enabled for the tenant.
Admins can set up SLAs through the Admin Dashboard (Tenant Settings > Service-Level Agreements) or by clicking SLA Settings.
Search filters allow users to refine and narrow search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values exists below:
Client
Client Tags
Date Range
Finding Severity
Critical
High
Medium
Low
Informational
Finding Tags
Report
Report Tags
CVE ID
CWE ID
The MTTR number is derived from the following calculation: Total Sum of Creation to Closure Time / Total Number of Findings Closed.
This graph includes only closed findings.
This container displays a bar graph of the monthly trend of opened and closed findings over the period specified in the filter, for findings that match the criteria.
A trending blue line shows the total number of open findings. A green bar identifies the number of closed findings, while a red bar identifies the number of opened findings.
To make the graph easier to view, days with zero findings opened or closed are hidden.
These containers provide visual representations and snapshots of findings based on enabled SLAs and selected query parameters.
A total count of all findings that exceed, are nearing, or are within one day of the SLA.
A view of the mean time to remediate, plus any findings nearing one day of the SLA, over time.
A view of the percentage of overall findings that exceeded the SLA over a period of time.
Further details and the ability to directly edit any findings that apply to the SLA can be obtained by clicking on the appropriate box under "CURRENT SNAPSHOT."
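As an added illustration of the two calculations described above (this is not code from the Analytics module), the following Python computes MTTR by severity over closed findings only, using the stated formula, and a current SLA snapshot that counts open findings as exceeded, nearing (within one day), or within their SLA. The findings, the per-severity SLA day limits, and the treatment of "nearing" as a one-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample findings (not product data); times are UTC.
NOW = datetime(2024, 6, 10, 12, 0)
FINDINGS = [
    # id, severity, created, closed (None = still open)
    {"id": 1, "severity": "Critical", "created": NOW - timedelta(days=10), "closed": NOW - timedelta(days=8)},
    {"id": 2, "severity": "Critical", "created": NOW - timedelta(days=20), "closed": NOW - timedelta(days=14)},
    {"id": 3, "severity": "High",     "created": NOW - timedelta(days=30), "closed": None},
    {"id": 4, "severity": "High",     "created": NOW - timedelta(days=9),  "closed": NOW - timedelta(days=2)},
    {"id": 5, "severity": "Medium",   "created": NOW - timedelta(days=65), "closed": None},
    {"id": 6, "severity": "Low",      "created": NOW - timedelta(days=3),  "closed": None},
]

# Assumed SLA configuration: maximum days allowed from creation to closure, per severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90}


def mttr_by_severity(findings):
    """Mean time to remediate in days, per severity, over closed findings only:
    sum(closure time - creation time) / number of findings closed."""
    totals, counts = {}, {}
    for f in findings:
        if f["closed"] is None:  # open findings are excluded from MTTR
            continue
        age_days = (f["closed"] - f["created"]).total_seconds() / 86400
        totals[f["severity"]] = totals.get(f["severity"], 0.0) + age_days
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return {sev: totals[sev] / counts[sev] for sev in totals}


def sla_snapshot(findings, sla_days, now=NOW):
    """Classify open findings against their severity's SLA: 'exceeded' once the
    deadline has passed, 'nearing' when the deadline is within one day (a finding
    due right now counts as nearing, not exceeded), otherwise 'within'."""
    counts = {"exceeded": 0, "nearing": 0, "within": 0}
    for f in findings:
        if f["closed"] is not None or f["severity"] not in sla_days:
            continue  # closed findings and severities with no SLA are not counted
        remaining = f["created"] + timedelta(days=sla_days[f["severity"]]) - now
        if remaining < timedelta(0):
            counts["exceeded"] += 1
        elif remaining <= timedelta(days=1):
            counts["nearing"] += 1
        else:
            counts["within"] += 1
    return counts
```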
This tab only supports the legacy Runbooks V1 solution.
The Runbooks tab allows users to view success at remediating issues over time by displaying data from all published runbooks a user has permission to view. It reveals how blue and red team outcomes change (or not) over time, so teams can confirm that blue team success increases as red team success decreases.
Each runbook is separated by a container that can be expanded or collapsed.
Clicking a container for a runbook provides a graphical view of the following information:
Runbook Stats: gives an overview of clients impacted, findings generated, and tactics covered.
Tactics Covered: shows how many procedures in a runbook were created as findings and how effective a security program was at stopping a technique.
Red Team Outcomes: provides a view and percentage breakdown of red team outcomes; moving the cursor around the pie chart provides additional information.
Blue Team Outcomes: provides a view and percentage breakdown of blue team outcomes; moving the cursor around the pie chart provides further information.
Client Engagement Analysis: provides a bar chart of blue and red team outcomes by date to measure progress over time.
When filters are selected, the data displayed refreshes, and the active filters are listed at the top of the page.
Search filters allow users to refine and narrow their search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values for the tab exists below:
Client(s)
Date range (values selected shown in query bar)
Runbooks (values selected shown in query bar)
Methodologies (values selected shown in query bar)
Engagements (values selected shown in query bar)
Engagement Tags
Tactics (values selected shown in query bar)
Red Team Outcome
Success
Partial Success
Failed
Unknown
Blue Team Outcome
Blocked
Alerted
Logged
No Evidence
Included as Finding
True
False
The Analytics module provides one central location to obtain valuable metrics and view findings, assets, runbooks, and SLA trends. This module consists of the Findings, Assets, and Trends & SLAs sections.
Users with data from the legacy Runbooks V1 solution will see a fourth tab for Runbooks.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but does not appear as expected, wait one minute and try again.
The Analytics module defaults to the Findings tab.
Only data for findings from published reports (a status of "Published") that the user has permission to view are displayed.
Data can be refined using one or more filters in the right column. When filters are selected, the data displayed refreshes, and the active filters are listed at the top of the page.
The number of active filters is displayed next to "Active Filters." Click Clear All to reset filters.
Filter options are specific to the type of data being queried, and the facets and values available dynamically change when navigating through the Findings, Assets, and Trends & SLAs tabs.
A search filter set is a collection of search filters grouped to provide a more comprehensive set of options for search results. Effective search filter sets can improve the user experience by reducing the time and effort required to find relevant search results and increasing the likelihood of a successful search.
Preset filters are available for all tabs in the Analytics module.
Step 1: Select the filters that will make up the preset.
Step 2: Click Create Preset at the top of the filter column.
Step 3: Enter a value for "Filter Name." This value will be used to select the query later, so it should be intuitive.
To make this preset the default filter, check the box next to "Make Default Filter."
Step 4: Click Create Filter.
The filter preset now appears in the pulldown menu as an available option.
This process can be used to rename an existing filter preset, adjust the filter parameters, or use it as a clone to create a new filter preset.
Step 1: Select the filter preset to update from the pulldown menu.
Step 2: Adjust the filter parameters.
Step 3: Click Update Selected Filter.
Step 4: A modal appears. Rename the filter to keep the original filter unchanged, or click Update.
Step 1: Select the filter preset to delete from the pulldown menu.
Step 2: Click Delete Selected Filter.
Step 3: A modal appears to confirm the action. Click Delete Filter.
The Assets tab has two containers that can be expanded or collapsed to display all assets that the user has access to view:
Asset findings overview: an overview of all assets
Assets: a table view of assets with sortable headings
Only assets from reports with a "Published" status are included in the analytics module.
Search filters allow users to refine and narrow search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values for the Assets tab exists below:
Client(s)
Client Tags
Asset Types
Asset(s)
Asset Tags
Ports
Finding Severity
Critical
High
Medium
Low
Informational
Asset Severity
Critical
High
Medium
Low
Informational
Unspecified
Finding Tags
Report
Report Tags
Operating System
Data Owner
System Owner
Physical Location
This container graphically displays the number of assets that have findings and provides a breakdown of the severity of findings (for those assets with findings).
This container displays a table that lists the asset name, client, criticality, type, and finding count. Column headers can be clicked to change the sort order and how the data is displayed.
Click an asset row for more information and a list of associated findings.
Assets can be edited directly by clicking Edit Asset at the top right of the page.
The Findings tab has two containers of information that can be expanded or collapsed:
Findings: an overall view of all findings that have been published and that the user has access to view
Findings By Client: a view of findings filtered by the client
Only published findings from reports with a "Published" status are included in the analytics module. In the Admin Dashboard, administrators can default findings to "Published" upon creation.
When filters are selected, the data displayed refreshes, and the active filters are listed at the top of the page.
Search filters allow users to refine and narrow their search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values for the Findings tab exists below:
Client(s)
Client Tags
Date Range
Asset(s)
Asset Tags
Finding Severity: Unchecking a severity will hide any asset with only findings of that severity.
Critical
High
Medium
Low
Informational
Asset Severity
Critical
High
Medium
Low
Informational
Unspecified
Finding Tags
Finding Status
Open
In Process
Closed
Report
Report Tags
Graph View
Assignees: This field only relates to Clients, Client Tags, Finding Tags, Reports, and Report Tags. If other fields are selected, the pulldown menu for Assignees will be blank. Similarly, if a report with no assignees is set, the pulldown menu for Assignees will be empty.
CVE ID
CWE ID
The CVE and CWE filters use an "and" query condition: every specified value must be present for a finding to be included in the results. For example, if two CVE values are added as a filter, the results display only findings that contain both values.
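An added Python illustration of the "and" semantics described above, not the module's own query code: a finding passes the filter only if it references every requested CVE ID and every requested CWE ID, and an "or" variant is included only to show how the result sets differ. The findings and the CVE/CWE IDs are constructed placeholders, not real identifiers.

```python
# Constructed sample findings (not product data); CVE/CWE IDs are placeholder values.
FINDINGS = [
    {"id": 101, "title": "Outdated TLS library", "cves": {"CVE-0000-0001", "CVE-0000-0002"}, "cwes": {"CWE-0001", "CWE-0002"}},
    {"id": 102, "title": "Single known CVE",     "cves": {"CVE-0000-0001"},                  "cwes": {"CWE-0001"}},
    {"id": 103, "title": "Weak cipher config",   "cves": {"CVE-0000-0002"},                  "cwes": {"CWE-0003"}},
    {"id": 104, "title": "Verbose error pages",  "cves": set(),                              "cwes": {"CWE-0002"}},
]


def filter_findings(findings, cve_ids=(), cwe_ids=()):
    """Apply the CVE and CWE filters with 'and' semantics: keep a finding only if
    it references every requested CVE ID and every requested CWE ID.
    An empty filter imposes no constraint (empty set is a subset of anything)."""
    want_cves, want_cwes = set(cve_ids), set(cwe_ids)
    return [
        f["id"] for f in findings
        if want_cves <= f["cves"] and want_cwes <= f["cwes"]
    ]


def filter_findings_any_cve(findings, cve_ids=()):
    """Contrast only: 'or' semantics (a finding matching ANY requested CVE),
    which is NOT what the Analytics module does."""
    want = set(cve_ids)
    return [f["id"] for f in findings if not want or want & f["cves"]]
```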
The Findings container displays the status, severity, client breakdown, and most critical findings for all tenant findings within defined query parameters and user permissions.
The Findings By Client container breaks down findings per client. Scroll down to see additional clients in the tenant.
More details about a specific finding can be obtained in the "Most Critical Findings" table.
Clicking the row of a finding brings up the finding details modal. From this modal, the user can:
Access the Findings tab of the Report module for further editing by clicking the "Finding ID" value.
Modify the finding status by clicking the "Status" value.
View information on an affected asset by clicking the table row of the asset.
View information on the CVE ID by clicking the link provided (when applicable).