Skip to main content

Cloud SIEM Heads Up Display

This topic describes Cloud SIEM Heads Up Display (HUD), the landing page for the Cloud SIEM UI. The HUD provides an at-a-glance overview of Insight status and activity.

note

Data on the HUD is generated by internal searches that may result in slightly different results than a log search query for the same time period, because of the way each method calculates time periods. But these differences cancel out over time. So while there may be a small variance between numbers of Records, Signals, and Insights in a given time frame, the effect is only noticeable when viewing very small time slices, for example, under 30 minutes. If you need to get exact tracking for reporting or other use cases, use dashboards in apps like the Enterprise Audit - Cloud SIEM app.

HUD overview

The left side of the HUD is a compact view of Insight activity and status in your environment. You can see the volume of Records being processed and how many Signals and Insights those Records result in. The HUD tells you how long it’s taking your team to spot, respond, and close Insights. You can see how many Insights are open, in progress, and closed. You can adjust the time range of the display depending on your interest. 

The middle part of the HUD—the radar—visualizes the Record, Signal, and Insight volumes that are summarized on the left side of the page. It’s a circular timeline. The outer blue ring shows Record volume. Just inside the ring of Records is a histogram-like view of Signal volume. Nearest to the center are triangles that represent Insights. As you mouse around the radar, small popups provide a count of the Records, Signals, or Insights in that timeslice, depending on your focus.

The right side of the HUD contains a list of recent Insight activity. The card above the list shows key information about the latest new Insight with the highest severity. 

See the sections below for more details on each element of the HUD.

Heads up display

1. Records / Signals / Insights

This section shows the count of Records ingested, Signals fired, and Insights generated during the currently selected time range, along with the percentage change compared to the previous time period. For example, if the currently selected time range is 24 hours, the percentage change is compared to the counts for the 24 hours previous to that.

The default time range is 24 hours. You can change the time range using the dropdown to the right of the currently selected time range; the options range from 4 hours to 7 days. When you change the time range, the counts and metrics in the left and middle columns of the HUD update accordingly.

2. Insight Metrics 

The Insight Metrics section displays the following metrics for the currently selected time range:

  • Detection. The average period of time between when the first event happened (when the first Record in the Insight occurred) and when the Insight was generated, in days. (This differs from "dwell time", which is the time between when the first Record and the last Record occurred in an Insight.)
  • Response. The average response time, which is the average time between when an Insight was generated and when its status was set to In Progress, in seconds. 
  • Remediation. The average remediation time, which is the average time between when the Insight was created and when its status was set to Closed, in seconds. 

If you use an HTTP POST V2 Action to send Insights to the Sumo Logic platform or another system, the Insight metrics are included in the Insight JSON object. The fields are timeToDetection, timeToResponse , and timeToRemediation

3. Insights by Status 

The Insights by Status section provides a quick view of what analysts are working on. The counts are a breakdown by current status of the Insights created during the currently selected time range. To create new statuses, see Managing Custom Insight Statuses.

4. Insights created and closed

This section contains a stacked bar chart that shows the count of Insights opened and closed over time during the time range. When you hover over a bar, you’ll see the breakdown.

5. Insight Radar

In the middle of the display is the Insight Radar, the HUD’s key feature. The radar visualizes the volume of Records, Signals, and Insights over time in a bulls eye-like view. Like the panels on the left side of the HUD, the radar updates when you select a different time range. The radar automatically refreshes every 60 seconds.

In the circular visualization the three outermost rings represent Records, Signals, and Insights.

The blue ring around the outside of the Radar represents Records. The selected time range is broken down into intervals, and as you hover over the outer border of the ring, traversing the time range, the count of Records created during each interval is displayed. 

Within the blue ring is another ring that contains light blue bars, each of which represents the Signals that fired during a time interval. The height of a column corresponds to the number of Signals that fired. If no Signals fired during an interval, no column appears. As you hover over an interval, the count of Signals that fired is displayed. If you click a column, the Signals page appears, and displays the corresponding Signals.

The third ring contains triangles, each of which represents one or more Insights. As you hover over an interval, the count of Insights that fired is displayed. If you click a triangle, the Insights page appears, and displays the corresponding Insights.

6. Recent Activity

The Recent Activity pane shows recently created Insights and recent Insight activity.

The card at the top of the pane provides key information about the latest new Insight with the highest severity. The card provides the following information:

  • The Insight ID and name, separated by a dash character. The name is typically formed from the MITRE stage(s) associated with the Signals in the Insight. In the case of a custom Insight, the name is the one supplied when the Insight was configured.  
  • The Insight description, typically formed from the MITRE stage(s) associated with the Signals in the Insight. In the case of a custom Insight, the description is the one supplied when the Insight was configured.
  • The Entity the Insight fired on. You can click on the Entity to view its details. Note that there is a six-button context menu that has options for searching for the Entity in other Insights and in Signals and Records. It also has the built-in Add to Match List and Add to Suppressed List actions, along with any custom Context Actions defined in your environment.
  • The analyst assigned to the Insight, if the Insight has been assigned to one.
  • Detection Time. The time between the moment of first activity observation (when the oldest Signal in the Insight was fired) and when the Insight was created. (This differs from "dwell time", which is the time between when the first Record and the last Record occurred in an Insight.)
  • Signals. The number of Signals in the Insight.
  • Severity. The severity of the Insight.
  • Global Confidence. Global Confidence for the Insight, if available.
  • Most Active Entities. Entities that are currently appearing the most in activity. Hover your mouse over an Entity and click View Timeline to see the Entity timeline.
  • Today. Shows changes made today, such as Insights created, status changes, and comments. Items are listed in chronological order, with the newest first.
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.