Exploring the User Interface

The user interface of the Arista NDR Platform is based on three major components:
  1. A Search area extending across the top of the window.
  2. A vertical Main Menu in the left-most column, holding six Primary Tabs and one Overlay Tab labeled by icons and mouse over hints.
  3. A central Main Screen which displays the contents of one of the six Primary Tabs of the Main Menu.

Overview of the Navigation Structure

The top level Main Menu is the core of the Awake user interface. It has six Primary Tabs and one Overlay Tab. Each primary tab opens in the Main Screen, except for the Situation Overlay, which is displayed semi-transparently over the current primary tab.

The following image represents the top level Dashboard of the Awake user interface.

Figure 1. Dashboard

The left side of the Awake user interface contains the seven top level Tabs.

Figure 2. Main Menu

The seven top level Tabs are:
  1. Platform Dashboard.

    The Platform Dashboard tab is shown when you first log into the Arista NDR Platform. It shows you summaries of threats and risks, the network environment, and the status of the platform itself.

  2. Workbench.

    The Workbench tab provides interactive exploration of the Security Knowledge Graph (SKG), network activity, and packet capture data and relationships. For more on the Workbench, see: Exploring Activity in the Workbench.

  3. Detection Management.

    The Detection Management tab lets you view and configure elements of your threat detection: Skills, Adversarial Models, and Indicators of Compromise (IOCs).

  4. Help Resources.

    The Help Resources tab is where you can learn about Adversarial Modeling Language (AML), including Common Model Building Blocks, Advanced Model Case Studies, and Tuning Models. You also can access the User’s Guide there, including the complete AML Reference, and the Release Notes.

  5. System Management.

    The System Management tab is for managing users, roles, and action rules governing notifications. For details, see: Configuring Awake Using System Management Tools.

  6. My Account.

    The My Account tab lets you view or edit your personal account profile (including password), role, or access policies, or log out.

  7. Situation Overlay.

    The Situation Overlay lets you view and work with Situations. Here, you can view investigation and resolution records for in-progress and previous situations, and create your own situations. For details, see Situations. Note that this is not a primary tab, but a transparent overlay, through which you can see the tab that is currently open. This allows you to quickly act on situations without interrupting or hiding whatever you were working on or viewing.

Accessing Visualizations

Each dashboard's visualization tiles provide a broad range of graphically categorized, customizable information about your current threat environment.

Figure 3. Dashboard with Visualizations

Each visualization tile provides the following common options:
  • The Bullet list icon to view the data in a pivot table.

  • The Gear icon to either open or close settings for visualization modifications.

  • The Open or Close full screen icons to expand the visualization tile.

Pivot Table

To sort the data or filter a table:
  1. Click a column title or the Filter icon to open a dialog box for sorting and filtering the list.
  2. Click the Reset Column Filters link to reset the column filter settings to their defaults.
To configure a table view:
  1. Click the Settings icon to open a dialog box to select the columns to display, or reset to system default.
  2. Click on the Settings icon again to close the dialog box.
Figure 4. Pivot Table

Note: You cannot sort the data for adversarial models and IOC matches.

Trend Summary: Statistical

The Arista NDR Platform provides Trend Summary: Statistical and Trend Summary: Detail summary datasets that present the summary data collected on an hourly basis.

A visualization tile with a Trend Summary: Statistical dataset provides Current, Trend, and Time Threshold as options to customize the data presentation.
Figure 5. Trend Summary Statistical Dataset

The Current option displays the current data as obtained by APIs used throughout the product for Activity, SKG, situations, etc.

Note: In a statistical summary dataset, only the Current option displays the data in a pivot table.
To customize the data display:
  1. Click the Gear icon to open the Visualization Settings dialog.
  2. In the left column, select the settings group to customize. You can modify Current Settings, Trend Settings, and General Settings.
    Figure 6. Visualization Settings

  3. Make the desired changes.
    Note: The settings in each group vary according to the selected dataset.
  4. Optionally, you can select another settings group to modify next.
  5. When you are finished, click the Close button or the Gear icon to apply your changes, or click Discard to revert to the default settings.
  6. Admin users can click the Save button to retain updated changes.

Trend Summary: Detail

A visualization tile with a Trend Summary: Detail dataset provides the trend and time threshold as options to customize the data display.
Figure 7. Trend Summary Detail Dataset

The visualization tile displays Current/Trend or time threshold options based on the selected visualization type. In a detailed summary dataset, both the Current and Trend options display the data in a pivot table.

To customize the data display:
  1. Click the Gear icon to open the settings dialog.
  2. In the left column, select the settings group to customize. You can modify Visualization Settings and General Settings.
  3. Make the desired changes.
    Note: The settings in each group vary according to the selected dataset.
  4. Optionally, you can select another settings group to modify next.
  5. When you are finished, click the Close button or the Gear icon to apply your changes, or click Discard to revert to the default settings.
  6. Admin users can click the Save button to retain updated changes.

Using the Help Resources Topic to Kick-Start Your Searching

The Resources screen is a collection of resources to help start your investigation, and also your link to the Release Notes and the online help documentation.

To open the Resources topic, click the Help Resources icon in the left column of the Awake Console window.
Figure 8. Help Resources

You will see tables of contents for four main topics:
  • an introduction to the Adversarial Modeling Language,
  • common model building blocks,
  • advanced model case studies, and
  • tips on how to tune your models.

The resources here provide examples of Awake's features in action, including Awake's use of Boolean operators, regular expressions, lists, and combining device and activity queries. You can pick from a list of ready-to-use example queries, or immediately try your own queries using the search bar at the top of every Awake screen. In all cases, you can customize and save to your own collection of favorite queries.

When you click on an example query, you get an expanded display of key concepts and the query itself, as shown above for device type under Model Format. The AML model is shown as it would be entered into the query panel, and there is the option to copy the query directly into the query panel and run it for you, by clicking Run Model as shown above.

You can click Search to run the query again, or edit the query further. For more on queries, see Fine Tuning Your Searches and AML Queries and Using the Query Language.

You can also modify your queries and skills by using the Result Summaries, and by adjusting your timeline. For more details, see:

AML Documentation, Help Documentation, and Release Notes

At the upper right, there are buttons which take you to AML documentation, help documentation, and the release notes.

Figure 9. Release Notes Help Links

The help documentation is also available as a PDF file at: Awake Security Guide.

Searching and Query

Awake provides a query panel that appears at the top of every page. This is used for both quick searches and for powerful Awake Modeling Language (AML) queries.

You can choose the type of query using the dropdown menu at the top right of the window:

Figure 10. Query Type

For details on quick searches, see Quick Search.

For details on advanced queries, see Using the Query Language.

Quick Search

Quick Search lets you start a search by typing at least three characters of a term into the search bar. The results show some detail about each matching entity or category; clicking a result opens the details page for that entity. Apply the filters to view results only for a particular entity type. By default, no category is selected, so you see results from all categories. You can set the time range of the results to the past day, week, or month; the default is one week.

  1. Set the query panel to Search using the dropdown menu at the upper right.
  2. Begin typing your search term.

    As soon as you have entered the first three characters of the term, Awake displays a list of matches.

    You can filter the list by selecting one or more categories in the Search Filters box.
    Note: If you do not select any categories, you may see results for all of them: device names, emails, usernames, domains, IP addresses and situations.
  3. The default time window is Last Week. To change the time range of the search, use the dropdown menu in the Search Filters box at right, to choose from Last Day, Last Week, or Last Month:
  4. Now, hover on a line to see a short list of details about that item.
  5. Click on that line to open the Workbench and see that item's full details. (Situations are shown in the Situation Overlay instead of the Workbench.)

Investigation and Analysis with Workbench and Query Language

This section teaches you how to use the Console to investigate devices and their activities on your network.

In your investigation, the Workbench and query language give you precise control, but the Dashboard and Search are more accessible ways to explore your network’s security situation. In addition, the Help Resources tab gives you access to comprehensive documentation and release notes. For more, see:

When you click the Workbench tab, you will see a column of tabs on the left where you can select Devices, Domains, or Activities. The main panel shows a list of the chosen category. The bar graph at top shows the time frame. Selecting the gray background of a line in the list opens a details pane on the right, with annotations, tags, and risk level highlighted.
Figure 11. Workbench Map

You can use the query bar at the top of the window to search for devices, domains, or activities. Your search must include a time frame and can also include parameters for device, domain, and activity characteristics, as well as artifacts turned up by the Arista NDR Platform's risk analysis. Several underlying features of the Arista NDR Platform support this investigative ability:

Note: The Arista NDR Platform Console requires that you use a recent version of Chrome. It has been tested with versions 64.x through 88.x.

For more on risk level computation, see: How Risk Levels are Computed.

Activities Tab

This section covers the Activities tab in the Workbench. You will see how to find and work with the activities identified by Awake.

For an overview, see Investigating with Activities.

Finding Activities

To find activities, the two best methods are by search (covered in the Searching and Query and Using the Query Language sections), or using the Workbench's Activities tab.
  1. Click on the Workbench icon to open the Workbench screen.
  2. Click on the Activities tab to open the Activities page.
By default, the Activities tab lists all activities that started in the last hour. You can adjust this time window with the time controls, explained in the Time Controls section.
Figure 12. Activities List

In addition to time, you can also filter the results by adding device.* or activity.* parameters.
  1. At the top right, select AML from the dropdown menu.
  2. Click in the text field to the left of the Refresh icon.
  3. Type in a parameter such as device.ip == 192.168.2.14.
  4. Hit Enter or click on the Search icon.

    If your query specifies a particular device.ip, only activities that have that IP address as the Source or Destination value are listed.

Figure 13. Activities/Device Session

Similarly, in the Devices tab, if you use activity.* query parameters, the Devices list only shows the devices with activities that meet those parameters. Both kinds of parameter affect the Activities results, the Domain artifacts results, and the Devices results.
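The following Python script is an added illustration of the filtering behaviour described above; it is not code from the Arista NDR Platform. The Activity record layout, the sample activities, the address set treated as non-device traffic, and the activity.protocol filter name are all constructed or assumed for this example. It applies a device.ip filter (matching Source or Destination) and an activity filter to a handful of constructed activities, then derives what the Activities, Devices, and Domains tabs would list for that query, with the DHCP broadcast activity yielding no device.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records for illustration only. The field names echo the
# device.* and activity.* parameters named on the page, but this layout is a
# hypothetical simplification, not the platform's data model.
@dataclass(frozen=True)
class Activity:
    activity_id: str      # hexadecimal ID shown in the details sidebar
    start_time: str
    source_ip: str
    destination_ip: str
    protocol: str         # highest protocol parsed for the activity
    domain: str           # "" when the activity yields no domain artifact

ACTIVITIES: List[Activity] = [
    Activity("0x1a", "2019-09-10T21:00:01Z", "192.168.2.14", "93.184.216.34", "HTTP", "example.com"),
    Activity("0x1b", "2019-09-10T21:05:12Z", "10.0.0.5", "192.168.2.14", "SMB", ""),
    Activity("0x1c", "2019-09-10T21:07:40Z", "10.0.0.7", "8.8.8.8", "DNS", "example.net"),
    # DHCP discover: traffic that is not attributable to a profiled device
    Activity("0x1d", "2019-09-10T21:09:03Z", "0.0.0.0", "255.255.255.255", "DHCP", ""),
]

# Addresses that never identify a device entity (an assumption for this example).
NON_DEVICE_ADDRESSES = {"0.0.0.0", "255.255.255.255"}


def matches_device_ip(act: Activity, ip: str) -> bool:
    """device.ip == ip matches an activity whose Source or Destination is ip."""
    return ip in (act.source_ip, act.destination_ip)


def run_query(activities: List[Activity],
              device_ip: Optional[str] = None,
              activity_protocol: Optional[str] = None) -> Dict[str, object]:
    """Apply device.* and activity.* filters together and return what each
    Workbench tab would show: Activities, Devices, and Domain artifacts."""
    hits = [
        a for a in activities
        if (device_ip is None or matches_device_ip(a, device_ip))
        and (activity_protocol is None or a.protocol == activity_protocol)
    ]
    # Devices tab: every device address taking part in a matching activity
    devices: Set[str] = {
        ip for a in hits for ip in (a.source_ip, a.destination_ip)
        if ip not in NON_DEVICE_ADDRESSES
    }
    # Domains tab: domain artifacts produced by matching activities
    domains: Set[str] = {a.domain for a in hits if a.domain}
    return {
        "activities": [a.activity_id for a in hits],
        "devices": devices,
        "domains": domains,
    }


if __name__ == "__main__":
    # device.ip == 192.168.2.14 (from the page) and an assumed activity filter
    print(run_query(ACTIVITIES, device_ip="192.168.2.14"))
    print(run_query(ACTIVITIES, activity_protocol="DNS"))
```

The device.ip filter keeps activities 0x1a and 0x1b, because 192.168.2.14 is the Source of one and the Destination of the other, and the Devices and Domains sets shrink with them. With no filter the DHCP activity is still listed, but contributes no device address, which is the case the text above describes.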

It is possible for the Activities list to capture activity data that is not associated with a device. DHCP is a class of traffic that Awake captures but that is not easily associated with devices. Also, Activities can appear for devices that are pending profiling by the Entity Tracker.

There are two ways to see the details view for an activity:
  • Click anywhere on that line except on an underlined link. This will open a sidebar on the right showing the activity details, so that you can see them while still seeing other activities that occurred in that period of time. These timewise correlations can be significant.
  • Click on this activity's Details link in the first column of the table, or on the hexadecimal ID number at the top of the activity details sidebar, to open a more complete details page that allows you to further investigate that activity.
Figure 14. Activities View

Figure 15. Activities Detail

Column Descriptions

The Activities list has the following columns.
Table 1. Column Descriptions
Column        Description
Activity      Link to details of the activity.
Start Time    Time and date when the activity started.
Source        Source IP and port.
Destination   Destination IP and port.
Protocols     Protocols involved in the activity.
Details       Key details summarized for the highest protocol parsed within the activity.
MP ID         Sensor number (monitoring point ID).

The contents of the Details section is protocol-dependent. View the specialized Details templates for each protocol in the Activity Protocol Templates reference section.

Devices Tab

The Devices tab displays devices that match the current query.

To view the devices associated with a query:
  1. Click on the Devices icon to open the Devices tab in the Workbench.
The number of devices in the current query appears under the Devices icon to the left of the workbench screen; if the number is unexpectedly large, try narrowing your query. If there is no current query, the tab will show all devices on the network.
Figure 16. Device Results Review

By default, the list is ordered by the Risk Level field, appearing at the far left. To customize the display:
  1. Sort by a different field by clicking the arrow to the right of the desired sort criterion.
  2. Choose the direction of the sort: either Ascending or Descending.
  3. Click the Table View icon at the far right of the column headings to customize which fields are displayed.
Each item in the list represents a device entity profiled on your network. The following table describes the display fields and their meanings.
Field             Description
Risk Level        The risk level is the computed value of all of a device’s attributes and activities. The system assigns a score to each, then combines these scores to reach an overall score for the device, displayed as Low, Medium, or High. The last time risk values were calculated for the result set is displayed at the top of the page.
Device Name       A unique identifier for a device. This value can be one of these:
                    • username:hostname
                    • hostname
                    • Awake-assigned id from Entity Tracking
                  The actual value depends on the communication data available for that device. For example, if Entity Tracking is able to identify the unique hostname, that value is shown.
                  Below the name is a list of IP addresses the device has held on the network.
Type              Type of device, e.g., DNS server, Windows device, Macintosh, etc.
Operating System  Name and version of the OS running on the device.
Activities        Total number of activities recorded for this device.
Similar           Number of devices that are similar to this one.
Time Active       The duration that this device has been active on the network.
Last Seen         A timestamp indicating when the device was last seen on the network.
Sensors           The number of monitoring points gathering data about this device.

How to Read Device Results

In this section, you form a query using a timestamp that you create. You will also learn more about devices and how Awake defines them.

Practice your timestamp skills by typing in a specific timestamp, following the steps that follow:

  1. Enter a timestamp into the query bar with a timezone offset of +01:00 from UTC. For example:
    device.last_seen > 2019-09-10T21:48:49.763+01:00

    You must enter all the components of a timestamp. The sub-seconds are optional, and wildcards are not supported.

  2. Press ENTER or click Search.

    The Workbench returns the results displayed in equivalent UTC time.

  3. Review the Devices list entries now.
    Figure 17. Device Results

    Take a moment to understand how Awake organizes the device results in relation to the timestamp you used. Each row in Devices represents a single device entity.

    Review the results your query returned. Look for what the entries have in common and how they differ.

    Each Devices entry always has three pieces of data: Device Name, Time Active, and Last Seen. These fields are defined as:

    Field         Description
    Device Name   A unique identifier for a device. This value can be one of these:
                    • username:hostname
                    • hostname
                    • Awake-assigned id from Entity Tracking
                  The actual value depends on the communication data available for that device. For example, if Entity Tracking is able to identify the unique hostname, that value is shown.
    Time Active   The length of time the traffic lasted. This value has the hh:mm:ss format.
    Last Seen     A timestamp indicating when the device was last seen on the network.

The remaining fields for an entry may or may not contain values. The relative completeness of the different devices depends on whether device summarization has run and how much Awake’s Entity Tracking could profile a particular device. Device summarization runs every hour to pick up new devices and every 5 minutes to add data to existing devices.

Although time is involved, much of what shows in Awake has been calculated over all time. For example, IP addresses, device names, operating systems, and so on are time independent. However, once you see activities, the time element becomes significant. For details, see Using Time to Focus Query Results.
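The following Python script is an added example for the timestamp exercise above; it is not code from the Arista NDR Platform or its documentation. It checks a timestamp literal against the rules the page states (every component present, sub-seconds optional, no wildcards), converts it to the UTC equivalent the Workbench displays, and emulates device.last_seen > <timestamp> over two constructed device records. That the regular expression matches exactly the set of literals AML accepts, including the requirement for an explicit offset, is an assumption drawn from the description, not from an AML grammar.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List

# Accepts the timestamp form shown on the page: date, time, optional
# sub-seconds, and an explicit UTC offset (or Z). That this is exactly what AML
# accepts is an assumption taken from the description, not from the AML grammar.
_TIMESTAMP = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_aml_timestamp(text: str) -> datetime:
    """Parse a complete timestamp literal into a timezone-aware datetime.
    Missing components and wildcards are rejected, as the page states."""
    m = _TIMESTAMP.match(text.strip())
    if m is None:
        raise ValueError(f"incomplete or wildcarded timestamp: {text!r}")
    year, month, day, hh, mm, ss, frac, tz = m.groups()
    micros = int(frac.ljust(6, "0")) if frac else 0   # ".763" -> 763000 us
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return datetime(int(year), int(month), int(day), int(hh), int(mm), int(ss),
                    micros, tzinfo=timezone(offset))


def is_complete_timestamp(text: str) -> bool:
    """True only for a literal that satisfies every rule above."""
    try:
        parse_aml_timestamp(text)
        return True
    except ValueError:
        return False


def to_utc(text: str) -> str:
    """The UTC equivalent of the literal, which is how the Workbench shows results."""
    utc = parse_aml_timestamp(text).astimezone(timezone.utc)
    return utc.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def build_query(field: str, op: str, text: str) -> str:
    """Validate the literal before it is pasted into the query bar."""
    parse_aml_timestamp(text)
    return f"{field} {op} {text}"


# Constructed device records (not platform data); last_seen is stored in UTC.
DEVICES = [
    {"name": "alice:LAPTOP-01", "last_seen": "2019-09-10T21:30:00.000Z"},
    {"name": "awake-7f3a", "last_seen": "2019-09-10T20:40:00.000Z"},
]


def devices_last_seen_after(devices: List[dict], text: str) -> List[str]:
    """Emulate device.last_seen > <timestamp>; the comparison is in absolute time,
    so the +01:00 literal and a UTC value are compared correctly."""
    cutoff = parse_aml_timestamp(text)
    return [d["name"] for d in devices
            if parse_aml_timestamp(d["last_seen"]) > cutoff]


if __name__ == "__main__":
    literal = "2019-09-10T21:48:49.763+01:00"     # the page's example
    print(build_query("device.last_seen", ">", literal))
    print("UTC:", to_utc(literal))
    print(devices_last_seen_after(DEVICES, literal))
```

The page's example literal resolves to 2019-09-10T20:48:49.763Z, so a device last seen at 21:30 UTC is returned and one last seen at 20:40 UTC is not. A wildcarded literal such as 2019-09-10T21:*:49+01:00 is rejected before it reaches the query bar.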

New devices only have the three default pieces of information. Existing devices have more information. There can be several reasons Awake knows little about a device:
  • The device is new to the network.
  • The device communicates infrequently, so its profile is very sparse.
  • The device is communicating on the network but is not using protocols Awake is currently parsing.
  • Risk analysis has not yet run for the device (more about this later).

At any point in time, only a single device holds a particular IP address. Devices rarely communicate continuously; they go idle, or users do not initiate actions that result in network traffic. Moreover, devices come and go from your network. As a result, it is very common to see the same IP address appear under multiple devices in the Devices list.

Sometimes, Entity Tracking cannot determine that two entities are in fact the same device. In this case, while the devices may have identical IPs, Type, and Operating System values, they will have different device IDs and Risk score indicators.

Domains Tab

The Domains tab displays domains that match the current query.

To view the domains associated with a query:
  1. Click the Domains icon to open the Domains tab in the Workbench.
The number of domains in the current query appears under the Domains icon to the left of the workbench screen; if the number is unexpectedly large, try narrowing your query. If there is no current query, the tab will show all domains seen on the network.
Figure 18. Domain Results Review

By default, the list is ordered by the Risk Level field, appearing at the far left. To customize the display:
  1. Sort by a different field by clicking the arrow to the right of the desired sort criterion.
  2. Choose the direction of the sort: either Ascending or Descending.
  3. Click the Customize icon at the far right of the column headings to customize which fields are displayed.
Each item in the list represents a domain entity profiled on your network. The fields in the list have the following meanings:
Term          Description
Risk Level    The risk level is the computed value of all of a domain’s attributes and activities. The system assigns a score to each, then combines these scores to reach an overall score for the domain, displayed as Low, Medium, or High. The last time risk values were calculated for the result set is displayed at the top of the page.
Domain        The registered domain name.
Registered    The date that the domain was registered.
Registrar     The registrar with which the domain name is registered.
Name Server   The name server for the domain.

Details from the Domains Profile

To see details of a domain:
  1. Click on the domain name in the second column. This will open the Domain Profile page for that domain name, including a list of devices accessing the domain.
  2. Click the Details button at the bottom of the left panel to see external IP addresses for the domain. You may need to scroll down to see the button.
Figure 19. Domain Details

Time Controls

Every query applies to a specific time interval or window. Many variables in Awake have been calculated over its entire history since it was installed on your network, but you are only shown a small window within that span. The default window is one hour.

On the Workbench tab, you can use the timeline controls to edit this default window in several ways:
  • select a time range from the time-range picker menu; for example, Last 1 Hour and click on the Search icon,
  • manually adjust the time range fields to create a custom range and hit Enter or click on the Search icon, or
  • adjust the timeline window using the left arrow or right arrow.

Understanding "Now" and the Timeline Controls

When you use the time-range menu to set the time window, your queries cover the period ending the moment you click Search to submit the query. But that endpoint does not update automatically, and though data keeps flowing in, your query is limited to the interval ending at that endpoint. In effect, query results are frozen at the moment you click Search or hit Enter. To get the latest results, you can refresh your browser view, or click on the round blue Refresh icon on the right of the Search field.

What the Timeline Displays

The timeline shows a device count (the default), a domain artifacts count, or an activity count. You can verify by hovering over a column with the pointer, which will bring up a tooltip showing the time span of that column, the type of data, and the quantity.

When you select a device in the table, its details are shown in a new pane on the right, including a timeline showing when that device was seen. The duration of the device or the timeline may exceed the boundaries of the timeline you have displayed.