
Cyware Threat Intelligence eXchange

System Dashboards

Intel Exchange supports predefined dashboards to monitor threat data related to key platform entities. These dashboards provide a standardized view of the threat data analytics. For example, the Rules dashboard monitors the progress of rules configured in the platform.

Intel Exchange supports the following predefined dashboards:

Analyst Dashboard

Use the Analyst dashboard to monitor relevant actionable items and gain insights into the threat intel sources. The data displayed in the widgets is based on the dashboard's default time frame, which you can customize to view statistics for a specific period.

The Analyst dashboard includes the following summary widgets:

  • Domain Objects: View the number of domain objects received in the platform in the selected time frame of the dashboard.

  • TLP Red - Domain Objects: View the number of domain objects with TLP red received in the platform in the selected time frame of the dashboard. TLP red signifies that the intel must be restricted to a limited set of analysts, as the objects may involve potential risk.

  • TLP Amber - Domain Objects: View the number of domain objects with TLP amber received in the platform in the selected time frame of the dashboard. TLP amber signifies that the intel must be limited to the organization’s analysts.

  • High Confidence Indicators: View the number of indicators with high confidence scores received in the platform in the selected time frame of the dashboard. A high confidence score indicates a high degree of maliciousness of the objects; it ranges from 70 to 100 and is shown in red on the platform.

  • Deprecated Indicators: View the number of indicators marked as deprecated in the platform in a specific time frame.

  • Allowed Indicators: View the number of indicators marked as allowed in the platform in a specific time frame.

  • False Positive Indicators: View the number of indicators marked as false positive in the platform in a specific time frame.

  • Top Geography - IP: View the name of the country that received the most IP addresses in the platform in the selected time frame of the dashboard.

An Analyst dashboard includes the following information widgets:

  • Feed Sources vs IOCs: View the number of IOCs received in the platform from various feed sources, such as API feeds, STIX sources, RSS feeds, and email accounts. You can choose a specific feed source to view on the dashboard and change it as per your requirements.

  • Domain Objects vs Source: View the number of STIX domain objects received in the platform from various sources.

  • IOCs timeline vs Countries: View the timeline of the number of IOCs of a specific type, for example the number of IPv4 IOCs reported in the United States. You can view it for a particular country or for all countries.

  • TLP vs IOCs: View the number of IOCs by their TLP type.

  • Top 5 Recurring tags: View the five most frequently observed tags across the platform and object types by their count.

  • IP distribution by countries: View the distribution of IP addresses by country on a world map.

ATT&CK Navigator Dashboard

Use the ATT&CK Navigator dashboard to visualize threat intel based on ATT&CK Navigator’s mapping and to get a clear picture of your organization's cybersecurity posture.

The ATT&CK Navigator dashboard includes the following summary widgets:

  • Top Technique (MITRE ATT&CK): View the most mapped technique used by the threat actors in a specific date range. These threat actors are identified and mapped with respect to the ATT&CK navigator's framework.

  • Top Threat Actor (MITRE ATT&CK): View the most observed MITRE threat actor identified in the platform.

  • Allowed Indicators: View the number of indicators marked as allowed in the platform in a specific time frame.

  • False Positive Indicators: View the number of indicators marked as false positive in the platform in a specific time frame.

  • Deprecated Indicators: View the number of indicators marked as deprecated in the platform in a specific time frame.

  • Domain Objects: View the number of domain objects received in the platform in the selected time frame of the dashboard.

The ATT&CK Navigator dashboard includes the following information widgets:

  • Enterprise or Mobile vs Software: View the number of software entries received in the platform, categorized by Enterprise or Mobile matrix type. Software here means the tools or utilities employed to carry out specific attacks or take advantage of vulnerabilities, as outlined in the MITRE ATT&CK navigator framework. You can choose either the Enterprise or the Mobile matrix to view on the dashboard and change it as per your requirements.

  • Enterprise or Mobile vs Log Data sources: View the number of data sources received in the platform, categorized by Enterprise or Mobile matrix type. These data sources refer to the tools or utilities employed to gather the information detailed in the MITRE ATT&CK navigator framework. You can choose either the Enterprise or the Mobile matrix to view on the dashboard and change it as per your requirements.

  • Enterprise or Mobile vs Tactic: View the number of tactics received in the platform and aligned with the MITRE ATT&CK navigator framework. You can choose either the Enterprise or the Mobile matrix to view on the dashboard and change it as per your requirements.

  • Enterprise or Mobile vs IOC: View the number of IOCs received in the platform that have been linked to techniques, following the MITRE ATT&CK navigator framework. You can choose either the Enterprise or the Mobile matrix to view on the dashboard and change it as per your requirements.

  • Enterprise or Mobile vs Threat Actor: View the number of threat actors received in the platform and aligned with the MITRE ATT&CK navigator framework. You can choose either the Enterprise or the Mobile matrix to view on the dashboard and change it as per your requirements.

Rules Dashboard

Use the Rules dashboard to monitor the rules configured in the platform to automate your tasks. The widgets in the Rules dashboard include metrics that help you understand the different types of configured rules and their performance.

The Rules dashboard includes the following summary widgets:

  • Allowed Indicators: View the number of indicators marked as allowed in the platform in a specific time frame.

  • Manual Review (Threat Data): View the number of indicators marked for manual review in Threat Data in the specified time frame of the dashboard.

  • Deprecated Indicators: View the number of indicators marked as deprecated in the platform in a specific time frame.

  • High Confidence Indicators: View the number of indicators with high confidence scores received in the platform in the selected time frame of the dashboard. A high confidence score indicates a high degree of maliciousness of the objects; it ranges from 70 to 100 and is shown in red on the platform.

  • False Positive Indicators: View the number of indicators marked as false positive in the platform in a specific time frame.

  • Not Started Tasks: View the number of tasks that are yet to be picked by analysts in the platform.

The Rules dashboard includes the following information widgets:

  • Rule Performance by Domain Objects: View the performance of a particular rule based on the number of STIX domain objects.

  • Domain Objects Processed by Rules: View the number of rules executed for STIX domain objects.

  • IOCs Processed by Rule Actions: View the number of actioned IOCs based on the configured rules.

  • Rule Performance by IOC Types: View the performance of a particular rule based on different IOC types.

Feeds ROI Dashboard

Use the Return on Investment (ROI) dashboard to get comprehensive information and analysis about the performance of threat intel received from various sources. This dashboard enables Threat Intel Analysts and SOC Managers to continuously evaluate and reassess threat intel providers and make informed decisions about the feeds your organization is actively using or subscribing to.

This dashboard helps budget decision-makers subscribe only to the feed providers that are relevant and trustworthy for your organization, so that security teams gain true business value from threat intelligence data. It also lets security teams spend more time investigating the threats that impact their organization and reduce unplanned downtime.

The Feeds ROI dashboard includes the following summary widgets:

  • Allowed Indicators: View the number of indicators marked as allowed in the platform in a specific time frame.

  • Medium Confidence Indicators: View the number of indicators with medium confidence scores received in the platform in the selected time frame of the dashboard. A medium confidence score indicates a medium degree of maliciousness of the objects; it ranges from 40 to 70 and is shown in orange or yellow on the platform.

  • Deprecated Indicators: View the number of indicators marked as deprecated in the platform in a specific time frame.

  • False Positive Indicators: View the number of indicators marked as false positive in the platform in a specific time frame.

  • High Confidence Indicators: View the number of indicators with high confidence scores received in the platform in the selected time frame of the dashboard. A high confidence score indicates a high degree of maliciousness of the objects; it ranges from 70 to 100 and is shown in red on the platform.

  • Manual Review (Threat Data): View the number of indicators marked for manual review in Threat Data in the specified time frame of the dashboard.

The Feeds ROI dashboard includes the following information widgets:

  • Confidence Score vs IOCs: View the distribution of confidence scores of indicators reported by the various feeds configured in the platform.

  • Early Reporters: View the metrics of the feed sources that are the early reporters of threat intel. These metrics help you determine which feed sources provide relevant and timely threat intel, so you can make an informed choice of the feed providers to invest in.

    For example, you have subscribed to three feed sources A, B, and C that provide similar relevant threat intel. Source A provides the information in two days, source B in one day, and source C in four days. Since source B provides the most relevant threat intel in the shortest time, source B is the early reporter for the required intel.

    This widget presents the information as a curved timeline or a table, making it easy to understand and to decide which sources to invest in. However, the Early Reporters widget is not compatible with the timeline graph view.

  • Source vs IOCs: View the statistics of IOCs received from different sources.

  • IOC Analysis Status: View the number and type of IOCs based on their deprecation and allowed list status.
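The Early Reporters logic described above, worked through as an added example (this is not Cyware's code or the platform's actual algorithm): for every indicator reported by two or more sources, the source with the earliest first-seen time is credited as the early reporter, and each source's mean lag behind the earliest reporter is computed. Source names A, B, C and all timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample observations: (source, indicator, first-seen time).
# Sources A, B and C mirror the page's example; the values are invented.
OBSERVATIONS = [
    ("B", "198.51.100.7", "2024-03-02T08:30:00"),
    ("A", "198.51.100.7", "2024-03-03T08:30:00"),  # one day behind B
    ("A", "198.51.100.7", "2024-03-04T08:30:00"),  # repeat report, ignored
    ("C", "198.51.100.7", "2024-03-05T08:30:00"),  # three days behind B
    ("A", "evil.example", "2024-03-10T10:00:00"),
    ("B", "evil.example", "2024-03-11T10:00:00"),  # one day behind A
    ("B", "203.0.113.9", "2024-03-15T00:00:00"),
    ("A", "203.0.113.9", "2024-03-15T12:00:00"),   # half a day behind B
    ("A", "bad.example", "2024-03-12T10:00:00"),   # single reporter: not ranked
]


def early_reporters(observations):
    """Per-source stats: how many shared indicators the source reported first
    and its mean lag in days behind the earliest reporter of each indicator."""
    first_seen = defaultdict(dict)  # indicator -> {source: earliest datetime}
    for source, indicator, ts in observations:
        seen = datetime.fromisoformat(ts)
        prev = first_seen[indicator].get(source)
        if prev is None or seen < prev:  # keep a source's earliest report only
            first_seen[indicator][source] = seen

    wins = defaultdict(int)
    lags = defaultdict(list)
    for by_source in first_seen.values():
        if len(by_source) < 2:  # no competing reporter, nothing to compare
            continue
        earliest = min(by_source.values())
        for source, seen in by_source.items():
            lags[source].append((seen - earliest).total_seconds() / 86400)
            if seen == earliest:
                wins[source] += 1
    return {
        s: {"first_reports": wins[s],
            "mean_lag_days": round(sum(lags[s]) / len(lags[s]), 2)}
        for s in lags
    }


def rank_sources(stats):
    """Order sources by number of first reports, then by smallest mean lag."""
    return sorted(stats, key=lambda s: (-stats[s]["first_reports"],
                                        stats[s]["mean_lag_days"]))
```

Running `rank_sources(early_reporters(OBSERVATIONS))` ranks B first, matching the page's reasoning that the source with the shortest reporting time is the early reporter.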