7.5. Use of NDR dashboards

7.5.1. Introduction

When an attack on an information system is confirmed, analyst teams must be able to quickly understand the origin of the attack, its target, and its overall impact.

The NDR dashboards of the GCenter will facilitate these inquiries by making available a wealth of essential information.

They will enable:

• Analysing the alerts for each type of engine

• Viewing information and alerts specific to the network's equipment

• Viewing information and alerts specific to the network's users

• Viewing the relationships between the different equipment and users

See Overview of the WEB UI

For	go to the
Retrieving information related to an alert	Procedure to retrieve information related to an alert
Processing equipment	Procedure to process the equipment
Processing a user	Procedure to process the users
Managing association rules	Procedure to manage association rules
Relation between equipment and users	Procedure to analyse the relationship between equipment and users

---

7.5.2. Prerequisites

• User : member of Operator group

---

7.5.3. Preliminary operations

• Login to GCenter via a browser (see Connection to the GCenter web interface via a web browser)

---

7.5.4. Procedure to retrieve information related to an alert

• From the navigation bar, click on the `Home` button.

  In the Message Area of the `Home` screen, alerts are displayed classified by risk level.

• Click on an alert requiring investigation.

  The `Alerts` screen of the web UI is displayed.
  
• If the `Aggregated` button is ticked, click again on the alert again in the page that appears.
• Once the alerts are not aggregated, click on the alert requiring investigation.

  A popup appears with the alert details.
  

  This window displays important information:

  • The details of the alert

  • The name of the equipment concerned or impacted by this alert

  • The IP addresses concerned or impacted by this alert

  Note

  This window is detailed in paragraph Alert information window.

• Click on the name of one of the devices in question in the popup to display the device's file.

  The following are displayed:

  • Its risk score

  • IP address

  • Its mac address

  • The metadata generated

  • Alerts generated

• From the equipment IP, search on it in the `Users` page (example: IP:192.168.0.1).

• Click on the user to display the user record.

  The following are displayed:

  • Its risk score

  • IP address

  • Its equipment on the network

  • The metadata generated

  • Alerts generated

  • Its relationship with other equipment or network users

• Continue investigations, as above, if other equipment is present in the alert being processed.

---

7.5.5. Procedure to process the equipment

• From the navigation bar, click on the `Assets` button.

The active equipment management interface provides a list of the different equipment on the network listed by risk score.

The equipment with the highest risk score are those that have raised the most high criticality alerts. It may therefore be necessary to carry out an in-depth analysis of the equipment in question.

It may therefore be necessary to perform a thorough analysis on the equipment in question.

• Click on the desired equipment.

• Analyse the various alerts (1) noted for this equipment.

• If necessary, add a tag (8) that will give status to the equipment.

• If necessary, add a note (9) to indicate the different analyses performed.

---

7.5.6. Procedure to process the users

• From the navigation bar, click on the `Users` button.

The active user management interface provides a list of the different users on the network listed by risk score.

The user with the highest risk score are those that have raised the most high criticality alerts.

It may therefore be necessary to carry out an in-depth analysis of the user in question.

• Click on the desired user.

• Analyse the various alerts noted for this user.

• If necessary, add a tag to give the user a status.

• If necessary, add a note to indicate the different analyses performed.

---

7.5.7. Procedure to manage association rules

• From the navigation bar, click successively on :

• The `Config` button

• The button `Assets/Users Association rules`

  The interface for managing association rules `Assets/Users association rule` allows to set up rules concerning equipment and users present on the network.

• In the Asset detection network range section:

  
  • Click on the `Network variables can be configured for each gcap` link to add internal networks via the GCap profile customization feature.

    For more information, see `Asset detection network range` section of the `Assets/Users Association rules` sub menu.

• In the `Ignored IP for users association` section:

  
  • Declare IP addresses that cannot be associated with a user to avoid wrong associations.

    For more information, see `Ignored IP for users association` section of the sub menu `Assets/Users Association rules`.

• In the `Ignored MAC for assets association` section:

  
  • Declare MAC addresses that cannot be associated with equipment to avoid wrong associations

    For more information, see `Ignored MAC for assets association` section of the sub menu `Assets/Users Association rules`.

• In the `Forbidden users` section:

  
  • Declare users not to appear in NDR dashboards (example: CEO, administrator)

    For more information, see `Forbidden users` section of the sub menu `Assets/Users Association rules`.

• In the `Forbidden assets` section:

  
  • Declare the equipment not to appear in the NDR dashboards (example: sensitive equipment, irrelevant equipment)

    For more information, see `Forbidden assets` section of the sub menu `Assets/Users Association rules`.

---

7.5.8. Procedure to analyse the relationship between equipment and users

• From the navigation bar, click on the `Relations` button.

• Choose the desired period using the timeline at the bottom of the page.

• Locate a user or equipment flashing red (risk score > 75%).

• Click on it, its interactions with other users and equipment are activated and a popup is displayed.

• Move the mouse over the activated links (interactions) to see what they mean.

• In the popup, the elements enabling further investigation are shown:

  • The main information about the item

  • Alerts raised by the item

---