
Viewing Insight Summary

The Insight Reports summary provides a brief description of the selected Insight, including its priority level (High, Medium, Low, or Info) and the date and time of its first and most recent detection. It also lets you view the full-length Insight ID number and provides options to edit the Insight's status, share and export the Insight, and view the associated indicators of compromise. Additionally, the summary includes information about the threat category, the threat feed or knowledge base in which the Insight was detected, and any comments related to the Insight.

The Insight Summary provides a brief description of the Insight along with the following key features.

  • Insight Description: The Insight Summary includes a brief description of the Insight, providing an overview of the reported threat's category type along with its confidence level.
  • Priority Rating: The priority rating card displays the priority level of the Insight, which can be High, Medium, Low, or Info.
  • Detection Date and Time: The Insight Summary shows the date and time of the first detection of the Insight, as well as the most recent detection. All times are adjusted to the local time zone.
  • The full-length Insight ID number.
  • Interactive charts to assist with threat investigations, monitoring, and mitigations. 


Image: A detailed view of the SOC Insights - Viewing Insight Summary dashboard used for managing SOC insights. The Viewing Insight Summary dashboard is designed to give cybersecurity professionals detailed insights into DNS Tunneling threats, providing actionable recommendations and visual representations of the threat's active period, as well as the ability to manage and mitigate the risks associated with the identified threat.

The Dashboard

call-out A

Insight Summary: The Insight Summary includes a brief description of the Insight, including the type of threat associated with the Insight.

call-out B

Priority Notification: The priority rating card displays the following information about the Insight:

  • Priority: The Insight's priority level (High, Medium, Low, or Info).
  • Date and time: The Insight's date and time of first detection and for its most recent detection. All times are adjusted to the local time zone. 

call-out C

Insight ID: Roll over the truncated Insight ID displayed on the page to view the full-length Insight ID number in a tooltip.

call-out D

Copy Insight: Click the copy icon to copy the insight to the clipboard. 

call-out E

Edit Insight: Click the edit icon to change the status of an Insight. The Insight Change Status window will appear. In the window, you can change the Insight status from Insight Open to Insight Close, or from Insight Close to Insight Open, by toggling the status switch. Optionally, you can leave a comment in the text field at the time of the status change. You can also read prior comments associated with the Insight. Click Save & Close to complete the Insight status change. Note that the Save & Close button is not accessible (it is grayed out) until a status change has been made for the Insight.
 
Image: A detail view of the Edit window.

call-out F

Share & Export Options: Click Share & Export to share a selected Insight within your organization. The Share Insight window will appear, allowing you to choose any or all information associated with an Insight. Raw logs can be downloaded in zip format, while the Summary can be downloaded as a PDF by clicking Download.


Image: A detail view of the Share Insight window.

call-out G

Active Period: The active period displays the following information:

  • Active Days: The number of days the insight has been active. Additionally, 
  • First Observed: The date and time the insight was first observed on the network.
  • Last Observed: The date and time of the last observation of the insight on the network. 

call-out H

Assets: The Assets section of the Summary page provides the following information:

  • Total Number of Assets: Displays the total number of assets associated with the insight. Click View All Assets to view all assets on the Assets page.
  • Unblocked Indicators: This displays the number of unblocked threat domains associated with the asset. Click on the link to view information about unblocked assets on the Assets page.
  • All Impacted Assets chart: The All Impacted Assets interactive chart displays information about all impacted assets associated with the insight. Click an entry on the chart to view additional information on the Assets page.

call-out I

Environmental Observations: This section provides information on the insight observed in your network. The information provided includes a brief description of the insight along with information about its class and family.

call-out J

Indicators/Events: This section provides interactive charts and related information on threat domains and/or events associated with the asset. Click View All Threat Domains to view additional information on the Indicators page. You can also click the number of Blocked or Not Blocked threat domains/events to view additional information on the Indicators page. This section also shows the number of blocked domains/events versus those that are unblocked.

call-out K

Insight Recommendations: This section provides recommendations on mitigating the asset. Click Block this domain(s) to add the asset to a custom list.


Image: A detail view of the Add to Custom List window.

For information on custom lists, see Creating Custom Lists.

You can also do the following on the page: 

  • Background Tasks: Click the hourglass icon to open the side panel and view a list of all running background tasks.

  • Search: Click the search icon in the Search text box, then enter your search criterion. 

  • Pagination Controls: At the bottom left, there are controls for navigating through the pages of insights, indicating that more data is available beyond what is displayed on the current page. Click the number of insight records to display per page; the options are 25, 50, or 100.
  • Click <Back to Console of Insights to return to the Open Insights console.


Threat Feed Missing

If a threat feed is missing from your configuration, you will receive the following notification on the Summary page. The notification provides the policy name along with the ignored feed name. To add the missing feed to your policy, click Update Policies. It may take up to 24 hours for the system to reflect the updated feed configuration.

Issue: Threat Feed Missing Notification

Please note that after adding the missing feed to your configuration as indicated by a "Threat Feed Missing" notification, it may take up to 24 hours for the system to reflect the updated feed configuration, as Insight re-checks every 24 hours.



Image: The Threat Feed Missing page.


Triggered Events (applicable to specific DNS tunneling insights only)

SOC Insights provides information on DNS tunneling insights. When this scenario occurs, a triggered event is reported as part of the summary report. The information contains all pertinent facts about the detection, including what event was triggered and why. In the screenshot below, the information about the triggered event is displayed in the purple box in the bottom left-hand corner of the UI.

Image: The SOC Insights Summary page displaying triggered events and why the event was detected.