Dashboard
The Dashboard displays statistics about the number and type of files that have been submitted to and processed on the appliance within a selected time range.
Dashboard UI
UI element | Description |
---|---|
Advanced Search box | Text field for entering search queries; lists the supported keywords and keeps recent queries. |
Time range filter | Sets the period (in UTC) for which dashboard data is displayed; defaults to Last Week. |
Download Report button | Exports the current state of the dashboard page as a PDF file. |
Advanced Search box
The Advanced Search box is a text field where users enter search queries; it also lists all supported search keywords. Recent search queries are preserved and shared between the Dashboard and the Search page.
Advanced Search also accepts free-text (non-keyword) queries, so users can build a search quickly without specifying a keyword.
Time range filter
The time range filter allows users to set the period for which the data is displayed on the dashboard page. All time values refer to UTC time. By default, the time range filter is set to Last Week.
Download Report button
Clicking the Download Report button exports the current state of the dashboard page into a PDF file.
Analysis Statistics
Analysis Statistics breaks down the number of files submitted to the appliance into the total number of submitted files, total number of files extracted from submitted files, and total size of all submitted files. These are further categorized into analyzed emails, archives, apps and other file types.
Finally, this section also displays the classification distribution of analyzed files in the selected time range and their corresponding graphs. Hovering over the graphs displays the number of samples with that classification at specific points in time.
Top Malicious Family Detections by Malware Type
Top Malicious Family Detections by Malware Type displays the most common malware types detected in files analyzed in the specified time range. The most prevalent threat families for each malware type are listed with the count of samples they were detected in. Clicking any of the entries in this section opens the advanced search page with local search results for the selected threat name and time range criteria.
YARA Matches
YARA Matches show an overview of YARA hunting activities on the appliance and in the Spectra Intelligence cloud. Users can see a list of their Favorite YARA rulesets or Last Matched rulesets. If there are no favorited YARA rulesets, the table defaults to the Last Matched view.
Both table views can be further filtered by match sources. Filtering can be configured to show All, Local, Cloud, Local Retro, or Cloud Retro matches.
Each table row shows the YARA ruleset name, its owner, one or more match sources, the number of matches per classification, the time of the latest match, and the number of new matches in the last 24 hours, 7 days and 30 days. Rulesets with matches in the last 24 hours are labeled NEW.
Clicking a specific ruleset name opens the ruleset on the YARA page.
Timeline Analysis for Detected Malware Samples
Timeline Analysis for Detected Malware Samples displays all malicious samples present on the appliance, highlighting the difference between their local and cloud classification times. This section always shows all available information as it is not affected by the time range filter at the top of this page.
The data set displayed here includes all malicious samples on the appliance, regardless of whether they were submitted to the appliance by the users or downloaded from Spectra Intelligence.
Depending on the time difference between the local and cloud classification times, every malicious sample on the appliance falls into exactly one of the following categories. Categories labeled Prior cover samples the appliance classified before the cloud first saw them; categories labeled After cover samples the cloud saw first.
Category | Description |
---|---|
Never Seen | Samples classified as malicious by the appliance that have never been seen in the Spectra Intelligence cloud. If the appliance is not connected to Spectra Intelligence, every malicious sample falls into this category. |
More Than 30 Days | Samples first seen in the Spectra Intelligence cloud more than 30 days after the appliance classified them as malicious. |
30 Days Prior | Samples first seen in the Spectra Intelligence cloud between 7 and 30 days after the appliance classified them as malicious. Below the aggregate count, this category is broken down into columns with daily totals. |
7 Days Prior | Samples first seen in the Spectra Intelligence cloud up to 7 days after the appliance classified them as malicious. Below the aggregate count, this category is broken down into columns with daily totals. |
Same Day | Samples classified as malicious by the appliance and first seen in the Spectra Intelligence cloud on the same day. |
7 Days After | Samples first seen in the Spectra Intelligence cloud up to 7 days before the appliance classified them as malicious. Below the aggregate count, this category is broken down into columns with daily totals. |
30 Days After | Samples first seen in the Spectra Intelligence cloud between 7 and 30 days before the appliance classified them as malicious. Below the aggregate count, this category is broken down into columns with daily totals. |
More Than 30 Days | Samples first seen in the Spectra Intelligence cloud between 30 and 90 days before the appliance classified them as malicious. |
More Than 90 Days | Samples first seen in the Spectra Intelligence cloud more than 90 days before the appliance classified them as malicious. |
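The bucketing above is a day-difference calculation. The following Python is an added example written for this page, not appliance code: it assigns a sample to one of the dashboard categories from its local classification time and (optional) cloud first-seen time, and then aggregates a set of samples into per-category counts plus the daily totals the 7-day and 30-day buckets show. Two things the page leaves open are stated as assumptions in the code: "same day" is compared on UTC calendar days (the dashboard uses UTC throughout), and a gap of exactly 7 or 30 days counts toward the smaller bucket. Because the page uses the name "More Than 30 Days" on both sides of Same Day, the example adds a "(Prior)"/"(After)" suffix purely to tell the two apart. The sample timestamps are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# Bucket names as shown on the dashboard. The page lists "More Than 30 Days"
# on both sides of "Same Day"; the suffix here only distinguishes the two.
NEVER_SEEN = "Never Seen"
DAILY_BUCKETS = {"7 Days Prior", "30 Days Prior", "7 Days After", "30 Days After"}
UTC = timezone.utc


def _utc_day(ts: datetime):
    # Dashboard times are UTC. A naive timestamp is assumed to already be UTC.
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=UTC)
    return ts.astimezone(UTC).date()


def timeline_category(local_classified: datetime,
                      cloud_first_seen: Optional[datetime]) -> Tuple[str, int]:
    """Return (bucket, offset) for one malicious sample.

    offset = cloud first-seen day minus local classification day, in whole UTC
    calendar days. Positive: the appliance classified the sample before the
    cloud saw it ("... Prior"). Negative: the cloud saw it first ("... After").
    Boundary handling (a gap of exactly 7 days is "7 Days", not "30 Days") is
    an assumption; the page does not state it.
    """
    if cloud_first_seen is None:
        return NEVER_SEEN, 0
    offset = (_utc_day(cloud_first_seen) - _utc_day(local_classified)).days
    if offset == 0:
        return "Same Day", 0
    if offset > 0:                      # appliance was ahead of the cloud
        if offset <= 7:
            return "7 Days Prior", offset
        if offset <= 30:
            return "30 Days Prior", offset
        return "More Than 30 Days (Prior)", offset
    gap = -offset                       # cloud was ahead of the appliance
    if gap <= 7:
        return "7 Days After", offset
    if gap <= 30:
        return "30 Days After", offset
    if gap <= 90:
        return "More Than 30 Days (After)", offset
    return "More Than 90 Days", offset


def timeline_summary(samples: Iterable[Tuple[datetime, Optional[datetime]]]) -> Dict[str, dict]:
    """Aggregate (local_classified, cloud_first_seen) pairs into the dashboard view:
    a count per bucket, plus per-day totals for the buckets the page breaks down by day."""
    counts: Counter = Counter()
    daily: Dict[str, Counter] = defaultdict(Counter)
    for local_ts, cloud_ts in samples:
        bucket, offset = timeline_category(local_ts, cloud_ts)
        counts[bucket] += 1
        if bucket in DAILY_BUCKETS:
            daily[bucket][offset] += 1
    return {"counts": dict(counts), "daily": {k: dict(v) for k, v in daily.items()}}


# Constructed input, not appliance data: (local classification time, cloud first-seen time).
CONSTRUCTED_SAMPLES = [
    (datetime(2024, 3, 10, 23, 30, tzinfo=UTC), None),                                     # never seen in the cloud
    (datetime(2024, 3, 10, 23, 30, tzinfo=UTC), datetime(2024, 3, 11, 0, 10, tzinfo=UTC)),  # 40 minutes apart, next UTC day
    (datetime(2024, 3, 10, 12, 0, tzinfo=UTC), datetime(2024, 3, 17, 12, 0, tzinfo=UTC)),   # exactly 7 days later
    (datetime(2024, 3, 10, 12, 0, tzinfo=UTC), datetime(2024, 3, 18, 12, 0, tzinfo=UTC)),   # 8 days later
    (datetime(2024, 3, 10, 12, 0, tzinfo=UTC), datetime(2024, 3, 10, 1, 0, tzinfo=UTC)),    # same UTC day
    (datetime(2024, 3, 10, 12, 0, tzinfo=UTC), datetime(2024, 2, 1, 12, 0, tzinfo=UTC)),    # cloud saw it 38 days earlier
    (datetime(2024, 3, 10, 12, 0, tzinfo=UTC), datetime(2023, 11, 1, 12, 0, tzinfo=UTC)),   # cloud saw it 130 days earlier
]

if __name__ == "__main__":
    for bucket, n in timeline_summary(CONSTRUCTED_SAMPLES)["counts"].items():
        print(f"{bucket:28} {n}")
```

The second constructed sample is the case worth noticing: the two timestamps are 40 minutes apart, yet they land in "7 Days Prior" rather than "Same Day" because the comparison is on calendar days, so a sample classified just before midnight UTC can look one day "ahead" of the cloud.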
Top Email Threats Collected During Sample Analysis
Top Email Threats Collected During Sample Analysis shows the list of email samples grouped by email address or email subject. It can be filtered and exported using the following options:
- Classification filter: by default, the table shows email samples classified as malicious, but it can be switched to goodware, suspicious, or samples with no threats found. Selecting All Classified shows all email samples regardless of classification; in that view some columns are left empty, because an extracted email address or subject can come from samples with different classifications and the values cannot be aggregated meaningfully.
- Filter by Email Address/Subject and Threat Name: text fields that filter results by threat name and, depending on the option selected under Pivot by, by email address or by subject. Both fields support autocompletion and suggest only values that exist in the table. Filtering by threat name is possible only when the table is showing malicious or suspicious samples.
- Pivot by: drop-down list that controls the contents of the Pivoting Information column (email address or email subject) and determines what the email filter text field matches against.
- Email address type filter: available only when Pivot by is set to Email address. It restricts the table to samples in which the extracted address appears in the To field or in the From field. The filter is disabled when pivoting by email subject.
- Export: export the entire table as a CSV file. To export a single page, select it by clicking the checkbox on the far left, and then click Export. Selecting and exporting individual table rows is currently not supported.
The table data is organized into the following columns:
- Checkbox: click to select a single page when exporting data. Selecting and exporting individual table rows is currently not supported.
- Risk Score: all emails are assigned a risk score that corresponds to the severity value of the most prevalent threat name detected in samples containing the extracted email address or subject.
- Last Seen: indicates when the appliance last recorded the sample(s) containing the threat.
- Threat Name/Threat Count: the name of the threat with the most detections related to each entry, and the number of samples containing both the pivoting information and the detected threat. Click the threat name in this column to perform an Advanced Search query.
- Total Classified: shows the number of classified email samples that contain the listed pivoting information. The title of this column dynamically changes to match the classification selected in the Classification filter.
- Type: visible only when pivoting by email address; shows whether the address was extracted from the To or the From field of the email.
- Pivoting Information: contains the email addresses/subjects, depending on the option selected in the Pivot by filter. To see a list of samples containing a specific address/subject, click the links. Email-related tags are displayed below each of the entries. Click any of the links or tags to perform an Advanced Search query.
- Total Emails: total number of samples containing the pivoting information.
Top URIs Collected During Sample Analysis
Top URIs Collected During Sample Analysis shows a list of malicious and/or interesting URIs extracted from files analyzed in the specified time range. It can be filtered and exported using the following options:
- Filter by Threat Name: select a threat name from the drop-down list, or type a threat name into the text field. This field supports autocompletion, and suggests only those threat names that can be found in the table. To reset the filter, select “–” from the drop-down list.
- Type: from the drop-down list, select Domain, Link or IP to show only URIs recognized as domains, links, or IPv4/IPv6 addresses. Select All to reset the filter and show all URIs.
- Origin: from the drop-down list, select whether to see URIs extracted as a result of static analysis, dynamic analysis, and/or those that have been extracted from malware configuration files. All three origin sources are enabled by default.
- Export: export the entire table as a CSV file. To export a single page, select it by clicking the checkbox on the far left, and then click Export. Selecting and exporting individual table rows is currently not supported.
The table data is organized into the following columns:
- Checkbox: click to select a single page when exporting data. Selecting and exporting individual table rows is currently not supported.
- Risk Score: all URIs are assigned a risk score that corresponds to the severity value of the most prevalent threat name detected in samples containing the extracted URI.
- Last Seen: indicates when the appliance last recorded the sample(s) containing the URI.
- Threat Name/Threat Count: if any threats are found within samples containing a specific URI, this column lists the most prevalent threat name, and the number of samples containing both the URI and the detected threat. Click the threat name in this column to perform an Advanced Search query.
- Total Count: shows the number of samples containing the URI. Click the URI in the Pivoting Information column to perform an Advanced Search query.
- Type: categorizes the URI as Domain, Link, or IP. URIs recognized as links have a Download button next to them, which makes the appliance fetch the URI and submit the result for analysis; note that this means the appliance contacts the remote host. If the URI points to a web page, the appliance crawls its contents and downloads the page as a compressed file. The page is crawled one level deep, and links are followed regardless of the domain they point to. URIs pointing to files are treated as single file downloads/submissions. All downloaded URIs can be found on the Advanced Search page.
- Pivoting Information: contains all or specific URIs extracted from files on the appliance, depending on the option selected in the Type filter. To see a list of samples containing a specific URI, click the links. URI-related tags are displayed below each of the entries. Click any of the tags to perform an Advanced Search query to find all files tagged with the same System Tag in the time range selected on the dashboard.
- Origin: indicates the source from which the appliance extracted each URI. Supported sources are static analysis results, dynamic analysis results, and malware configuration files.
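Both the Top Email Threats table and the Top URIs table are the same aggregation applied to a different pivot value: for each extracted address, subject or URI, count the samples that contain it, find the most prevalent threat name among them, and take that threat's severity as the row's risk score. The Python below is an added example written for this page, not appliance code or its API, and it uses constructed sample records. It builds rows with the Risk Score, Last Seen, Threat Name/Threat Count and Total Count columns for either pivot, applies the classification and threat-name filters, and, for the URI view, the Type filter. Two details the page does not specify are marked as assumptions: how ties between equally prevalent threat names are broken, and the rule that sorts a URI into Domain, Link or IP.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

UTC = timezone.utc

# Constructed analysis records (not appliance output). One record per analyzed sample:
# classification, detected threat name and its severity, when the appliance last saw
# the sample, and the URIs / email addresses extracted from it.
SAMPLES = [
    {"classification": "malicious", "threat_name": "Win32.Trojan.Example", "severity": 8,
     "last_seen": datetime(2024, 3, 10, 8, 0, tzinfo=UTC),
     "uris": ["http://bad.example/drop.exe", "bad.example", "203.0.113.5"],
     "email_addresses": ["invoice@bad.example"]},
    {"classification": "malicious", "threat_name": "Win32.Trojan.Example", "severity": 8,
     "last_seen": datetime(2024, 3, 11, 9, 0, tzinfo=UTC),
     "uris": ["bad.example", "203.0.113.5"], "email_addresses": ["invoice@bad.example"]},
    {"classification": "malicious", "threat_name": "Document.Downloader.Example", "severity": 5,
     "last_seen": datetime(2024, 3, 12, 10, 0, tzinfo=UTC),
     "uris": ["bad.example", "http://bad.example/drop.exe"], "email_addresses": []},
    {"classification": "suspicious", "threat_name": "Script.Heuristic.Example", "severity": 3,
     "last_seen": datetime(2024, 3, 13, 11, 0, tzinfo=UTC),
     "uris": ["203.0.113.5"], "email_addresses": ["invoice@bad.example"]},
    {"classification": "goodware", "threat_name": None, "severity": 0,
     "last_seen": datetime(2024, 3, 14, 12, 0, tzinfo=UTC),
     "uris": ["bad.example"], "email_addresses": []},
]


def uri_type(uri: str) -> str:
    """Type column of the URI table. The rule is an assumption: an IPv4/IPv6
    literal is "IP", anything with a scheme or a path is "Link", the rest "Domain"."""
    try:
        ipaddress.ip_address(uri.strip("[]"))
        return "IP"
    except ValueError:
        pass
    return "Link" if urlsplit(uri).scheme or "/" in uri else "Domain"


def build_pivot_table(samples: List[dict], field: str, classification: str = "malicious",
                      threat_name: Optional[str] = None,
                      keep: Callable[[str], bool] = lambda _: True) -> List[dict]:
    """Aggregate samples by one extracted value (URI or email address) into dashboard
    rows. Risk score is the severity of the most prevalent threat name among the samples
    carrying that value; ties go to the higher severity (assumption). Only samples with
    the selected classification are counted, as the Classification filter does."""
    acc: Dict[str, dict] = defaultdict(lambda: {"threats": Counter(), "severity": {},
                                                 "total": 0, "last_seen": None})
    for s in samples:
        if s["classification"] != classification:
            continue
        for value in set(s[field]):                 # a value counts once per sample
            row = acc[value]
            row["total"] += 1
            if row["last_seen"] is None or s["last_seen"] > row["last_seen"]:
                row["last_seen"] = s["last_seen"]   # Last Seen = newest sample with the value
            if s["threat_name"]:
                row["threats"][s["threat_name"]] += 1
                row["severity"][s["threat_name"]] = s["severity"]
    rows = []
    for value, a in acc.items():
        if not keep(value):
            continue
        top, count, risk = None, 0, None            # no threat found: columns stay empty
        if a["threats"]:
            top, count = sorted(a["threats"].items(),
                                key=lambda kv: (-kv[1], -a["severity"][kv[0]], kv[0]))[0]
            risk = a["severity"][top]
        if threat_name is not None and top != threat_name:
            continue                                # Filter by Threat Name matches the listed threat
        rows.append({"pivot": value, "risk_score": risk, "last_seen": a["last_seen"],
                     "threat_name": top, "threat_count": count, "total_count": a["total"]})
    # Highest risk first, then most samples, then the value itself for a stable order.
    rows.sort(key=lambda r: (-(r["risk_score"] or 0), -r["total_count"], r["pivot"]))
    return rows


def uri_table(samples=SAMPLES, types=("Domain", "Link", "IP"), **filters) -> List[dict]:
    """Top URIs view: the shared aggregation plus the Type filter and Type column."""
    rows = build_pivot_table(samples, "uris", keep=lambda u: uri_type(u) in types, **filters)
    for r in rows:
        r["type"] = uri_type(r["pivot"])
    return rows


if __name__ == "__main__":
    for r in uri_table():
        print(f'{r["risk_score"]!s:>4} {r["type"]:6} {r["pivot"]:30} '
              f'{r["threat_name"]} x{r["threat_count"]} / {r["total_count"]}')
```

The constructed data illustrates why the Threat Name filter only offers names that are already in the table: the link `http://bad.example/drop.exe` appears in one Win32.Trojan.Example sample and one Document.Downloader.Example sample, the tie is resolved toward the higher severity, and so filtering the URI table by Document.Downloader.Example returns no rows even though that threat was detected in a sample containing the URI.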