Arctic Wolf Analytics

Updated Sep 25, 2023

Overview

Arctic Wolf Analytics is an interface that you can use to view and organize Managed Risk and Agent information in your environment. This interface allows you to adjust criteria and create specific views to see in-depth information about your assets and risks.

Analytics is built using Metabase, an open-source business intelligence tool. See the external Metabase documentation for information on the underlying functionality.

Analytics uses Metabase functionality to fetch, display, and visualize data from your environment, using Internal Vulnerability Assessment (IVA), External Vulnerability Assessment (EVA), and Agents. The engine allows you to view raw data tables, narrow results to specific subsets of data using filters, aggregate results to answer questions, and combine multiple data views into interactive dashboards.

There are two ways to organize data in Analytics:

Access Arctic Wolf Analytics

To access Arctic Wolf Analytics:

Get started with Arctic Wolf Analytics

There are two high-level report dashboards accessible from the homepage:

The questions in these dashboards can be useful starting points for creating new questions. You can also view all existing dashboards under Our analytics.

Create and edit questions

Note: See the external Metabase documentation for more information on questions.

Questions are the basic way of visualizing data in Analytics. A question is a query that takes a set of data, applies filters and summarizations, then presents the result in your chosen visualization.

Create a new question

To create a new question:

  1. In the Arctic Wolf Analytics navigation bar, click Ask a question.
  2. Based on the editor you want, click one of the following question types:

    Note: Both options create the same kind of question.

    • Simple question — Allows you to view a real-time visualization of your data.
    • Custom question — Allows you to define columns and work with data more directly.
  3. Choose Arctic Wolf Data as your data set and select a table within that data set, such as Agent Assets.
  4. (Optional) If you are using the simple question editor, you can click the play icon to visualize the information.
  5. Edit the question criteria to visualize the desired information. Typically, you want to define a filter and summarize your information by a metric and a grouping.

    Tip: You can switch between the simple and custom editors by clicking Show editor or Hide editor.

  6. Click Save.
  7. Enter a name and description for the question and choose the collection you wish to save it in.

    Tip: Other users cannot see questions that you save to your personal collection.

  8. Click Save.
  9. If you want to:
    • Add your question to a dashboard — Click Yes please!.
    • Remain editing the question — Click Not now.

Edit an existing question

Editing an existing question uses the same tools as creating new questions. Any changes you make are not automatically saved to the original question, which allows you to make alterations without altering existing work.

To save the question and either replace the original question or save it as a new question, click Save.

To discard any work you have done and return your view to the original question, click Started from <question name>, where <question name> is the name of the original question.

Remove and reorganize columns

To remove or reorganize displayed columns in a question, click Settings. You can drag the columns to reorder them and click the x to remove columns. Click the gear icon to change the column names.

To remove or reorganize displayed columns in a question:

  1. In the Arctic Wolf Analytics navigation bar, click Settings.
  2. (Optional) Drag the columns to reorder them.
  3. (Optional) Click the x to remove columns.
  4. (Optional) Click Settings to change the column names.

Filter data

Filters allow you to narrow the results of your question to more specific data, such as a specific date range or user.

To display a list of additional filters:

  1. In Arctic Wolf Analytics, while viewing a question, click Filters.
  2. (Optional) Click Custom Expression to create your own calculated field based on the existing question.
    See the external Metabase documentation for more information on creating a calculated field.

Tip: If your search is processing slowly, you may be able to set filters to speed it up. Some suggestions include:

  • Restrict the query to a specific time frame.
  • If you know the capitalization of the filter text you are applying, enable the Case sensitive option for filters, where available, to improve search performance.
  • Remove unnecessary filters.

Group and summarize information

To use a metric and a grouping to summarize your data:

Tip: It is useful to summarize Agent data because Agent can report multiple times a day. When you summarize Agent data by Count and Name, you can see all content from the same Agent grouped together.

  1. In Arctic Wolf Analytics, while viewing a question, click Summarize.
  2. If desired, add a value to measure:
    1. In the Summarize by section, click + Add a metric.
    2. Select a metric from the list.
    3. If required, select a metric criteria from the list.
    4. (Optional) Add additional metrics.
  3. If desired, define what the metric is measured by:
    1. In the Group by section, in the Find field, enter a group criteria.
    2. Click the required group.
      On the bar graph, these are plotted to the Y and X axes respectively.
  4. Click Done.
    See the external Metabase documentation for more information on summary options.

Change how data is displayed

You can view your selected data in different types of graphs and charts, and customize the data, display, axes, and label options.

Note: Some visualization types can only be used with certain types of data. For example, a progress bar can only be used for numerical fields.

To view different settings for displaying the information:

  1. In Arctic Wolf Analytics, while viewing a question, click Visualization.
  2. Click the desired visualization.
  3. If required, choose your desired options.
  4. Click Done.

See the external Metabase documentation for more information on each option.

Export results

To download the results of a question:

Create and edit dashboards

You can use dashboards to view data from multiple questions simultaneously. The dashboard workspace lets you add text boxes and resize questions for better presentation, and you can add filters that change the data displayed in each question.

See the external Metabase documentation for more information on dashboards.

Create a new dashboard

To create a new dashboard:

  1. In the Arctic Wolf Analytics navigation bar, click Create > New dashboard.
  2. Enter a name and description for the dashboard.

    Tip: Other users cannot see dashboards that you save to your personal collection.

  3. Click Create.
  4. Click Edit dashboard to begin adding items to the dashboard.
  5. Click Add a question to add a new question to your dashboard.
    For more information on how to work with questions, see Edit a dashboard.
  6. Click Save.

Tip: You can click Duplicate while viewing an existing dashboard to create a duplicate of the dashboard.

Edit a dashboard

To edit a dashboard, click Edit dashboard. These are the tools you can use for editing:

Task Action
Add a text box Click Add a text box.
Create a filter Click Add a filter.
Tip: Dashboard filters allow you to change your view of all questions in the dashboard without changing the questions themselves.
Move a question or text box Click and drag the corners of a question or text box.
Change what happens when you click a column in a question While hovering over a question, click Click behavior. By default it sorts the column, but you can have it link to another question, dashboard, or external URL.
Allow formatting options While hovering over a question, click Visualization options. Options include:
  • Highlighting a column in a table when it meets certain conditions
  • Showing values on bar graphs
  • Creating goal lines

Enable auto-refresh on a dashboard

You can enable a dashboard to automatically refresh after a certain time period. This is useful when you have a dashboard open throughout the day to be regularly referenced.

Tip: Use this along with the goal line or column highlighting visualization options to see when benchmarks are met in real time.

To enable auto-refresh:

  1. In Arctic Wolf Analytics, while viewing a dashboard, click Auto-refresh.
  2. Select a refresh interval between 1 and 60 minutes.

View Arctic Wolf Data

Arctic Wolf Data provides a list of data, organized into categories, that you can use when creating questions.

To view Arctic Wolf Data:

  1. In the Arctic Wolf Analytics navigation bar, click Browse data.
  2. Click Arctic Wolf Data.
  3. Click a desired category.

Common fields

These fields are included in every data set:

Field Description
Customer Your customer ID.
Customer UUID Your unique identifier.
Deployment ID The ID of the Arctic Wolf appliance that detected this entry.

Risks

This table is a register of the security risks that Arctic Wolf detects through vulnerability and configuration scanning. Data within this table is sourced from one or more of these scan types:

Note: This does not contain data gathered from account takeover scans. Account takeover data can be found in the Account Takeover table.

Arctic Wolf retains this data up to the last year.

Note: The City, Country, and Scan ID fields do not populate in this table.

Field Description
Age The age of a vulnerability in days.
Asset Category The type of asset that the risk was detected on.
Note: This only populates for risks discovered by an IVA scan.
Asset Name The name or IP address of the asset that the risk was detected on.
Attack Vector The relative location where the risk originated from. Possible values are Adjacent, Local, or Network.
Note: This only populates for risks discovered by an IVA scan.
CVE The CVE identifiers of associated risks.
Date The date that this entry was generated.
Device ID The identifier of the asset that the risk was detected on.
First Detected Date The date when the risk was first detected.
First Identified Whether this was the first time the risk was detected. Possible values are true or false.
Found By The category of scan type used to find the risk. Does not populate with Agent scans. Possible values are openvas, webserver, cloudscan|aws, cloudscan|azure, or cloudscan|gcp.
IP Address The IP address of the asset containing the risk.
Issue Description A description of the identified risk.
Issue Family The associative group of the Issue Name.
Note: This only populates for risks discovered by an IVA scan.
Issue Name The name of the risk.
Latitude The latitude of the asset that the risk was detected on. This is derived from the IP address of the asset.
Longitude The longitude of the asset that the risk was detected on. This is derived from the IP address of the asset.
Resolution Date The date when the risk was resolved.
Risk Score The Risk Score at the time that this risk was detected.
Tip: See the Risk Dashboard for more information on Risk Score.
Scan Type The type of scan that found the risk: from outside the network (EVA), from inside the network (IVA), or on a device with the Arctic Wolf Agent installed. Possible values are eva, iva, or agent.
Source The origin of the scan. Possible values are agent, sensor, or reach.
State The state of the risk. Possible values are Open, Acknowledged, In-Planning, Mitigation/Fix in Progress, Mitigated, Unsuccessful Validation, False Positive, or Accepted.
Tip: See the Risk Dashboard for more information on scan states.
Status The status of the scan. Possible values are Active, Inactive, or Obsolete.
Note: The Mitigated status is not supported in Analytics.
Tip: See the Risk Dashboard for more information on scan statuses.
Threat The severity of the threat. Possible values are Low, Medium, or High.
Note: The severity may not be the same value that is displayed in the Risk Dashboard. Risks in the Risk Dashboard can also have a value of Critical.
Asset Criticality A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are:
  • Unassigned — The default value for all devices.
  • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
  • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact, if compromised.
  • Medium — Monitor for risk escalation. These assets have moderate negative impact, if compromised.
  • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
  • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
Tip: To change this field value, see Edit Asset Criticality in the Risk Dashboard User Guide.
Asset Tags A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag.
A tag can be a custom value or one of the following preset options:
  • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
  • gdpr — Any asset that, if compromised, would render a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
  • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
  • internet_facing — Any asset that can be reached through the public internet.
  • network_infra — Any asset that makes communication between endpoints possible, including routers, switches, and firewalls.
  • pci — Any asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
  • pii — Any asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
  • remote_access — Any asset that is configured for remote access, including VPN gateways, and sign-in services such as RDP and SSH.
Tip: To change this field value, see Edit Asset Tags in the Risk Dashboard User Guide.
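
The filter-then-summarize workflow described under Group and summarize information, applied offline to rows shaped like this Risks table, as an added Python example (not code from Arctic Wolf or Metabase). The sample rows are constructed; their column names are the Risks field names above, and the example assumes that a downloaded question result keeps those names as its column headers. The prioritized ordering of groups is the example's own reading of the Asset Criticality and Threat value descriptions.

```python
"""Added example (not Arctic Wolf's or Metabase's code).

It reproduces the "filter, then summarize by a metric and a grouping"
workflow from "Group and summarize information" offline, over rows shaped
like the Risks table. The rows are constructed sample data; the column names
are the Risks field names from this page, which this example assumes a
downloaded question result keeps as its column headers.
"""
from collections import Counter
from datetime import date

# Orderings for prioritisation, taken from the possible values listed for
# Asset Criticality and Threat in the Risks table.
CRITICALITY_ORDER = ["Critical", "High", "Medium", "Low", "None", "Unassigned"]
THREAT_ORDER = ["High", "Medium", "Low"]

# State values (from the State field) that mean no further action is needed.
CLOSED_STATES = {"Mitigated", "False Positive", "Accepted"}

# Constructed sample rows, not real scan data.
RISKS = [
    {"Asset Name": "web-01", "Date": "2023-09-20", "State": "Open",
     "Threat": "High", "Asset Criticality": "Critical", "Scan Type": "eva"},
    {"Asset Name": "web-01", "Date": "2023-09-21", "State": "Open",
     "Threat": "Medium", "Asset Criticality": "Critical", "Scan Type": "eva"},
    {"Asset Name": "db-01", "Date": "2023-09-22", "State": "Acknowledged",
     "Threat": "High", "Asset Criticality": "High", "Scan Type": "iva"},
    {"Asset Name": "db-01", "Date": "2023-09-22", "State": "Mitigated",
     "Threat": "High", "Asset Criticality": "High", "Scan Type": "iva"},
    {"Asset Name": "lab-07", "Date": "2023-09-23", "State": "Open",
     "Threat": "Low", "Asset Criticality": "Unassigned", "Scan Type": "agent"},
    {"Asset Name": "hr-05", "Date": "2023-09-24", "State": "Accepted",
     "Threat": "Medium", "Asset Criticality": "Medium", "Scan Type": "agent"},
    {"Asset Name": "old-03", "Date": "2023-06-01", "State": "Open",
     "Threat": "High", "Asset Criticality": "High", "Scan Type": "iva"},
]


def filter_risks(rows, not_before, closed_states=CLOSED_STATES):
    """Filter step: keep rows dated on or after not_before (an ISO date
    string; the time-window restriction from the 'Filter data' tips) whose
    State still needs action."""
    start = date.fromisoformat(not_before)
    return [
        r for r in rows
        if date.fromisoformat(r["Date"]) >= start and r["State"] not in closed_states
    ]


def summarize(rows, group_by):
    """Summarize step: the Count metric grouped by the given fields, like
    choosing Count under 'Summarize by' and the fields under 'Group by'."""
    return Counter(tuple(r[field] for field in group_by) for r in rows)


def prioritized(counts):
    """Order (Asset Criticality, Threat) groups the way the Asset Criticality
    descriptions suggest: Critical first, None and Unassigned last."""
    def rank(item):
        (criticality, threat), _ = item
        return (CRITICALITY_ORDER.index(criticality), THREAT_ORDER.index(threat))
    return sorted(counts.items(), key=rank)


if __name__ == "__main__":
    # Fixed reference window for the sample data: the 30 days before 2023-09-25.
    recent = filter_risks(RISKS, "2023-08-26")
    counts = summarize(recent, ["Asset Criticality", "Threat"])
    for (criticality, threat), n in prioritized(counts):
        print(f"{criticality:<11} {threat:<7} {n}")
```

Applying the time window before grouping is the same ordering the Filter data tips recommend for the interface: the smaller the row set that reaches the Summarize step, the cheaper the count.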

Account Takeover

This table contains third-party account takeover records based on data acquired from the Arctic Wolf account takeover (ATO) monitoring service. These records provide details about third-party breach incidents and the user accounts involved.

Arctic Wolf retains this data up to the last year.

Field Description
Breach Description The description of the event.
Breach ID The five-digit identifier of the breach.
Breach Time The date that the breach was detected, formatted in UTC.
Confidence Level The degree of confidence that the account was breached. Possible values are Unverified and Confident.
Email The email address of the account that was taken over.
Password Decryptable Whether the password is decryptable. Possible values are Yes or No.
Password Type The type of password, such as plaintext. This is often N/A.
Publicly Disclosed Time The date that the breach was detected, formatted in UTC.
Timestamp The time that the breach was detected.
Tip: This field uses the date functionality in Analytics, which makes it easier to use for filtering.

Discovered Assets

This table is a register of the assets Arctic Wolf discovers through vulnerability and configuration scanning. Data within this table is sourced from one or more of these scan types:

Arctic Wolf retains this data up to the last six months.

Note: The Learned Category and Vendor fields do not populate in this table.

Field Description
Category The type of asset. Possible values are Desktop, Server, or Unknown.
Device ID The unique identifier of the asset.
Note: This only populates for assets discovered by an IVA scan.
IP Address The IP address of the asset.
MAC Address The MAC address of the asset.
Name The name of the asset.
Note: This only populates for assets discovered by an IVA scan.
Ports The ports the asset is connected through.
Note: This only populates for assets discovered by an EVA scan.
Scan ID The seven-digit identifier of the scan.
Softwares A list of common service names discovered on the asset.
Note: This only populates for assets discovered by an EVA scan.
Tags The type of scan that discovered the asset. EVA scans are marked with eva and external, and IVA scans are marked with iva.
Timestamp The time that the asset was detected.
Asset Criticality A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are:
  • Unassigned — The default value for all devices.
  • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
  • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact, if compromised.
  • Medium — Monitor for risk escalation. These assets have moderate negative impact, if compromised.
  • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
  • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
Tip: To change this field value, see Edit Asset Criticality in the Risk Dashboard User Guide.
Asset Tags A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag.
A tag can be a custom value or one of the following preset options:
  • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
  • gdpr — Any asset that, if compromised, would render a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
  • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
  • internet_facing — Any asset that can be reached through the public internet.
  • network_infra — Any asset that makes communication between endpoints possible, including routers, switches, and firewalls.
  • pci — Any asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
  • pii — Any asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
  • remote_access — Any asset that is configured for remote access, including VPN gateways, and sign-in services such as RDP and SSH.
Tip: To change this field value, see Edit Asset Tags in the Risk Dashboard User Guide.

Agent data

These fields are common to all Agent detections:

Field Description
Client UUID The unique identifier of the Agent that detected the asset.

Agent Assets

This table contains information about endpoint devices, or assets, that Arctic Wolf Agent actively monitors.

Arctic Wolf retains this data up to the last 12 months.

Note: The Category field does not populate in this table.

Field Description
City The city name. This field is only populated if the Country field is available.
Country The country that the asset is located in.
Country Code The Alpha-2 code of the country that the asset is located in. See the external ISO documentation for more information.
External IP Address The IP address of the asset.
Latitude The latitude of the asset. This is derived from the IP address of the asset.
Longitude The longitude of the asset. This is derived from the IP address of the asset.
Name The name of the asset.
OS Configuration The configuration of the OS. Possible values are Additional/Backup Domain Controller, Member Server, Member Workstation, Primary Domain Controller, Standalone Server, or Standalone Workstation.
OS Manufacturer The manufacturer of the asset OS.
OS Name The name of the asset OS.
OS Version The version of the asset OS.
Processor Name The name of the asset processor.
System Manufacturer The manufacturer of the asset.
System Model The model of the asset.
System Type The type of the asset system. Possible values are x64-based PC, X86-based PC, or ARM64-based PC.
Timestamp The time that the asset was detected.
User The user that the asset is registered to.
Asset Criticality A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are:
  • Unassigned — The default value for all devices.
  • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
  • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact, if compromised.
  • Medium — Monitor for risk escalation. These assets have moderate negative impact, if compromised.
  • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
  • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
Tip: To change this field value, see Edit Asset Criticality in the Risk Dashboard User Guide.
Asset Tags A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag.
A tag can be a custom value or one of the following preset options:
  • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
  • gdpr — Any asset that, if compromised, would render a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
  • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
  • internet_facing — Any asset that can be reached through the public internet.
  • network_infra — Any asset that makes communication between endpoints possible, including routers, switches, and firewalls.
  • pci — Any asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
  • pii — Any asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
  • remote_access — Any asset that is configured for remote access, including VPN gateways, and sign-in services such as RDP and SSH.
Tip: To change this field value, see Edit Asset Tags in the Risk Dashboard User Guide.
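
Because the Agent reports several times a day (see the tip under Group and summarize information), a raw Agent Assets question lists the same asset many times. The following added Python example (not code from Arctic Wolf or Metabase) collapses rows shaped like this table to the newest record per Name, keeping the per-asset report count that a Count and Name summary would show, and then lists assets whose newest report is older than a chosen age. The rows are constructed sample data using the field names above; the staleness check is this example's own addition and not a feature the page describes.

```python
"""Added example (not Arctic Wolf's or Metabase's code).

The Agent reports several times a day (see the tip under "Group and summarize
information"), so a raw Agent Assets question lists the same asset many
times. This collapses rows shaped like the Agent Assets table to the newest
record per Name, counts how many reports each asset contributed, and then
lists assets whose newest report is older than a chosen age. The rows are
constructed sample data using the field names from this page; the staleness
check is this example's addition, not a feature the page describes.
"""
from datetime import datetime, timedelta

# Constructed sample rows, not real Agent data. Timestamps are ISO 8601.
AGENT_ASSETS = [
    {"Name": "LAPTOP-01", "OS Name": "Windows 11", "User": "alice",
     "Timestamp": "2023-09-24T08:05:00"},
    {"Name": "LAPTOP-01", "OS Name": "Windows 11", "User": "alice",
     "Timestamp": "2023-09-24T17:40:00"},
    {"Name": "SRV-FILE", "OS Name": "Windows Server 2019", "User": "svc_backup",
     "Timestamp": "2023-09-24T09:00:00"},
    {"Name": "SRV-FILE", "OS Name": "Windows Server 2019", "User": "svc_backup",
     "Timestamp": "2023-09-23T09:00:00"},
    {"Name": "KIOSK-3", "OS Name": "Windows 10", "User": "kiosk",
     "Timestamp": "2023-09-10T12:00:00"},
]


def _ts(row):
    """Parse the row's Timestamp field."""
    return datetime.fromisoformat(row["Timestamp"])


def latest_per_asset(rows):
    """Group by Name (the 'Count and Name' summary from the page) and keep the
    newest report for each asset, together with its report count.

    Returns {Name: {"record": row, "reports": int}}.
    """
    latest = {}
    for row in rows:
        entry = latest.get(row["Name"])
        if entry is None:
            latest[row["Name"]] = {"record": row, "reports": 1}
            continue
        entry["reports"] += 1
        if _ts(row) > _ts(entry["record"]):
            entry["record"] = row
    return latest


def stale_assets(latest, as_of, max_age_days):
    """Names whose newest report is more than max_age_days before as_of
    (an ISO 8601 string); such assets may have lost the Agent or gone offline."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_age_days)
    return sorted(name for name, entry in latest.items()
                  if _ts(entry["record"]) < cutoff)


if __name__ == "__main__":
    latest = latest_per_asset(AGENT_ASSETS)
    for name, entry in sorted(latest.items()):
        print(f"{name:<10} reports={entry['reports']} last={entry['record']['Timestamp']}")
    print("stale:", stale_assets(latest, "2023-09-25T00:00:00", 7))
```

Keeping the report count alongside the newest record preserves what the Count and Name summary shows in the interface while still giving one row per asset for the rest of the table's fields.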

Installed Software

This table collects details about the software installed on the endpoint devices, or assets, that Arctic Wolf monitors.

Arctic Wolf retains this data up to the last 30 days.

Note: The Device ID field does not populate in this table.

Field Description
Asset Name The name of the asset that the software is installed on.
Install Date The date that the software was installed, in UTC format.
Software Name The name of the software.
Software Vendor The vendor of the software.
Timestamp The time that the software was detected.

Processes

This table collects details about the processes that run on the endpoint devices, or assets, that Arctic Wolf monitors.

Arctic Wolf retains this data up to the last 30 days.

Note: The Asset Category, Device ID, and Process Ids fields do not populate in this table.

Field Description
Asset Name The name of the asset that the process is running on.
Process Name The name of the process.
Timestamp The time that the process was detected.

Wireless Networks

This table collects data on the wireless networks within detection range of the endpoint devices, or assets, that Arctic Wolf monitors.

Arctic Wolf retains this data up to the last 90 days.

Field Description
Asset Name The name of the asset that the network was detected from.
Connected BSSID The Basic Service Set Identifier (BSSID) of the asset.
Network Type The type of network. Possible values are Adhoc, Computer to Computer Network, Computer-to-Computer, Infrastructure, and Wi-Fi Internet Sharing.
Security The type of security on the network.
Audit Time The time that the network was detected.
Visible BSSIDs A list of BSSIDs on the network that are visible from this asset on the network.
Visible SSIDs A list of Service Set Identifiers (SSIDs) on the network that are visible from this asset.