Arctic Wolf Analytics
Updated Sep 25, 2023
Overview
Arctic Wolf Analytics is an interface that you can use to view and organize Managed Risk and Agent information in your environment. This interface allows you to adjust criteria and create specific views to see in-depth information about your assets and risks.
Analytics is built using Metabase, an open-source business intelligence tool. See the external Metabase documentation for information on the underlying functionality.
Analytics uses Metabase functionality to fetch, display, and visualize data from your environment, using Internal Vulnerability Assessment (IVA), External Vulnerability Assessment (EVA), and Agents. The engine allows you to view raw data tables, narrow results to specific subsets of data using filters, aggregate results to answer questions, and combine multiple data views into interactive dashboards.
There are two ways to organize data in Analytics:
- Questions — A view of data generated by ingesting queries and data.
- Dashboards — A set of questions organized on the same page that can be compared.
Access Arctic Wolf Analytics
To access Arctic Wolf Analytics:
- In the Risk Dashboard navigation pane, click Analytics.
Get started with Arctic Wolf Analytics
There are two high-level report dashboards accessible from the homepage:
- Assets Overview — This dashboard includes graphs and tables that display data about your assets.
- Risks Overview — This dashboard includes graphs and tables that display data about the risks that were detected in your environment.
The questions in these dashboards can be useful starting points for creating new questions. You can also view all existing dashboards under Our analytics.
Create and edit questions
Note: See the external Metabase documentation for more information on questions.
Questions are the basic way of visualizing data in Analytics. A question is a query that takes a set of data, applies filters and summarizations, then presents the result in your chosen visualization.
Create a new question
To create a new question:
- In the Arctic Wolf Analytics navigation bar, click Ask a question.
- Based on the editor you want, click one of the following question types:
Note: Both options create the same kind of question.
- Simple question — Allows you to view a real-time visualization of your data.
- Custom question — Allows you to define columns and work with data more directly.
- Choose Arctic Wolf Data as your data set and select a table within that data set, such as Agent Assets.
- (Optional) If you are using the simple question editor, you can click Visualize to visualize the information.
- Edit the question criteria to visualize the desired information. Typically, you want to define a filter and summarize your information by a metric and a grouping.
Tip: You can switch between the simple and custom editors by clicking Show editor or Hide editor.
- Click Save.
- Enter a name and description for the question and choose the collection you wish to save it in.
Tip: Other users cannot see questions that you save to your personal collection.
- Click Save.
- If you want to:
- Add your question to a dashboard — Click Yes please!.
- Remain editing the question — Click Not now.
Edit an existing question
Editing an existing question uses the same tools as creating new questions. Any changes you make are not automatically saved to the original question, which allows you to make alterations without altering existing work.
To save the question and either replace the original question or save it as a new question, click Save.
To discard any work you have done and return your view to the original question, click Started from <question name>, where <question name> is the name of the original question.
Remove and reorganize columns
To remove or reorganize displayed columns in a question:
- In the Arctic Wolf Analytics navigation bar, click Settings.
- (Optional) Drag the columns to reorder them.
- (Optional) Click the x to remove columns.
- (Optional) Click Settings to change the column names.
Filter data
Filters allow you to narrow the results of your question for more specific data. This is useful for viewing data for a specific date range or user among other things.
To display a list of additional filters:
- In Arctic Wolf Analytics, while viewing a question, click Filters.
- (Optional) Click Custom Expression to create your own calculated field based on the existing question.
See the external Metabase documentation for more information on creating a calculated field.
Tip: If your search is processing slowly, you may be able to set filters to speed it up. Some suggestions include:
- Restrict the query to a specific time frame.
- If you know the capitalization of the filter text you are applying, enable the Case sensitive option for filters, where available, to improve search performance.
- Remove unnecessary filters.
Group and summarize information
To use a metric and a grouping to summarize your data:
Tip: It is useful to summarize Agent data because Agent can report multiple times a day. When you summarize Agent data by Count and Name, you can see all content from the same Agent grouped together.
- In Arctic Wolf Analytics, while viewing a question, click Summarize.
- If desired, add a value to measure:
- In the Summarize by section, click + Add a metric.
- Select a metric from the list.
- If required, select a metric criteria from the list.
- (Optional) Add additional metrics.
- If desired, define what the metric is measured by:
- In the Group by section, in the Find field, enter a group criteria.
- Click the required group.
On a bar graph, the metric and the grouping are plotted on the Y and X axes respectively.
- Click Done.
See the external Metabase documentation for more information on summary options.
Change how data is displayed
Different types of graphs and charts are available to view your selected data in. You can also customize the data, display, axes, and label options.
Note: Some visualization types can only be used with certain types of data. For example, a progress bar can only be used for numerical fields.
To view different settings for displaying the information:
- In Arctic Wolf Analytics, while viewing a question, click Visualization.
- Click the desired visualization.
- If required, choose your desired options.
- Click Done.
See the external Metabase documentation for more information on each option.
Export results
To download the results of a question:
- In Arctic Wolf Analytics, while viewing a question, click Download full results.
You can download the results as a CSV, XLSX, or JSON file.
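As an added example (not part of the Arctic Wolf documentation or product), the following Python works through the filter and summarize steps described above on a constructed CSV shaped like a Risks export: it collapses repeated reports of the same issue to the newest Date (the reason the Group and summarize tip recommends summarizing repeated Agent data), counts Open High risks per Asset Name, and flags values outside the enumerations documented for the Risks table, such as Critical, which this page says appears only in the Risk Dashboard. The asset names, issues and dates are made up.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample data (not a real export): rows shaped like a
# "Download full results" CSV of the Risks table, using this page's field
# names and documented values. One row deliberately carries Threat=Critical.
RISKS_CSV = """Asset Name,Issue Name,Threat,State,Status,Scan Type,Age,Date
web-01,Outdated TLS configuration,High,Open,Active,eva,45,2023-09-20
web-01,Outdated TLS configuration,High,Open,Active,eva,46,2023-09-21
db-02,Missing vendor patch,High,Mitigated,Active,iva,12,2023-09-21
lap-07,Unsupported browser version,Medium,Open,Active,agent,3,2023-09-21
lap-07,Unsupported browser version,Medium,Open,Active,agent,3,2023-09-21
lap-07,Local admin rights granted,High,Accepted,Active,agent,90,2023-09-21
srv-03,Exposed management port,Critical,Open,Active,eva,1,2023-09-21
"""

# Enumerations as documented in the Risks table on this page.
THREAT_VALUES = {"Low", "Medium", "High"}
STATE_VALUES = {"Open", "Acknowledged", "In-Planning", "Mitigation/Fix in Progress",
                "Mitigated", "Unsuccessful Validation", "False Positive", "Accepted"}


def load_rows(text=RISKS_CSV):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def latest_per_issue(rows):
    """Keep only the newest Date for each (Asset Name, Issue Name) pair.
    Scans and the Agent report the same finding repeatedly, so counting raw
    rows overstates exposure; this is the 'summarize by Name' step by hand."""
    newest = {}
    for r in rows:
        key = (r["Asset Name"], r["Issue Name"])
        when = datetime.strptime(r["Date"], "%Y-%m-%d")
        if key not in newest or when >= newest[key][0]:
            newest[key] = (when, r)
    return [r for _, r in newest.values()]


def open_high_by_asset(rows):
    """Filter (State == Open and Threat == High), then group by Asset Name with Count."""
    wanted = (r for r in rows if r["State"] == "Open" and r["Threat"] == "High")
    return dict(Counter(r["Asset Name"] for r in wanted))


def unexpected_values(rows):
    """Flag Threat/State values outside the documented enumerations, e.g. a
    'Critical' threat, which this page says only the Risk Dashboard shows."""
    findings = []
    for r in rows:
        if r["Threat"] not in THREAT_VALUES:
            findings.append((r["Asset Name"], "Threat", r["Threat"]))
        if r["State"] not in STATE_VALUES:
            findings.append((r["Asset Name"], "State", r["State"]))
    return findings
```

Running `open_high_by_asset` on the raw rows counts web-01 twice, while running it on `latest_per_issue(load_rows())` counts it once, which is the difference the summarize tip is warning about.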
Create and edit dashboards
You can use dashboards to view data from multiple questions simultaneously. You can add text boxes and alter the size of questions with a dynamic workspace for better presentation of questions. It also allows you to add filters that change the data displayed in each question.
See the external Metabase documentation for more information on dashboards.
Create a new dashboard
To create a new dashboard:
- In the Arctic Wolf Analytics navigation bar, click Create > New dashboard.
- Enter a name and description for the dashboard.
Tip: Other users cannot see dashboards that you save to your personal collection.
- Click Create.
- Click Edit dashboard to begin adding items to the dashboard.
- Click Add a question to add a new question to your dashboard.
For more information on how to work with questions, see Edit a dashboard.
- Click Save.
Tip: You can click Duplicate while viewing an existing dashboard to create a duplicate of the dashboard.
Edit a dashboard
To edit a dashboard, click Edit dashboard. These are the tools you can use for editing:
Task | Action |
---|---|
Add a text box | Click the text box icon. |
Create a filter | Click the filter icon. Tip: Dashboard filters allow you to change your view of all questions in the dashboard without changing the questions themselves. |
Move a question or text box | Click and drag the corners of a question or text box. |
Change what happens when you click a column in a question | While hovering over a question, click Click behavior. By default it sorts the column, but you can have it link to another question, dashboard, or external URL. |
Allow formatting options | While hovering over a question, click Visualization options. |
Enable auto-refresh on a dashboard
You can enable a dashboard to automatically refresh after a certain time period. This is useful when you have a dashboard open throughout the day to be regularly referenced.
Tip: Use this along with the goal line or column highlighting visualization options to see when benchmarks are met in real time.
To enable auto-refresh:
- In Arctic Wolf Analytics, while viewing a dashboard, click Auto-refresh.
- Select a refresh interval between 1 and 60 minutes.
View Arctic Wolf Data
Arctic Wolf Data provides a list of data, organized into categories, that you can use when creating questions.
To view Arctic Wolf Data:
- In the Arctic Wolf Analytics navigation bar, click Browse data.
- Click Arctic Wolf Data.
- Click a desired category.
Common fields
These fields are included in every data set:
Field | Description |
---|---|
Customer | Your customer ID. |
Customer UUID | Your unique identifier. |
Deployment ID | The ID of the Arctic Wolf appliance that detected this. |
Risks
This table is a register of the security risks that Arctic Wolf detects through vulnerability and configuration scanning. Data within this table is sourced from one or more of these scan types:
- IVA scans
- EVA scans
- Arctic Wolf Agent host-based vulnerability scans
- Cloud Security Posture Management (CSPM) scans
Note: This does not contain data gathered from account takeover scans. Account takeover data can be found in the Account Takeover table.
Arctic Wolf retains this data up to the last year.
Note: The City, Country, and Scan ID fields do not populate in this table.
Field | Description |
---|---|
Age | The age of a vulnerability in days. |
Asset Category | The type of asset that the risk was detected on. Note: This only populates for risks discovered by an IVA scan. |
Asset Name | The name or IP address of the asset that the risk was detected on. |
Attack Vector | The relative location where the risk originated from. Possible values are Adjacent, Local, or Network. Note: This only populates for risks discovered by an IVA scan. |
CVE | The CVE identifiers of associated risks. |
Date | The date that this entry was generated. |
Device ID | The identifier of the asset that the risk was detected on. |
First Detected Date | The date when the risk was first detected. |
First Identified | Whether this was the first time the risk was detected. Possible values are true or false. |
Found By | The category of scan type used to find the risk. Does not populate with Agent scans. Possible values are openvas, webserver, cloudscan|aws, cloudscan|azure, or cloudscan|gcp. |
IP Address | The IP address of the asset containing the risk. |
Issue Description | A description of the identified risk. |
Issue Family | The associative group of the Issue Name. Note: This only populates for risks discovered by an IVA scan. |
Issue Name | The name of the risk. |
Latitude | The latitude of the asset that the risk was detected on. This is derived from the IP address of the asset. |
Longitude | The longitude of the asset that the risk was detected on. This is derived from the IP address of the asset. |
Resolution Date | The date when the risk was resolved. |
Risk Score | The Risk Score at the time that this risk was detected. Tip: See the Risk Dashboard for more information on Risk Score. |
Scan Type | The type of scans Arctic Wolf performs from outside the network, inside the network, and on a device with the Arctic Wolf Agent installed. Possible values are eva, iva, or agent. |
Source | The origin of the scan. Possible values are agent, sensor, or reach. |
State | The state of the risk. Possible values are Open, Acknowledged, In-Planning, Mitigation/Fix in Progress, Mitigated, Unsuccessful Validation, False Positive, or Accepted. Tip: See the Risk Dashboard for more information on scan states. |
Status | The status of the scan. Possible values are Active, Inactive, or Obsolete. Note: The Mitigated status is not supported in Analytics. Tip: See the Risk Dashboard for more information on scan statuses. |
Threat | The severity of the threat. Possible values are Low, Medium, or High. Note: The severity may not be the same value that is displayed in the Risk Dashboard. Risks in the Risk Dashboard can also have a value of Critical. |
Asset Criticality | A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are: |
Asset Tags | A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag. A tag can be a custom value or one of the following preset options: |
Account Takeover
This table contains third-party account takeover records based on data acquired from the Arctic Wolf account takeover (ATO) monitoring service. These records provide details about third-party breach incidents and the user accounts involved.
Arctic Wolf retains this data up to the last year.
Field | Description |
---|---|
Breach Description | The description of the event. |
Breach ID | The five digit identifier of the breach. |
Breach Time | The date that the breach was detected, formatted in UTC. |
Confidence Level | Degree of confidence in whether the account was breached. Possible values are Unverified and Confident. |
The email address of the account that was taken over. | |
Password Decryptable | Describes whether the password is decryptable. Possible values are Yes or No. |
Password Type | The type of password, such as plaintext. This is often N/A. |
Publicly Disclosed Time | The date that the breach was detected, formatted in UTC. |
Timestamp | The time that the breach was detected. Tip: This field uses the date functionality in Analytics. This makes it easier to use for filtering. |
Discovered Assets
This table is a register of the assets Arctic Wolf discovers through vulnerability and configuration scanning. Data within this table is sourced from one or more of these scan types:
- IVA scans
- EVA scans
Arctic Wolf retains this data up to the last six months.
Note: The Learned Category and Vendor fields do not populate in this table.
Field | Description |
---|---|
Category | The type of asset. Possible values are Desktop, Server, or Unknown. |
Device ID | The unique identifier of the asset. Note: This only populates for assets discovered by an IVA scan. |
IP Address | The IP address of the asset. |
MAC Address | The MAC address of the asset. |
Name | The name of the asset. Note: This only populates for assets discovered by an IVA scan. |
Ports | The ports the asset is connected through. Note: This only populates for assets discovered by an EVA scan. |
Scan ID | The seven-digit identifier of the scan. |
Softwares | A list of common service names discovered on the asset. Note: This only populates for assets discovered by an EVA scan. |
Tags | The type of scan that discovered the asset. EVA scans are marked with eva and external, and IVA scans are marked with iva. |
Timestamp | The time that the asset was detected. |
Asset Criticality | A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are: |
Asset Tags | A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag. A tag can be a custom value or one of the following preset options: |
Agent data
These fields are common to all Agent detections:
Field | Description |
---|---|
Client UUID | The unique identifier of the Agent that detected the asset. |
Agent Assets
This table contains information about endpoint devices, or assets, that Arctic Wolf Agent actively monitors.
Arctic Wolf retains this data up to the last 12 months.
Note: The Category field does not populate in this table.
Field | Description |
---|---|
City | The city name. This field is only populated if the Country field is available. |
Country | The country that the asset is located in. |
Country Code | The Alpha-2 code of the country that the asset is located in. See the external ISO documentation for more information. |
External IP Address | The IP address of the asset. |
Latitude | The latitude of the asset. This is derived from the IP address of the asset. |
Longitude | The longitude of the asset. This is derived from the IP address of the asset. |
Name | The name of the asset. |
OS Configuration | The configuration of the OS. Possible values are Additional/Backup Domain Controller, Member Server, Member Workstation, Primary Domain Controller, Standalone Server, or Standalone Workstation. |
OS Manufacturer | The manufacturer of the asset OS. |
OS Name | The name of the asset OS. |
OS Version | The version of the asset OS. |
Processor Name | The name of the asset processor. |
System Manufacturer | The manufacturer of the asset. |
System Model | The model of the asset. |
System Type | The type of the asset system. Possible values are x64-based PC, X86-based PC, or ARM64-based PC. |
Timestamp | The time that the asset was detected. |
User | The user that the asset is registered to. |
Asset Criticality | A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are: |
Asset Tags | A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag. A tag can be a custom value or one of the following preset options: |
Installed Software
This table collects details about the software installed on the endpoint devices, or assets, that Arctic Wolf monitors.
Arctic Wolf retains this data up to the last 30 days.
Note: The Device ID field does not populate in this table.
Field | Description |
---|---|
Asset Name | The name of the asset that the software is installed on. |
Install Date | The date that the software was installed, in UTC format. |
Software Name | The name of the software. |
Software Vendor | The vendor of the software. |
Timestamp | The time that the software was detected. |
Processes
This table collects details about the processes that run on the endpoint devices, or assets, that Arctic Wolf monitors.
Arctic Wolf retains this data up to the last 30 days.
Note: The Asset Category, Device ID, and Process Ids fields do not populate in this table.
Field | Description |
---|---|
Asset Name | The name of the asset that the process is running on. |
Process Name | The name of the process. |
Timestamp | The time that the process was detected. |
Wireless Networks
This table collects data on the wireless networks within detection range of the endpoint devices, or assets, that Arctic Wolf monitors.
Arctic Wolf retains this data up to the last 90 days.
Field | Description |
---|---|
Asset Name | The name of the asset that the network was detected from. |
Connected BSSID | The Basic Service Set Identifier (BSSID) of the asset. |
Network Type | The type of wireless network. Possible values are Adhoc, Computer to Computer Network, Computer-to-Computer, Infrastructure, and Wi-Fi Internet Sharing. |
Security | The type of security on the network. |
Audit Time | The time that the network was detected. |
Visible BSSIDs | A list of BSSIDs on the network that are visible from this asset on the network. |
Visible SSIDs | A list of Service Set Identifiers (SSIDs) on the network that are visible from this asset. |