Arctic Wolf Analytics

Updated Feb 20, 2024

You can use Arctic Wolf® Analytics to view and organize Managed Risk and Agent information in your environment. This interface allows you to adjust criteria and create specific views to see in-depth information about your assets and risks.

Analytics is built using Metabase, an open-source business intelligence tool. Analytics uses Metabase functionality to fetch, display, and visualize data from your environment, using Internal Vulnerability Assessment (IVA), External Vulnerability Assessment (EVA), and Agents. You can use Analytics to view raw data tables, refine results to specific subsets of data using filters, aggregate results to answer questions, and combine multiple data views into interactive dashboards. See the external Metabase documentation for information.

Analytics retains data for 365 days for all risks. To view older data for active risks, see the Risk Dashboard User Guide.

You can organize data in Analytics using these methods:

Requirements

Access Arctic Wolf Analytics

  1. Sign in to the Risk Dashboard.
  2. In the navigation menu, click Analytics.

View a high-level report dashboard

High-level report dashboards are useful starting points for creating new questions.

Note: To view all existing dashboards, click Our analytics.

Create and edit questions

Questions are the basic way of visualizing data in Analytics. A question is a query that takes a set of data, applies filters and summarizations, and then presents the result in your chosen visualization. See External Metabase documentation for more information.

You can do any of these actions to modify your questions:

Create a new question

  1. Sign in to the Risk Dashboard.

  2. In the navigation menu, click Analytics.

  3. In the menu bar, click Ask a question.

  4. Based on the editor you want, click one of these options:

    Note: Both options create the same kind of question.

    • Simple question — Allows you to view a real-time visualization of your data.
    • Custom question — Allows you to define columns and work with data more directly.
  5. Select Arctic Wolf Data as your data set, and then select a table within that data set. For example, Agent Assets.

  6. (Optional) If you are using the simple question editor, click .

    A visual of the information appears.

  7. Edit the question criteria.

    Tip: On this page, you can:

    • Define a filter and summarize your information by a metric and a grouping.
    • Switch between the simple and custom editors by clicking Show editor or Hide editor.
  8. Click Save.

  9. Enter a name and description for the question, and then choose the collection you want to save it in.

    Note: Other users cannot see questions that you save in your personal collection.

  10. Click Save.

  11. If you want to:

    • Add your question to a dashboard — Click Yes please!.
    • Continue editing the question — Click Not now.

Edit an existing question

Changes you make are not automatically saved to the original question. You can make alterations without altering existing work.

  1. Sign in to the Risk Dashboard.
  2. In the navigation menu, click Analytics.
  3. In the Our Analytics section, click the folder where the question you want to edit is saved. If you do not see the folder, click Browse all items.
  4. Click the question you want to edit.
  5. After you edit the question, do one of these actions:
    • To either replace the original question with the edited version or save it as a new question, click Save.
    • To discard all edits and return to the original question, click Started from <question name>, where <question name> is the name of the original question.

Remove and reorganize columns

  1. Sign in to the Risk Dashboard.
  2. In the navigation menu, click Analytics.
  3. In the menu bar, click Settings.
  4. (Optional) Drag the columns to reorder them.
  5. (Optional) Click the X to remove columns.
  6. (Optional) Click Settings to change the column names.

Display data filters

Filters allow you to refine the results of your question for more specific data.

  1. Sign in to the Risk Dashboard.

  2. In the navigation menu, click Analytics.

  3. While viewing a question, click Filters.

  4. (Optional) Click Custom Expression to create your own calculated field based on the existing question.

    See External Metabase documentation for more information.

Tip: If your search is processing slowly, these filter options could reduce processing time:

  • Time frame — Select a specific time frame to limit your search results.
  • Case sensitive — If you know the capitalization of the filter text you are applying, enable the Case sensitive option, where available.
  • Remove unnecessary filters.

Group and summarize information

Tip: Arctic Wolf Agent can report multiple times a day. When you summarize Agent data by Count and Name, you can see all content from the same Agent grouped together.

  1. Sign in to the Risk Dashboard.

  2. In the navigation menu, click Analytics.

  3. While viewing a question, click Summarize.

  4. (Optional) Add a value to measure:

    1. In the Summarize by section, click + Add a metric.
    2. From the list, select a metric.
    3. If needed, from the list, select metric criteria.
  5. (Optional) Define the metric measurement:

    1. In the Group by section, in the Find field, enter a group criteria.
    2. Click the required group. On the bar graph, the groups are plotted on the Y and X axes, respectively.
  6. Click Done.

See External Metabase documentation for more information.
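
The tip above notes that an Agent can report several times a day, so a plain row count over Agent Assets overstates the fleet. The following is an added example, not Arctic Wolf code or part of this guide: it reads a constructed .csv export of the Agent Assets table (column names taken from the Agent Assets table described later on this page; the ISO 8601 Timestamp format and the sample rows are assumptions), reproduces what Summarize by Count grouped by Name shows, keeps one row per asset (the latest report), and flags fields whose value changed between reports within the window.

```python
"""Collapse repeated Arctic Wolf Agent reports to one row per asset.

Added example, not Arctic Wolf code. It assumes a .csv download of the Agent
Assets table with the Name, Client UUID, Timestamp, OS Name, OS Version and User
columns described on this page, and that Timestamp is exported in ISO 8601 UTC
(an assumption; the page does not state the export format). The rows below are
constructed sample data.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample export: one laptop reported three times in a day, one server twice.
SAMPLE_AGENT_CSV = """Name,Client UUID,Timestamp,OS Name,OS Version,User
LAPTOP-01,11111111-aaaa,2024-02-19T08:00:00Z,Windows 11,22H2,alice
LAPTOP-01,11111111-aaaa,2024-02-19T14:30:00Z,Windows 11,23H2,alice
LAPTOP-01,11111111-aaaa,2024-02-19T11:15:00Z,Windows 11,22H2,alice
SRV-DC1,22222222-bbbb,2024-02-19T09:00:00Z,Windows Server 2022,21H2,svc-backup
SRV-DC1,22222222-bbbb,2024-02-18T09:00:00Z,Windows Server 2022,21H2,svc-backup
"""


def parse_timestamp(value):
    """Parse the assumed ISO 8601 'Z' format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_agent_assets(csv_text):
    """Parse the export and attach a parsed timestamp to every row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["_ts"] = parse_timestamp(row["Timestamp"])
    return rows


def reports_per_asset(rows):
    """What Summarize by Count, grouped by Name, shows: how often each Agent
    reported in the window. Anything above 1 is the same asset repeated."""
    return Counter(r["Name"] for r in rows)


def latest_per_asset(rows):
    """Keep only the most recent report for each asset name, so inventory
    counts (OS versions, users) are not inflated by repeat check-ins."""
    latest = {}
    for r in rows:
        current = latest.get(r["Name"])
        if current is None or r["_ts"] > current["_ts"]:
            latest[r["Name"]] = r
    return latest


def distinct_values(rows, field):
    """Every value a field took per asset within the window; more than one
    value means the field changed between reports (for example an OS update)."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["Name"]].add(r[field])
    return dict(seen)


if __name__ == "__main__":
    assets = load_agent_assets(SAMPLE_AGENT_CSV)
    print("Reports per asset:", dict(reports_per_asset(assets)))
    for name, r in sorted(latest_per_asset(assets).items()):
        print(f"{name:<10} {r['Timestamp']} {r['OS Name']} {r['OS Version']} {r['User']}")
    for name, versions in distinct_values(assets, "OS Version").items():
        if len(versions) > 1:
            print(f"{name}: OS Version changed within window: {sorted(versions)}")
```

The grouping key is Name because that is what the tip above groups by; if asset names are reused or renamed in your environment, Client UUID (the Agent's unique identifier) is the more stable key and can be substituted in the same three functions.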

Change how data is displayed

You can view your selected data in different types of graphs and charts. You can also customize the data, display, axes, and label options.

Note: Some visualization types can only be used with certain types of data. For example, a progress bar can only be used for numerical fields.

  1. Sign in to the Risk Dashboard.
  2. In the navigation menu, click Analytics.
  3. While viewing a question, click Visualization.
  4. Click the desired visualization.
  5. If needed, choose your desired options.
  6. Click Done.

See External Metabase documentation for more information.

Export the results of a question

  1. Sign in to the Risk Dashboard.

  2. In the navigation menu, click Analytics.

  3. While viewing a question, click Download full results.

  4. Click .csv, .xlsx, or .json.

    Based on your preference, results are downloaded as a CSV, XLSX, or JSON file.

Analytics dashboards

You can use dashboards to view data from multiple questions at the same time using different visualization and filter options.

In the Risk Dashboard, you can modify dashboards using these actions:

See External Metabase documentation for more information.

Create a new dashboard

  1. Sign in to the Risk Dashboard.

  2. In the navigation menu, click Analytics.

  3. In the menu bar, click Create > New dashboard.

  4. Enter a name and description for the dashboard.

    Note: Other users cannot see dashboards that you save in your personal collection.

  5. Click Create.

  6. Click Edit dashboard.

  7. Click Add a question to add a new question to your dashboard.

    See Edit a dashboard for more information.

  8. Click Save.

Tip: Click Duplicate while viewing an existing dashboard to create a duplicate of the dashboard.

Edit a dashboard

  1. Sign in to the Risk Dashboard.

  2. In the navigation menu, click Analytics.

  3. Click Edit dashboard.

  4. (Optional) Use these tools to edit the dashboard:

    • Add a text box — Add a textbox.

    • Add a filter — Create a filter.

      Tip: Dashboard filters allow you to change your view of all questions in the dashboard without changing the questions themselves.

    • Click behavior — Hover over a question, and then select Click behavior. By default, clicking sorts the column, but you can link it to another question, dashboard, or external URL instead.

    • Visualization options — Hover over a question, and then select Visualization options to adjust formatting options. For example, highlight a column in a table when it meets certain conditions, show values on bar graphs, and create goal lines.

  5. (Optional) To move a question or text box, click and drag the corners of a question or text box.

Enable auto-refresh on a dashboard

You can enable a dashboard to automatically refresh after a certain time period.

Tip: Use auto-refresh with visualization options to see when benchmarks are met in real time. See Edit a dashboard for more information.

  1. Sign in to the Risk Dashboard.
  2. In the navigation menu, click Analytics.
  3. Select a dashboard.
  4. While viewing a dashboard, click Auto-refresh.
  5. Select a refresh interval between 1 and 60 minutes.

View Arctic Wolf Data

Arctic Wolf Data provides a list of data, organized into categories, that you can use when creating questions.

  1. Sign in to the Risk Dashboard.
  2. In the navigation menu, click Analytics.
  3. Click Browse data.
  4. Click Arctic Wolf Data.
  5. Select a category.

Risks data

Risks data includes security risks that Arctic Wolf detected using one or more of these vulnerability and configuration scans:

Arctic Wolf retains this data for the last 12 months.

The Risks table includes this information:

Notes:

  • This table does not contain data gathered from account takeover scans. For a list of account takeover data, see Account Takeover.
  • The City, Country, and Scan ID fields do not populate in this table.
Column — Description
Age — The age of a vulnerability in days.
Asset Category — The type of asset that the risk was detected on. Note: This only populates for risks discovered by an IVA scan.
Asset Criticality — A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are:
  • Unassigned — The default value for all devices.
  • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
  • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact if compromised.
  • Medium — Monitor for risk escalation. These assets have moderate negative impact if compromised.
  • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
  • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
Tip: See Edit asset criticality for more information.
Asset Name — The name or IP address of the asset that the risk was detected on.
Asset Tags — A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag. A tag can be a custom value or one of these preset options:
  • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
  • gdpr — An asset that, if compromised, would make a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
  • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
  • internet_facing — An asset that can be reached through the public internet.
  • network_infra — An asset that makes communication between endpoints possible, including routers, switches, and firewalls.
  • pci — An asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
  • pii — An asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
  • remote_access — An asset that is configured for remote access, including VPN gateways, and sign-in services. For example, RDP and SSH.
Tip: To change this field value, see Edit asset tags.
Attack Vector — The relative location where the risk originated from. Possible values are Adjacent, Local, or Network. Note: This only populates for risks discovered by an IVA scan.
Customer — Your customer ID.
Customer UUID — Your unique identifier.
CVE — The CVE identifiers of associated risks.
Deployment ID — The ID of the Arctic Wolf appliance that detected this.
Date — The date that this entry was generated.
Device ID — The identifier of the asset that the risk was detected on.
First Detected Date — The date when the risk was first detected.
First Identified — Whether this was the first time the risk was detected. Possible values are true or false.
Found By — The category of scan type used to find the risk. This does not populate with Agent scans. Possible values are openvas, webserver, cloudscan|aws, cloudscan|azure, or cloudscan|gcp.
IP Address — The IP address of the asset containing the risk.
Issue Description — A description of the identified risk.
Issue Family — The associative group of the issue name. Note: This only populates for risks discovered by an IVA scan.
Issue Name — The name of the risk.
Latitude — The latitude of the asset that the risk was detected on. This is derived from the IP address of the asset.
Longitude — The longitude of the asset that the risk was detected on. This is derived from the IP address of the asset.
Resolution Date — The date when the risk was resolved.
Risk Score — The risk score at the time that this risk was detected. Tip: See the Risk Dashboard for more information.
Scan Type — The type of scans Arctic Wolf performs from outside the network, inside the network, and on a device with the Arctic Wolf Agent installed. Possible values are eva, iva, or agent.
Source — The origin of the scan. Possible values are agent, sensor, or reach.
State — The state of the risk. Possible values are Open, Acknowledged, In-Planning, Mitigation/Fix in Progress, Mitigated, Unsuccessful Validation, False Positive, or Accepted. Tip: See the Risk Dashboard for more information.
Status — The status of the scan. Possible values are Active, Inactive, or Obsolete. Note: The Mitigated status is not supported in Analytics. Tip: See the Risk Dashboard for more information.
Threat — The severity of the threat. Possible values are Low, Medium, or High. Note: The severity may not be the same value that is displayed in the Risk Dashboard. Risks in the Risk Dashboard can also have a value of Critical.
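
Once a question over the Risks table has been downloaded as a .csv (see Export the results of a question), the same filtering and summarizing can be reproduced offline. The following is an added example, not Arctic Wolf code or part of this guide: it reads a constructed sample export that uses the column names and value vocabularies listed above, keeps only Active risks in an outstanding State, counts them by Asset Criticality and Threat (what Summarize by Count, grouped by those two columns, shows in Analytics), and builds a work queue from the Critical criticality label's "remediate risks immediately" definition plus High threats on internet_facing assets. The comma-separated Asset Tags export format, the choice of which States count as closed, and the sample rows are this example's assumptions.

```python
"""Triage an exported Risks table from Arctic Wolf Analytics.

Added example, not Arctic Wolf code. It assumes a .csv download of the Risks
table whose header uses the column names described on this page, and that a
multi-tag Asset Tags value is exported as one comma-separated string (an
assumption; the page does not state the export format). The rows below are
constructed sample data, not real scan output.
"""
import csv
import io
from collections import Counter

# Constructed sample export. Values use the vocabularies documented on the page.
SAMPLE_RISKS_CSV = """Asset Name,Asset Criticality,Asset Tags,Threat,State,Status,Age,Issue Name
10.0.0.5,Critical,"internet_facing,pci",High,Open,Active,120,Sample issue A
10.0.0.5,Critical,"internet_facing,pci",Medium,Open,Active,12,Sample issue B
web01,High,internet_facing,High,Mitigated,Inactive,300,Sample issue C
fileserver,Medium,backup_recovery,Low,Open,Active,45,Sample issue D
kiosk-3,None,,High,Open,Active,400,Sample issue E
db01,Unassigned,"pii,gdpr",High,Accepted,Active,15,Sample issue F
vpn-gw,High,"internet_facing,remote_access",High,Acknowledged,Active,60,Sample issue G
"""

# Ordering of the Asset Criticality labels defined on the page (highest first).
CRITICALITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "None": 1, "Unassigned": 0}
THREAT_RANK = {"High": 3, "Medium": 2, "Low": 1}

# States that still represent outstanding work. Treating Mitigated, False Positive
# and Accepted as closed is this example's choice, not a definition from the page.
OPEN_STATES = {"Open", "Acknowledged", "In-Planning", "Mitigation/Fix in Progress",
               "Unsuccessful Validation"}


def load_risks(csv_text):
    """Parse the export, converting Age to int and Asset Tags to a set."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Age"] = int(row["Age"]) if row["Age"] else 0
        row["Asset Tags"] = {t.strip() for t in row["Asset Tags"].split(",") if t.strip()}
    return rows


def open_active(rows):
    """Risks from Active scans that are still in an outstanding State."""
    return [r for r in rows if r["Status"] == "Active" and r["State"] in OPEN_STATES]


def count_by_criticality_and_threat(rows):
    """Equivalent of Summarize by Count, grouped by Asset Criticality and Threat."""
    return Counter((r["Asset Criticality"], r["Threat"]) for r in open_active(rows))


def immediate_queue(rows):
    """Risks to work first: anything on a Critical asset (the page's 'remediate
    immediately' label) plus High threats on internet_facing assets (this
    example's addition). Sorted by criticality, then threat, then age, descending."""
    picked = [r for r in open_active(rows)
              if r["Asset Criticality"] == "Critical"
              or (r["Threat"] == "High" and "internet_facing" in r["Asset Tags"])]
    picked.sort(key=lambda r: (CRITICALITY_RANK.get(r["Asset Criticality"], 0),
                               THREAT_RANK.get(r["Threat"], 0), r["Age"]),
                reverse=True)
    return picked


def unassigned_assets(rows):
    """Assets still at the default Unassigned criticality; they cannot be ranked
    until someone sets Asset Criticality, so surface them as a to-do list."""
    return sorted({r["Asset Name"] for r in rows if r["Asset Criticality"] == "Unassigned"})


if __name__ == "__main__":
    risks = load_risks(SAMPLE_RISKS_CSV)
    for (criticality, threat), n in sorted(count_by_criticality_and_threat(risks).items()):
        print(f"{criticality:<11} {threat:<7} {n}")
    for r in immediate_queue(risks):
        print(f"{r['Asset Name']:<12} {r['Threat']:<7} age={r['Age']:>4} {r['Issue Name']}")
    print("Needs criticality:", ", ".join(unassigned_assets(risks)))
```

The Status check matters as much as the State check: a risk whose State is still Open but whose scan Status is Inactive or Obsolete was last seen by a scan that no longer runs, and the page notes that the Mitigated status is not supported in Analytics, so filtering on both columns avoids counting stale rows as current work.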

Account Takeover data

Account takeover data includes third-party account takeover records based on data acquired from the Arctic Wolf account takeover (ATO) monitoring service. These records provide details about third-party breach incidents and the user accounts involved.

The Account Takeover table includes this information:

Column — Description
Breach Description — The description of the event.
Breach ID — The five-digit identifier of the breach.
Breach Time — The date that the breach was detected, formatted in UTC.
Confidence Level — The degree of confidence in whether the account was breached. Possible values are Unverified and Confident.
Customer — Your customer ID.
Customer UUID — Your unique identifier.
Deployment ID — The ID of the Arctic Wolf appliance that detected this.
Email — The email address of the account that was taken over.
Password Decryptable — Whether the password is decryptable. Possible values are Yes or No.
Password Type — The type of password. For example, plaintext. This is often N/A.
Publicly Disclosed Time — The date that the breach was detected, formatted in UTC.
Timestamp — The time that the breach was detected. Tip: This field uses the date functionality in Analytics. This makes it easier to use for filtering.

Discovered Assets data

Discovered Assets data includes a list of assets that Arctic Wolf discovered using one or more of these vulnerability and configuration scans:

The Discovered Assets table includes this information:

Note: The Learned Category and Vendor fields do not populate in this table.

Column — Description
Asset Criticality — A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are:
  • Unassigned — The default value for all devices.
  • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
  • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact if compromised.
  • Medium — Monitor for risk escalation. These assets have moderate negative impact if compromised.
  • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
  • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
Tip: To change this field value, see Edit asset criticality.
Asset Tags — A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag. A tag can be a custom value or one of the following preset options:
  • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
  • gdpr — An asset that, if compromised, would make a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
  • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
  • internet_facing — An asset that can be reached through the public internet.
  • network_infra — An asset that makes communication between endpoints possible, including routers, switches, and firewalls.
  • pci — An asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
  • pii — An asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
  • remote_access — An asset that is configured for remote access, including VPN gateways, and sign-in services. For example, RDP and SSH.
Tip: To change this field value, see Edit asset tags.
Category — The type of asset. Possible values are Desktop, Server, or Unknown.
Customer — Your customer ID.
Customer UUID — Your unique identifier.
Deployment ID — The ID of the Arctic Wolf appliance that detected this.
Device ID — The unique identifier of the asset. Note: This only populates for assets discovered by an IVA scan.
IP Address — The IP address of the asset.
MAC Address — The MAC address of the asset.
Name — The name of the asset. Note: This only populates for assets discovered by an IVA scan.
Ports — The ports the asset is connected through. Note: This only populates for assets discovered by an EVA scan.
Scan ID — The seven-digit identifier of the scan.
Softwares — A list of common service names discovered on the asset. Note: This only populates for assets discovered by an EVA scan.
Tags — The type of scan that discovered the asset. EVA scans are marked with eva and external, and IVA scans are marked with iva.
Timestamp — The time that the asset was detected.

Agent Assets data

Agent Assets data contains information about endpoint devices, or assets, that Arctic Wolf Agent actively monitors. Arctic Wolf retains this data for the last 12 months.

The Agent Assets table includes this information:

Note: The Category field does not populate in this table.

Column — Description
Asset Criticality — A label that helps you prioritize risks based on how critical an asset is to your infrastructure. Possible values are:
  • Unassigned — The default value for all devices.
  • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
  • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact if compromised.
  • Medium — Monitor for risk escalation. These assets have moderate negative impact if compromised.
  • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
  • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
Tip: To change this field value, see Edit asset criticality for more information.
Asset Tags — A set of labels that you apply to an asset to assist with risk mitigation planning. An asset can have more than one tag. A tag can be a custom value or one of these preset options:
  • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
  • gdpr — An asset that, if compromised, would make a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
  • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
  • internet_facing — An asset that can be reached through the public internet.
  • network_infra — An asset that makes communication between endpoints possible, including routers, switches, and firewalls.
  • pci — An asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
  • pii — An asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
  • remote_access — An asset that is configured for remote access, including VPN gateways, and sign-in services. For example, RDP and SSH.
Tip: To change this field value, see Edit asset tags.
City — The name of the city. This field is only populated if the Country field is available.
Client UUID — The unique identifier of the Agent that detected the asset.
Country — The country that the asset is located in.
Country Code — The Alpha-2 code of the country that the asset is located in. See External ISO documentation for more information.
Customer — Your customer ID.
Customer UUID — Your unique identifier.
Deployment ID — The ID of the Arctic Wolf appliance that detected this.
External IP Address — The IP address of the asset.
Latitude — The latitude of the asset. This is derived from the IP address of the asset.
Longitude — The longitude of the asset. This is derived from the IP address of the asset.
Name — The name of the asset.
OS Configuration — The configuration of the OS. Possible values are Additional/Backup Domain Controller, Member Server, Member Workstation, Primary Domain Controller, Standalone Server, or Standalone Workstation.
OS Manufacturer — The manufacturer of the asset OS.
OS Name — The name of the asset OS.
OS Version — The version of the asset OS.
Processor Name — The name of the asset processor.
System Manufacturer — The manufacturer of the asset.
System Model — The model of the asset.
System Type — The type of the asset system. Possible values are x64-based PC, X86-based PC, or ARM64-based PC.
Timestamp — The time that the asset was detected.
User — The user that the asset is registered to.

Installed Software data

The installed software data contains information about the software installed on the endpoint devices or assets that Arctic Wolf monitors. Arctic Wolf retains this data for the last 30 days.

The Installed Software table includes this information:

Note: The Device ID field does not populate in this table.

Column — Description
Asset Name — The name of the asset that the software is installed on.
Client UUID — The unique identifier of the Agent that detected the asset.
Customer — Your customer ID.
Customer UUID — Your unique identifier.
Deployment ID — The ID of the Arctic Wolf appliance that detected this.
Install Date — The date that the software was installed, in UTC format.
Software Name — The name of the software.
Software Vendor — The vendor of the software.
Timestamp — The time that the software was detected.

Processes data

The processes data contains information about the processes that run on the endpoint devices, or assets, that Arctic Wolf monitors. Arctic Wolf retains this data for up to 30 days.

The Processes table includes this information:

Note: The Asset Category, Device ID, and Process Ids fields do not populate in this table.

Column — Description
Asset Name — The name of the asset that the process is running on.
Customer — Your customer ID.
Customer UUID — Your unique identifier.
Deployment ID — The ID of the Arctic Wolf appliance that detected this.
Client UUID — The unique identifier of the Agent that detected the asset.
Process Name — The name of the process.
Timestamp — The time that the process was detected.

Wireless Networks data

The wireless networks data contains information about the wireless networks within detection range of the endpoint devices, or assets, that Arctic Wolf monitors. Arctic Wolf retains this data for the last 90 days.

The Wireless Networks table includes this information:

Column — Description
Asset Name — The name of the asset that the network was detected from.
Audit Time — The time that the network was detected.
Client UUID — The unique identifier of the Agent that detected the asset.
Customer — Your customer ID.
Customer UUID — Your unique identifier.
Deployment ID — The ID of the Arctic Wolf appliance that detected this.
Connected BSSID — The Basic Service Set Identifier (BSSID) of the asset.
Network Type — The network type. Possible values are Adhoc, Computer to Computer Network, Computer-to-Computer, Infrastructure, and Wi-Fi Internet Sharing.
Security — The type of security on the network.
Visible BSSIDs — A list of BSSIDs on the network that are visible from this asset on the network.
Visible SSIDs — A list of Service Set Identifiers (SSIDs) on the network that are visible from this asset.