All About Spyderbat Dashboards
Detailed overview of the Dashboard section of the console, including collected types of data, data management (sorting, filtering and grouping), and shortest path to investigating suspicious activity.
Published: July 20, 2023
The Dashboard section of the Spyderbat UI is located at the top of the left-hand navigation panel. If there is at least one source configured in the Spyderbat UI for your organization, you will be directed to the Dashboard homepage upon successful login to the console. If you have not yet set up any Sources (data collection) within your monitoring scope, please refer to our Documentation portal to access one of our How-To Guides for Spyderbat Nano Agent Install.
The Dashboard section provides a consolidated, at-a-glance overview of the operational and security data points captured by monitoring assets with active Spyderbat Nano Agents.
The Dashboard section comprises several default groups of dashboard cards. Each individual dashboard card represents a structured output of a Lucene search query crafted using a set of criteria set forth by Spyderbat security analysts.
As you can see, all dashboard cards are of the same default height, which means that there are only so many rows that can be displayed within the card even with the scroll bar. Spyderbat dashboard cards surface the top 100 rows, and indicate the total number of rows that meet the dashboard card criteria in the dashboard card header.
If you need to view or export all the data, you can do so through Search by clicking “view all [total number]”, or “view first 10K” if more than 10K rows are returned. In the latter case, it is highly advisable to apply additional search or filtering criteria to reduce the volume of data, which we will cover shortly.
By default all dashboard cards are of fixed height and width. And while the height of the card cannot be adjusted, the width could be maximized to double the amount of available real estate and pull more columns into the immediate card view. To do this, you need to hover over the card you wish to expand and click on the “maximize” symbol:
You can also adjust the selection of columns displayed by clicking the Columns drop down and updating your selections to show or hide certain columns.
You can also hide a specific column by selecting “Hide” from the drop-down menu accessible via the ellipsis on that column header:
Finally, you can move columns around and change their order by dragging them by the column header to the left or right. You can also manually adjust the column width.
Please note that the changes you make to the formatting and appearance of your dashboard cards will not persist and will be limited to the duration of your user session, so if you were to refresh the page or leave and log back in later, the changes will revert back to the default view.
While the search queries behind the default dashboard cards cannot be modified within the default card itself, a number of data sorting and filtering options allow you to fine-tune the data output within the default card.
The first feature to note is the option to adjust the time range for which data is pulled into the dashboard card. By default, the range is set to 24 hours, but the available options range from 1 hour back to 30 days back and can be applied in the drop-down. Your selection will persist unless you switch to a different organization or refresh the page.
The Filters option in the upper left part of the card allows you to apply additional filters to existing columns so that only the data meeting the filtering criteria is displayed. To set up a filter, click the Filters icon, select the column you wish to filter from the drop-down, and set up your filtering criteria. Make sure to click Apply Filters to save your filter settings:
You can apply multiple filters to different columns, using either an “AND” or an “OR” operator to combine them. The total number of filters applied to your dashboard card will be displayed in a little blue dot on the Filters option in the upper left corner of the screen. If there is a filter applied to a column, you will see a small filter icon on that column. If you hover over that icon, you will be reminded how many active filters you have set up against that column and will be able to edit them by clicking on the icon directly:
To remove the filters you will need to click the X next to the filter and then click Apply Filters button to save your changes:
You can also sort the data within the selected column in ascending or descending order by hovering over the column header. An arrow will then be visible next to the header to indicate the sorting option applied, ascending or descending. If the arrow symbol is light gray (not white), the Unsort option is in place:
Alternatively, the sorting could be applied by clicking the ellipsis icon (three vertical dots) when hovering over the desired column and selecting the Sort ASC or Sort DESC from the menu.
Just like with rearranging the dashboard card columns, the sorting and filtering of data in the dashboard cards will not persist and will revert back to the default view if you navigate away from the dashboards section.
Additional filtering and sorting of the data with intent to reduce the noise and improve quality of data from the security perspective can be performed by tweaking and tuning the search query. This can be done by hovering over the desired dashboard card and clicking the “Run in Search” option, which will take you to the Search section of the UI:
In addition to filtering and sorting the data within the card, some dashboard cards allow grouping the data into summary rows by column values. By default, several cards have been selected by Spyderbat analysts to have Grouping feature enabled and all data grouped based on the specific criteria called out in the first column:
You can expand a select grouping by clicking on the accordion symbol:
If you turn off grouping by moving the slider on the right from “Grouping Enabled” to “Grouping Disabled”, all rows will be displayed in an unsorted order.
When “Grouping Enabled” is on, you can also apply nested grouping based on the values within other columns by clicking the ellipsis (three vertical dots) on the column whose values you wish to use for the nested row grouping and selecting “Group by [column name]”:
To remove nested grouping, you will have to follow the same steps and choose “Stop Grouping by [column name]” from the drop down. To remove all grouping, just flip the “Grouping Enabled” slider to “Grouping Disabled”:
Besides offering you extensive observability options and a holistic view of your security posture, Dashboard cards allow you to easily segue into investigating any suspicious or simply interesting activity in your monitored environment. All you need to do to start an investigation is select one or more rows in one or multiple dashboard cards and click “Start Investigation”.
Clicking the X in the “Start Investigation” pop-up will automatically deselect all rows.
At any time during your investigation you can go back to the dashboards section to add more items to your existing investigation or start a brand new investigation:
If you choose to start a new investigation, the existing open investigation will get overwritten, unless you save an Investigation Link.
If you are focusing your investigation on K8s assets and inventory, rather than processes, the system will prompt you to run a K8s investigation.