Top Menu

The console features are distributed in different areas or zones accessible from the top menu:

  • Dashboard

  • Indicators

  • Investigations

  • Settings

  • Product management

  • User account

Dashboard Area

The Dashboard area shows the console control panel from which analysts and SOC administrators can see all the information about completed investigations and indicators. The dashboard widgets are interactive: when you click an area of a graph, the console switches to the zone that holds the data Cytomic Orion used to generate that graph.

Indicators Area

The Indicators area shows the list of hypotheses generated by the real-time cyberattack radar for Tier 1 analysts to complete the triage and create the investigations to be carried out by Tier 2 technicians. The indicator module provides all the necessary tools for managing indicators (status change, filter, basic information about the computer that triggered the indicator, etc.).

Investigations Area

This area contains the list of investigations created, basic tools for managing them, and the investigation details that Tier 2 analysts use.

Notifications Area

To access the general notifications that Cytomic provides to all console users, click the notifications icon. Notifications are sorted by date and can include information about:

  • Scheduled maintenance.

  • Critical vulnerability warnings.

  • Security advice.

Each notification has a priority level:

  • Important

  • Warning

  • Information

The number on the icon indicates the number of unread notifications. When you open the notifications panel, all content is considered read, the counter is reset to zero, and the number is no longer visible.

Archive Notifications

To archive a web notification, click the cross icon. Archived notifications are no longer shown in the drop-down menu.

To access archived notifications, click the View all notifications link.

Notifications older than one month are considered expired and are deleted from the notifications area.

Persistent Notifications

These are important notifications that do not have a cross icon. You cannot archive them manually.

Always Visible Notifications

Some notifications are considered mandatory and are shown just below the top menu. If there is more than one, they are listed one below the other, each taking up the entire width of the page. The importance of the notification is indicated by the same color scheme as for normal notifications.

If an analyst closes an always visible notification by clicking the cross icon, it is automatically shown again whenever a user opens the analysis console.

Always visible notifications also appear in the notifications panel. You cannot archive them manually.

Settings Area

The left panel enables you to set parameters to regulate access to the console and the service as well as to configure the presentation of data:

  • Users: Manage the user accounts that access the console, along with their permissions and the visibility they have of SOC clients’ computers. See Access, Control, and Monitor the Analysis Console.

  • Authorized applications: Establish permissions for accessing the various APIs from third-party applications. See Cytomic Orion Integration with SOC Tools.

  • Clients: Manage and organize the clients the SOC can access into groups. See Client Visibility Settings.

  • IOCs: Shows a list of the indicators of compromise loaded using the Cytomic Orion API. See IOC API.

  • Hunting rules: Manage the rules that analyze the telemetry sent from monitored computers for patterns of events that could belong to the Cyber Kill Chain (CKC) of a cyberattack. See Manage Hunting Rules.

  • Deletion rules: Manage rules that automatically delete indicators considered not useful for the analyst. See Delete Indicators Automatically.

  • Automated investigations: Create and publish notebooks that SOC analysts can then use to perform investigations. See Use Notebook Templates.

  • Quick answers: Create and publish small, reusable code snippets that SOC analysts can combine to speed up investigations. See Use Quick Answers with Notebooks.

  • Graph templates: Create and publish graphs that SOC analysts can then use to perform investigations. See Use Notebook Templates.

  • My preferences:

    • Notify me each time an investigation is assigned to me: Cytomic Orion sends an email message to the console user who has been assigned an investigation. This option is disabled by default.

    • Email me notifications about new versions, Cytomic communications, etc.

    • Email me when the data used in queries approaches the maximum quota: See Assigned Data Dashboard.

    • Theme: Personalize the console appearance.

    • Default time zone: Set the time zone for the events shown in the console. Internally, all events monitored and managed in Cytomic Orion are timestamped in UTC+0. Because a SOC may investigate computers located in other time zones, analysts can set a different default time zone for the whole console. After you select it, the dates shown in the console are displayed in the chosen time zone, and the dates entered by analysts are translated internally to UTC+0 according to that time zone. In addition, throughout the console you can select a different time zone in each list or date-type text box to work with several time zones simultaneously.

  • Activity log: Stores the operations performed by the SOC user accounts. See User Account Activity Log.
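The Default time zone preference above describes a two-way translation: stored events are UTC+0, displayed dates are rendered in the console zone (or a per-list override), and dates an analyst types are interpreted in the console zone and converted back to UTC before they touch the stored telemetry. The following Python script is an added example that is not Cytomic Orion code; it reproduces that translation with the standard library's zoneinfo module over a few constructed events, and also shows the DST-gap edge case (a local wall-clock time that does not exist on the day clocks move forward), which is where time-window queries entered in a local zone quietly go wrong.

```python
from datetime import datetime, timezone
from typing import List, Optional
from zoneinfo import ZoneInfo

# Constructed sample events, stored in UTC+0 as the text says the console does.
# These are illustrative records, not real Cytomic Orion telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_start", "ts_utc": "2024-03-10T06:30:00Z"},
    {"id": 2, "event": "network_connect", "ts_utc": "2024-03-10T07:15:00Z"},
]


def parse_utc(ts: str) -> datetime:
    """Parse a stored ISO-8601 timestamp ending in 'Z' into an aware UTC datetime."""
    if not ts.endswith("Z"):
        raise ValueError("stored timestamps must be UTC (trailing 'Z')")
    return datetime.fromisoformat(ts[:-1]).replace(tzinfo=timezone.utc)


def to_console_zone(ts_utc: str, console_tz: str,
                    override_tz: Optional[str] = None) -> str:
    """Render a stored UTC timestamp in the console default zone.

    override_tz models the per-list / per-text-box zone selection the console
    allows on top of the global default.
    """
    zone = ZoneInfo(override_tz or console_tz)
    return parse_utc(ts_utc).astimezone(zone).isoformat()


def analyst_input_to_utc(local_ts: str, console_tz: str) -> str:
    """Translate a date typed by an analyst in the console zone back to UTC+0.

    The input is wall-clock time in console_tz with no explicit offset. A value
    that falls in a DST gap (e.g. 02:30 on the spring-forward day) has no real
    instant behind it, so it is rejected instead of being silently shifted.
    """
    naive = datetime.fromisoformat(local_ts)
    if naive.tzinfo is not None:
        raise ValueError("analyst input is expected without an explicit offset")
    zone = ZoneInfo(console_tz)
    aware = naive.replace(tzinfo=zone)
    # Round-trip check: a wall-clock time that exists survives UTC and back unchanged.
    if aware.astimezone(timezone.utc).astimezone(zone).replace(tzinfo=None) != naive:
        raise ValueError(f"{local_ts} does not exist in {console_tz} (DST gap)")
    return aware.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def events_in_window(events: List[dict], start_local: str, end_local: str,
                     console_tz: str) -> List[int]:
    """Return ids of UTC-stored events inside a [start, end) window entered in console_tz."""
    start = parse_utc(analyst_input_to_utc(start_local, console_tz))
    end = parse_utc(analyst_input_to_utc(end_local, console_tz))
    return [e["id"] for e in events if start <= parse_utc(e["ts_utc"]) < end]


if __name__ == "__main__":
    # 2024-03-10 is the US spring-forward date, so the two events straddle the
    # EST -> EDT transition and render with different offsets in New York.
    for e in SAMPLE_EVENTS:
        print(e["id"], to_console_zone(e["ts_utc"], "America/New_York"),
              to_console_zone(e["ts_utc"], "America/New_York", "Europe/Madrid"))
    # A two-hour local window that is really only one hour of elapsed UTC time.
    print(events_in_window(SAMPLE_EVENTS, "2024-03-10T01:00:00",
                           "2024-03-10T03:00:00", "America/New_York"))
```

The round-trip check in analyst_input_to_utc is the piece worth keeping: Python's zoneinfo resolves a non-existent local time by applying the pre-transition offset, so without the check a query typed as 02:30 local would silently run as 03:30 local, and a window such as 01:00 to 03:00 on that day covers only one real hour of telemetry.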

Product Management Area

This area shows a drop-down menu with these options:

  • Online help: Access to the product help file.

  • User guide: Access to the user guide.

  • License agreement: EULA (End User License Agreement).

  • Language: Change the language of the console.

  • About Cytomic Orion: Shows version information.

Product management menu

User Account Area

This area shows a drop-down menu with these options:

  • Set up my profile: Change the information of the account you are using.

  • Change organization: List of the accounts that can be accessed by the administrator. Select an account to operate the console.

  • Log out: Logs you out of the console and takes you back to the IdP page.

User account menu