McAfee SIEM - How to use the new Stacked Distribution Charts in views and reports in McAfee SIEM 9.4

Version 1


    Overview

     

    McAfee SIEM version 9.4 now offers stacked bar, line, and area charts in views and reports so you can see the distribution of events related to a specific field. Stacked charts are a great addition that allow you to visualize the contribution of individual items to the total and to compare them against each other.

     

    In this document, you will take a first look at a stacked chart, using the powerful drill-down and binding features of the McAfee SIEM console. You will then create your own view and add a stacked distribution chart component to it. Finally, you will create a report that includes a stacked chart. This is a useful document to review if you want to get familiar with stacked charts and understand the basics of drill-downs, binding, and creating views and reports.

     

     

    Video

     

    You can also watch the steps described in this document by viewing the video below.


    Procedure

     

    1. First look at a Stacked Chart

     

    Below, you can see a custom view to which we’ve added a stacked event distribution component.

     

    image001.png

     

    Let’s expand this component so we can see it better. We’ll do that by clicking on the icon at the top right corner of the component. That component shows us at a glance that IRC and Instant Messaging events make up the majority of our events at any given time. That’s one of the benefits of stacked charts. If you click on the edge of the chart, you’ll see a pop-up that gives you details about the section you are looking at. Here, we can see that the IRC instant messaging traffic made up exactly 48% of our events between noon and 2pm on June 17th, for a total of 163,611 events.

     

    image002.png

     

    Stacked charts benefit from all the drill-down and binding features available in the McAfee SIEM console. Let’s see a quick example by drilling down on the IP addresses. To do that, click on the menu on the top left side of the event pane, and select Event Drilldown, Network, and Source IPs.

     

    image003.png

     

    Now we can see the breakdown of the IP addresses that make up our chart.

     

    image004.png

     

    We are curious about the drops in activity and want to drill down on those times, to see what is going on when everything seems to be quiet. Select that time frame by holding down the right mouse button across it.

     

    image005.png

     

    All the elements of the view refresh and we are shown only the events for that time period and the IP addresses that are associated with them. This is thanks to the Data Binding feature of the McAfee SIEM, which can automatically filter the components of a view when you make a selection in one of them.

     

    We can see that the events are mostly identical. There are just fewer of them.

     

    image006.png

     

    2. Adding a Stacked Chart to a View

     

    Now let’s see how to add a stacked distribution component to your views and reports. Let’s start with adding it to a view. First, we’ll create a new custom view, so we do not tamper with the ones that we have already created.

     

    In the top middle of the console, click on the "Create New View" icon.

     

    image007.png

     

    The View Editing Toolbar comes up.

     

    Then drag and drop the "Distribution" component. The query wizard opens.

     

    image008.png

     

    image009.png

     

    You are asked to select the type of query. Stacking is available for Distribution and Total Severity Per Period queries. Here we are going to select Distribution.

     

    Click next.

     

    Then click Stacking.

     

    This is where you define the criteria for what you want to stack and how you want to stack it.

     

    image010.png

     

    Under "Field to group bar segments by," select the field you want to stack. In our case, we would like to stack by source IP address.


    The "Number of bar segments per bar" option lets you choose how many segments you want. We’ll leave it at ten, which will stack our top 10 source IP addresses.

     

    Click OK.

     

    Click Finish.

     

    Our new view with our stacked distribution chart appears.

     

    image011.png

     

    Let’s save it by clicking Save As. You can choose under which folder to save the new view. Here, we are going to save the chart as "Stacked Chart" under Executive Views. If we want to use this view again, we’ll just navigate to Executive Views, Stacked Chart.

     

    image012.png

     

    Once your view is open, you have the ability to change the chart type very quickly, like for any other view component, by clicking on the "Chart Type" icon at the bottom right of the distribution component. Here we are going to change it to a stacked column chart.

     

    image013.png

     

    You can also change your stacked chart properties on the fly by clicking on the "Chart Option" icon at the bottom left of your distribution component. You can change the stacking options, the number of segments, whether to show how much the other (unstacked) values contribute to the overall total, and whether to display the legend. Under Time Interval Options, you can choose the time frame that each bar represents.

     

    Finally, under Chart Options, you can choose the chart type. To close the chart options window, click on the "Chart Option" icon again.
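    To make concrete what a stacked distribution component computes (the per-bar breakdown seen in the first section, where one segment made up 48% of a two-hour bar, and the stacking options described above: the field to group by, the number of segments per bar, the "other" contribution and the time interval per bar), here is an added Python example. It is not McAfee code and does not use any SIEM API; it runs the same aggregation over a small set of constructed events: bucket by interval, count each value of the grouping field, keep the top-N values overall as segments and fold the remainder into "Other". The event field names, IP addresses and counts are all assumed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample events (not real SIEM data). Each event carries a
    timestamp and a Source IP, which is the field we stack by."""
    base = datetime(2014, 6, 17, 12, 0)
    # (offset hours, src_ip, count): a busy noon-2pm period, then a quiet 2pm-4pm period
    plan = [
        (0, "10.0.0.5", 48), (0, "10.0.0.7", 30), (0, "192.168.1.9", 22),
        (2, "10.0.0.5", 6), (2, "10.0.0.7", 4), (2, "172.16.3.3", 2),
    ]
    events = []
    for hours, ip, count in plan:
        for i in range(count):
            # spread the events through the two-hour window so bucketing is exercised
            ts = base + timedelta(hours=hours, minutes=(i * 7) % 120)
            events.append({"ts": ts, "src_ip": ip})
    return events


def stacked_distribution(events, field, interval, top_n):
    """Bucket events by `interval`, count each value of `field` per bucket,
    keep the top_n values (ranked over the whole time range) as segments and
    fold everything else into an 'Other' segment.
    Returns {bucket_start: [(label, count, percent_of_bucket), ...]}."""
    buckets = defaultdict(Counter)
    for ev in events:
        # floor the timestamp to the start of its interval (aligned to midnight)
        bucket = ev["ts"] - (ev["ts"] - datetime.min) % interval
        buckets[bucket][ev[field]] += 1

    overall = Counter()
    for counts in buckets.values():
        overall.update(counts)
    top = [value for value, _ in overall.most_common(top_n)]

    chart = {}
    for bucket in sorted(buckets):
        counts = buckets[bucket]
        total = sum(counts.values())
        segments = [(v, counts[v], round(100.0 * counts[v] / total, 1))
                    for v in top if counts[v]]
        other = total - sum(counts[v] for v in top)
        if other:
            segments.append(("Other", other, round(100.0 * other / total, 1)))
        chart[bucket] = segments
    return chart


def chart_rows(chart):
    """Flatten the chart into (bucket label, segments) rows for display."""
    return [(b.strftime("%Y-%m-%d %H:%M"), segs) for b, segs in sorted(chart.items())]


def demo(top_n=3, interval_hours=2):
    """Stack the sample events by Source IP with the given options."""
    chart = stacked_distribution(build_sample_events(), "src_ip",
                                 timedelta(hours=interval_hours), top_n)
    return chart_rows(chart)


if __name__ == "__main__":
    for label, segments in demo():
        print(label)
        for name, count, pct in segments:
            print(f"    {name:<14} {count:>5}  {pct:>5.1f}%")
```

Running it prints one block per two-hour bar; the quiet 2pm bar shows how a value outside the top N ends up in "Other", which is what the "other values" chart option toggles in the console. Changing the `interval_hours` argument plays the role of the Time Interval Options, and `top_n` plays the role of "Number of bar segments per bar".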

     

    image014.png

     

    3. Adding a Stacked Chart to a Report

     

    Now that we have seen how to add a stacked chart to a view, let’s see how to add one to a report.

    We can access the SIEM Reports from the Reports quick link at the top right of the console.

     

    image015.png

     

    The report property window opens. Click Add at the top right corner to open the Add Report Menu.

     

    image016.png

     

    In section 1, enter a Report Name, and a Description.

     

    In Section 2, click the dropdown and select "Manual."

     

    image017.png

     

    We’ll skip section 3.

     

    In section 4, select a Report PDF format, uncheck the email option and check ‘File saved to the ESM.’ Specify a name under which you would like the report to be saved. You can keep the default.

     

    image018.png

     

    Under section 5, click Add. The report writer opens. Then drag and drop the "Distribution" component.

     

    image019.png

     

    Just like for views, select "Distribution." Click Next. The query wizard opens.

     

    Click on Stacking, and you’ll notice that we have the same options as when we added a stacked chart component to a view.

     

    image020.png

     

    Under "Field to group bar segments by," select the field you want to stack. In our case, we would like to stack by source IP address.

     

    The "Number of bar segments per bar" option lets you choose how many segments you want. We’ll leave it at ten, which will stack our top 10 source IP addresses.

     

    Again, we are going to group by "Source IP," and use the default for the other options.

     

    image021.png

     

    Click OK. We are back in the Query Wizard.

     

    We now need to give a time range for our component. Click on the Filters button.

     

    We are going to use "Current Day" as the Time Range.

     

    image022.png

     

    Now, we need to give our new layout a name, description, and other options such as orientation. Here we’ll just give it a name and keep all the defaults. Click Save and close the window.

     

    image023.png

     

    You can see that our new layout has been added.

     

    image024.png

     

    Click Save again to save the report itself. The new report has been added.

     

    image025.png

     

    Click on Run Now to run it.

     

    image026.png

     

    The "Selected reports are being generated" dialog box opens. Click OK. After a couple of seconds, the report file will be ready for download.

     

    Click the File button at the bottom of the window.

     

    image027.png

     

    image028.png

     

    Click Download. The download dialog box opens.

     

    image029.png

     

    Click Yes. Save the file and open it.

     

    image030.png

     

    Conclusion

     

    We’ve looked at the new stacked charts available in McAfee SIEM 9.4 and seen how they help us discover what is going on even faster. We’ve also seen how to add them to views and how to modify them on the fly, and finally, we’ve seen how to create a report that contains a stacked chart.

    Useful Links

     

    For more information about the McAfee SIEM, visit:

     

    McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

     

    McAfee SIEM Community: https://community.mcafee.com/community/business/siem

     

    McAfee Sales page: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales