SIEM Foundations: Configure User-specific ESM Settings

Version 3


    Overview

    Each user who logs into ESM has a few settings that should be set to best match the user's needs.  User options can be accessed via the options link in the top-right corner.

    user-options.png

    There is a fairly wide range of options here for the user to review, but two of them are important to configure early in your work with ESM.

     

    Configure User Time Zone

    ESM allows each user to configure the time zone in which they would like to view events within the ESM UI.  Events are stored in the ESM database normalized to GMT, but are always displayed in the user's configured time zone.  This value defaults to GMT for each new user.  If it is not adjusted, event times in the ESM UI are shown in GMT rather than the user's local time, and the timeframes displayed may be confusing to some users.

    user-time-zone.png

    As a consistency check, the time shown in the lower-right corner of the ESM UI should typically match the time displayed on the local user's workstation, as shown in the screenshot below.

    time-match.png
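The consistency check above can be reasoned about as follows. This is an added example, not part of the original guide or of ESM itself; the function names, the clock string format, and the UTC-6 workstation are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

GMT = timezone.utc  # per the page, events are stored normalized to GMT


def display_time(stored_gmt: datetime, user_tz: timezone) -> str:
    """Render a GMT-stored event time in the user's configured time zone."""
    return stored_gmt.astimezone(user_tz).strftime("%Y-%m-%d %H:%M")


def check_ui_clock(ui_clock: str, workstation_now: datetime,
                   tolerance: timedelta = timedelta(minutes=2)) -> str:
    """Classify the clock read from the ESM UI against the workstation clock.

    ui_clock is the wall-clock text read off the UI (format assumed here).
    workstation_now must be timezone-aware.
    """
    ui = datetime.strptime(ui_clock, "%Y-%m-%d %H:%M")
    local_wall = workstation_now.replace(tzinfo=None)
    gmt_wall = workstation_now.astimezone(GMT).replace(tzinfo=None)
    if abs(ui - local_wall) <= tolerance:
        return "ok"                  # UI matches the workstation
    if abs(ui - gmt_wall) <= tolerance:
        return "profile-still-gmt"   # off by exactly the local UTC offset
    return "other-mismatch"          # wrong zone selected, or clock drift


# Constructed sample data: a workstation at UTC-6 and one stored event.
WORKSTATION_TZ = timezone(timedelta(hours=-6))
EVENT_STORED = datetime(2024, 3, 5, 2, 30, tzinfo=GMT)
WORKSTATION_NOW = datetime(2024, 3, 4, 20, 31, tzinfo=WORKSTATION_TZ)

if __name__ == "__main__":
    # The same stored event lands on different calendar days per profile.
    print("default GMT profile :", display_time(EVENT_STORED, GMT))
    print("UTC-6 profile       :", display_time(EVENT_STORED, WORKSTATION_TZ))
    for clock in ("2024-03-04 20:31", "2024-03-05 02:31", "2024-03-04 21:31"):
        print(clock, "->", check_ui_clock(clock, WORKSTATION_NOW))
```

A result of `profile-still-gmt` points at the default described above: the user's time zone option was never changed from GMT.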

     

    Configure User Default Views

    Each user also has a number of configurable views that should be set early on.  The default views (Default Summary) are helpful in some circumstances, but do not necessarily provide the best initial view into your enterprise data.  Over time, it is typical for users to craft their own views to meet their unique needs.  However, the selections shown below make a good starting point:

     

    Default System View: This is the view that is displayed when first logging into the ESM.  It's also the view that is displayed when the user selects the Home icon in the top-center of the ESM UI.  Suggested initial default: Dashboard Views/Incidents Dashboard.  This view highlights correlated events, which are often among the more interesting things that the SIEM can highlight.

     

    Event Summarize View: This view is displayed when the user pivots using the Summarize option on events.  See SIEM Foundations: Learn basic navigation for more details on the Summarize feature.  It's useful to have a view here that provides a great deal of event detail in a single pane.  Suggested default: Dashboard Views/Normalized Dashboard

     

    Flow Summarize View: This view is displayed when the user pivots using the Summarize option on flows.  See SIEM Foundations: Learn basic navigation for more details on the Summarize feature.  It's useful to have a view here that provides a great deal of flow detail in a single pane.  Suggested default: Flow Views/Default Flow Summary

     

    user-views.png

     

     
