
SIEM Foundations: Configure User-specific ESM Settings

Overview

Each user who logs into ESM has a few settings that should be set to best match the user's needs.  User options can be accessed via the options link in the top-right corner.

user-options.png

There is a fairly wide range of options here for the user to review, but two are important to configure early in your work with ESM.

Configure User Time Zone

ESM allows each user to configure the time zone in which they would like to view events within the ESM UI.  Events are stored in the ESM database normalized to GMT, but are always displayed in the user's configured time zone.  This value defaults to GMT for each new user.  If it is not adjusted, then the timeframes displayed in the ESM UI may be confusing to some users.

user-time-zone.png

As a consistency check, the time shown in the lower-right corner of the ESM UI should typically match the time displayed on the local user's workstation, as shown in the screenshot below.

time-match.png

Configure User Default Views

Each user also has a number of configurable views that should be set early on.  The default views (Default Summary) are helpful in some circumstances, but do not necessarily provide the best initial view into your enterprise data.  Over time, it is typical for users to craft their own views to meet their unique needs.  However, the selections shown below make a good starting point:

Default System View: This is the view that is displayed when first logging into the ESM.  It's also the view that is displayed when the user selects the Home icon in the top-center of the ESM UI.  Suggested initial default: Dashboard Views/Incidents Dashboard.  This view highlights correlated events, which are often among the more interesting things that the SIEM can highlight.

Event Summarize View: This view is displayed when the user pivots using the Summarize option on events.  See for more details on the Summarize feature.  It's useful to have a view here that provides a great deal of event detail in a single pane.  Suggested default: Dashboard Views/Normalized Dashboard

Flow Summarize View: This view is displayed when the user pivots using the Summarize option on flows.  See for more details on the Summarize feature.  It's useful to have a view here that provides a great deal of flow detail in a single pane.  Suggested default: Flow Views/Default Flow Summary

user-views.png

Comments
jo_impakt

That is great, however once we do a drilldown (Pancake > Event Drilldown > Events) there is a table with some fields in it by default.

How can we change the fields shown by default in this kind of view (For all next drilldown on events)?

staschler

Unfortunately, I'm not aware of a way to change the default columns that show up when you do a drill down to event details in this manner.  Your best option would be to create a custom view with an Event Details panel configured the way you want it, and switch to that view when needed.  In most cases, I will include a panel like this in my default Summarize view.  If you choose "Pancake > Summarize" instead of "Pancake > Event Drilldown > Events" this would accomplish your goal without adding any extra clicks.

Scott

jo_impakt

Hi Scott,

Thx for looking into this. Too bad it isn't possible at this time. Sometimes users want different/other fields when running that command on any of the dashboards

Version history
Revision #: 1 of 1
Last update: 09-02-2014 01:40 PM