This article covers the basics of how to use the ContraForce Command page.
The Command Page is an essential component of the ContraForce portal. It serves as a guide to your environment and the data being processed from it, lets you address the highest-priority incidents quickly, and gives you summary cards that visualize what is happening across your resources. This high-level overview of events, alerts, and incidents helps you, as the security operator, monitor and protect your environment effectively.
|Timeframe Dropdown||The Timeframe Dropdown is at the top right of the Command Page. It offers 24 hours, 48 hours, 7 days, 14 days, and 28 days, and the selection sets the timeframe the cards on the page report on.|
|Incident Response||The Incident Response card counts incidents by severity for the selected timeframe. The trend (up or down arrow) compares that count against the previous timeframe of the same length. The symbols represent Endpoint, Network, Cloud, Identity, and App; a symbol is highlighted when that category has at least one incident in the timeframe. This helps you see where incidents of each severity are originating from in your environment. Clicking the Review button takes you directly to the Incidents page; for more information, see the article on the Incidents page.|
|High Severity Incidents||High Severity Incidents is a card you should keep an eye on at all times: it lists the incidents that require immediate review. Clicking the Title of an incident opens the Incident Response Report, which gives you the incident summary and the timeline. To investigate the incident, click the Action button; this opens the Investigate page, which shows a graph of all related entities.|
|Open Incidents||Open Incidents gives you a sense of the total number of incidents generated in your environment within the selected timeframe. The time indicators on the x-axis change with the timeframe selected. Hovering over any column shows a summary of the number of New, Active, and Closed incidents in that interval.|
|Current Alerts||While Incident Response categorizes incidents by severity, Current Alerts categorizes alerts by origination point (Endpoint, Network, Cloud, Identity, and App). This is useful because it can point to areas of weakness in your environment: if, for example, you consistently have more Network alerts than any other category, that area of your environment may need further hardening. As on the Incident Response card, a trend indicator compares each category against the previous timeframe of the same length.|
|MITRE ATT&CK Threat Detectors||Here, incidents are categorized by the MITRE ATT&CK technique they correspond to. As with Current Alerts, if one technique accounts for more incidents than the others, you as the operator should pay special attention to that area of your environment, since it could be more exposed than the rest.|
|Security Events By Source||Security Events By Source shows the total number of events generated within the selected timeframe, broken down by source. This indicates how much data the ContraForce portal is ingesting: events generate alerts, which in turn generate incidents. It can also be used to locate weaknesses within your environment.|
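To make the timeframe and trend behaviour of the Incident Response and Current Alerts cards concrete, here is an added Python example. It is not ContraForce code; the alert records, the `NOW` reference time, and the function names are constructed for illustration. It counts alerts per category in the selected window, repeats the count for the immediately preceding window of the same length, and derives the up/down trend, including the case where the previous window had no alerts at all (shown as "new" rather than as a division by zero or a misleading "up").

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Category labels as shown on the Command Page cards.
CATEGORIES = ("Endpoint", "Network", "Cloud", "Identity", "App")

# Timeframe Dropdown options, expressed in hours (assumed mapping).
TIMEFRAMES_HOURS = {
    "24 hours": 24,
    "48 hours": 48,
    "7 days": 7 * 24,
    "14 days": 14 * 24,
    "28 days": 28 * 24,
}

# Constructed sample data (not real ContraForce alerts): (timestamp, category).
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    (NOW - timedelta(hours=1), "Network"),
    (NOW - timedelta(hours=5), "Network"),
    (NOW - timedelta(hours=20), "Identity"),
    (NOW - timedelta(hours=23, minutes=59), "Network"),  # just inside the 24h window
    (NOW - timedelta(hours=30), "Network"),              # previous 24h window
    (NOW - timedelta(hours=40), "Endpoint"),             # previous 24h window
    (NOW - timedelta(hours=47), "Identity"),             # previous 24h window
    (NOW - timedelta(hours=60), "Cloud"),                # outside both 24h windows
]


def count_by_category(alerts, start, end):
    """Count alerts per category whose timestamp satisfies start <= ts < end.

    The half-open interval guarantees an alert sitting exactly on the boundary
    is counted in exactly one of two adjacent windows, never both or neither.
    """
    counts = Counter({category: 0 for category in CATEGORIES})
    for ts, category in alerts:
        if start <= ts < end:
            counts[category] += 1
    return counts


def trend(current, previous):
    """Direction of change versus the previous window of the same length."""
    if previous == 0:
        return "new" if current > 0 else "flat"
    if current > previous:
        return "up"
    if current < previous:
        return "down"
    return "flat"


def card_summary(alerts, timeframe, now=NOW):
    """Per-category count, previous-window count, trend and highlight flag."""
    window = timedelta(hours=TIMEFRAMES_HOURS[timeframe])
    current = count_by_category(alerts, now - window, now)
    previous = count_by_category(alerts, now - 2 * window, now - window)
    return {
        category: {
            "count": current[category],
            "previous": previous[category],
            "trend": trend(current[category], previous[category]),
            # A category symbol is highlighted when it has at least one hit.
            "highlighted": current[category] > 0,
        }
        for category in CATEGORIES
    }


def busiest_category(summary):
    """The origination point with the most alerts in the current window."""
    return max(CATEGORIES, key=lambda category: summary[category]["count"])


if __name__ == "__main__":
    for timeframe in ("24 hours", "48 hours"):
        summary = card_summary(SAMPLE_ALERTS, timeframe)
        print(f"--- {timeframe} ---")
        for category, row in summary.items():
            mark = "*" if row["highlighted"] else " "
            print(f"{mark} {category:9} {row['count']:3} (prev {row['previous']:3}) {row['trend']}")
        print("busiest:", busiest_category(summary))
```

Switching the dropdown from 24 hours to 48 hours moves the 30h, 40h and 47h alerts from the previous window into the current one, so categories that read "up" or "down" over 24 hours all read "new" over 48 hours because the new previous window (48 to 96 hours ago) holds only the single Cloud alert. Reading a trend arrow without noting the timeframe it is relative to is therefore an easy way to misjudge whether a category is actually getting worse.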