Security incident treemaps

When the Security Incident Analytics plugin is activated, you can add the Security Incident - Service Impact and Security Incident - Real-time treemaps to the Security Incident Response overview. After they have been added, you can configure the treemaps by modifying treemap categories and indicators.

Figure 1. Security incident treemap

Add treemaps to the Security Incident Response overview

Treemaps display hierarchical (tree-structured) data as a set of nested rectangles. Each branch of the tree is given a rectangle, which is then tiled with smaller rectangles representing subbranches. Treemaps allow you to display security incident information in a dynamic, engaging way.

Before you begin

Role required: sn_si.admin

Procedure

  1. Navigate to Security Incident > Overview.
  2. Click Add content in the top left corner of the page to open the widget selection control.
  3. In the first selection box, click Treemap.
  4. In the second selection box, select the treemap you want to insert from the following list:
    Note: The Business Impact treemap appears on the Security Incident Response homepage by default. The Service Impact and Real-time treemaps require that the Security Incident Analytics plugin is activated.
  5. In the third selection box, select the level of granularity of information you want retrieved for the selected treemap.
    Note: For the Security Incident - Service Impact treemap, select Security Incident in the third selection box. This selection provides a choice list with multiple data categories.
  6. At the bottom of the screen, click the location on the screen where you want to add the gauge.
  7. Close the Add content box.

Create or update a treemap category

You can modify the predefined categories for the security incident treemaps or create categories as needed.

Before you begin

Role required: sn_si.admin

The treemaps use performance analytics as the data source. The Performance Analytics module requires a separate plugin.

About this task

In the base system, treemap categories such as Incident Risk, Denial of Service, and Incident Severity are included. You can modify these categories or define more categories as needed.

Procedure

  1. Navigate to Security Incident > Administration, and open the treemap definition you want to configure categories for:
    • Service Criticality Reporting Definition
    • Real-time Definition
  2. (Optional) Change the treemap definition name.
    In the base system, the default name for the service impact treemap definition is Security Incident. The default name for the real-time treemap definition is Security Incident - Real time.
  3. Unless you are using a custom-built treemap, do not change the PA Indicator Group value.
  4. To deactivate the treemap definition, clear the Active check box. If, for example, you deactivate the Denial of Service category from the system impact dashboard, that treemap category is not available.
  5. In the Treemap Categories related list, select a category to modify or click New to create a new category.
  6. Fill in the fields.
    Table 1. Treemap Category form

    | Field | Description |
    | --- | --- |
    | Name | The name that is displayed for the category in the Categories list above the treemap. |
    | Order | The order that the category appears in the Categories list above the treemap. |
    | Treemap | The name of the treemap that uses this category. |
    | Color | The color displayed for this category in the treemap. |
    | Active | Select to activate this category. |
    | Description | A description of the category. |
    | Visible by all roles | Select to make this category visible to all users regardless of their role. |
    | Roles | If you did not select the Visible by all roles check box, select the roles able to view this category. |

  7. Click Submit or Update.

Create or update a treemap indicator

You can modify the predefined indicators for a treemap category or create new indicators. For each indicator, you can configure its data source and specify how lists of security incidents are opened from treemaps that are viewed with the indicator.

Before you begin

Role required: sn_si.admin

The treemaps use performance analytics as the data source. The Performance Analytics module requires a separate plugin.

Procedure

  1. Open the treemap definition that you want to configure indicators for.

    | Treemap definition | Action |
    | --- | --- |
    | Service impact treemap | Navigate to Security Incident > Administration > Service Impact Definition. |
    | Real-time treemap | Navigate to Security Incident > Administration > Real-time Definition. |

  2. In the Treemap Categories related list, select the category that you want to configure indicators for.
  3. In the Treemap Indicators related list, select an indicator to modify or click New to create a new indicator.
  4. Fill in the fields.
    Table 2. Treemap Indicator form

    | Field | Description |
    | --- | --- |
    | Name | The name that is displayed for the indicator in the Indicators list on the service impact dashboard. |
    | Short description | A description that is displayed for the indicator in the Indicators list above the treemap. |
    | Result limit | The maximum number of results allowed. The upper limit is 100. |
    | Result Precision | The number of digits to display after the decimal point. This field is displayed for the real-time treemap definition only. |
    | Active | Check box to activate this indicator. |
    | Category | The category name entered on the previous screen. |
    | Direction | Indicates whether the tile on the treemap is minimized or maximized. This field is displayed for the real-time treemap definition only. |
    | Unit | The unit of measure to be used for the metric. This field is displayed for the real-time definition only. |
    | Automatic Refresh Interval | How frequently to refresh the treemap. |
    | Order | The order the indicator appears in the Indicators list above the treemap. |

  5. Click the Data Source Configuration tab and configure one of the following data source options for the indicator.
    • Performance analytics: Select Performance Analytics from the Data source field, then make the following entries:
        • Indicator: The indicator used to group the PA data.
        • Default breakdown: The default breakdown used to break the selected PA indicator into multiple parts.
    • Custom script: Select Custom Script from the Data Source field. Then use the HTML editor to customize the script as needed. The result of running the script must be an array in order for the information to display in the treemap.
    • Query conditions: Select Query Condition from the Data Source field, and then make the following entries:
        • Query table: The base table to be queried.
        • Aggregate type: The type of aggregate (SUM, COUNT, AVG, MIN, MAX) to be used.
        • Aggregate field: The field to be used by the query.
        • Group by: The field to sort the queried data.
        Note: To enhance the query, click Add Filter Condition and Add "OR" Clause.
  6. Click the Click Through tab, and specify how lists of security incidents are opened from the treemap.
    1. In the Click through URL navigation type field, select whether you want the list of security incidents to open in a new window, in the same window, or in a dialog box.
    2. (Optional) In the Click through URL script field, modify the sample script if needed.
  7. Click Submit or Update.