Sentinel Trails Dashboard¶
The dashboard is the main place for day-to-day usage of the product. It has several components:
Statistics - general statistics about your organization as well as charts of certain attributes
Main timeline chart - The main timeline of log entries
Reports - Reporting functionality in various formats
Custom charts - Additional custom, user-defined charts
Exports - Exporting functionality in various formats
Query bar - A way to query the logs with detailed search queries
Entries list - A list of all entries that satisfy the current search criteria and period
Time aggregations - Aggregated statistics over smaller time periods
Numeric aggregations - Perform aggregation functions on numeric parameters
Relationship graph - Visual representation of the relationship between the entries in the current result
The total number of log entries, distinct actors, actions and entities as well as the alerts recently triggered. Note that statistics is cached, so it’s not real-time.
The statistics row also contains information about background log verification - when was the last time log verification was performed and what’s he status. The green icon indicates that the log is intact. In rare cases of someone trying to manipulate the log, the icon turns red.
A little further down are the statistics charts which display the top actors, actions, entities and applications by number of log entries. The charts can be expanded to show the actual values. There’s also a link to the rankings pages to display the top actors/actions/entries for a selected period.
Both the statistics row and the charts are updated when the period of the main timeline is changed from the timepicker on the right.
Main timeline chart¶
The main timeline charts show the log activity over a selected period of time. The default period is three days.
The period can be changed in two ways: via the timepicker on the right or via slicing the chart with the mouse. Changing the period not only changes the visualized timeline but also the search period in the entries list below. That way you can visually inspect a certain period of time for the current search query. The currently sliced period can be reset via a button that appears ontop of the chart.
Additionally, you an click on a each point on the chart (points are placed at hourly intervals) which will select a 1-hour period starting from that point and apply it to the current search.
Custom charts that are defined in the “Charts” menu appears below the default statistics charts. Charts can be defined as aggregations on a specific field with or without an additional query. For example a chart can display the top actors that have performed one of particular set of actions.
Custom charts can be bar, pie, line, doughnut and can have custom or random colors defined. Custom charts are useful for displaying business-specific statistics.
Above the main timeline chart are reporting buttons. A high-level report for the currently selected period can be exported in either PDF or XLSX formats. Reports contain an overview of the log activity over the selected period of time.
Additionally, reports are generated periodically and sent via email. The reporting periods are defined from the “organization” page and can be “daily”, “weekly”, “monthly” and “yearly”.
The currently displayed log entries can be exported to various formats - CSV, XLSX, TXT. The export is done from the buttons right above the entries list.
The query bar is the way to define detailed queries to search through the logs. The queries are in the format
field:value, where field is either one of the predefined fields or
additionalParams specified in the log requests. The
details field allows full-text search using
details:*value*. Multiple query parts can be used with
There are buttons to help with query generation - each button appends additional part of the query. The additional params can be found in the “params” dropdown.
Queries are run over a search period. The period is defined from the timepicker on the right. This timepicker is usually in sync with the one for the main timeline chart, but does not have to be, i.e. you can display entries over 3 days and search only within the past 10 hours.
Queries can be performed over all applications (i.e. sources of logs) or to one or more of them. You can select them via a dropdown which appends the
applicationId parameter to the query.
Common queries can be saved from the dropdown next to the search button and then executed without the need to retype them.
Finally, if log details have been encrypted before sending them, you can perform search in the encryped data by specifying the symmetric (AES, base64-encoded) key in the encryption key field on the right. The key is never transmitted to the server so the decryption are performed entirely client-side on the results that are fetched based on the the encrypted keywords.
The entries list contains all entries that satisfy the current search query. If there is no search query, the latest processed entries are displayed. Note that there might be a slight delay between sending the logs and seeing them in the list, as forming the cryptographic blocks does not happen immediately. This does not mean that the logs are not securely stored in the meantime.
The list has the following columns:
Actor - the column contains the actor for the current entry. If there is an
actorDisplayNamespecified, it is shown instead of the actorId, which is assumed to not be human-readable. If there is no
actorIdis displayed. Additionally, if any roles have been specifed for the actor, they are displayed in parentheses
Action - the action that has been performed. In case the actor is a non-person (e.g. a system actor), the action is the event that occurred.
Entity - the entity about which the log is. The semantics depends on the type of logs, but usually an entity has an ID as well. Both are displayed in this column as “<entityType> #<entityId>”. In case a database is monitored, for example, this would be “<table>#<primary key>”.
Details - this is the body of the log and can contain anything. It is trimmed in the table so clicking each cell is required to show the entire content. You can define a formatting function for standard formats (JSON and XML) that would allow displaying the values as a table rather than as a raw message
Level - the log level, if one has been specified. Log levels can be: TRACE, DEBUG, INFO, WARN, ERROR, CRITICAL, FATAL.
Timestamp - when did the even occur. The time is shown in the current user timezone. The clock icon opens a dialog that displays details about the cryptographic timestamp over a block of events. The base64-encoded token is in a RFC3161-specified format.
Params - any
additionalParamsthat were specified as part of the requests
Hash - opens a dialog where a number of details are shown: the individual hash of the entry, the hash as part of the hash chain, the entry id as well as the previous entry id (previous in the hash chain). These values can be used for log verification, e.g. for obtaining merkle proofs.
From the list you can generate simple queries by clicking on one of the fields (actorId, action, entity).
Time aggregations show charts spit by hour, day, week, month or year, as well as the number of entries for the last periods of the selected type. Charts can be show for all applications or for a paricular application.
Certain parameters (
additionalParams) can be numeric. If there are such parameters, users can perform aggregations on them. The supported aggregations are: average, sum, min and max.
The relationship graph is a visualization aid for the current search results. The graph displays the relationships between actors, actions and entities. It can be useful for analyzing actor behavior.