Executive Overview report guidance
Introduction
What it is: The Executive Overview report is catered to CISOs and security executives who need to bring high-level metrics to their board or executive-level meetings. In this report, executives can see how Vectra’s AI technology reduces alert noise to generate a unified and relevant signal, the time saved through Vectra’s noise reduction, overall trends on the most prevalent attacker behaviors, and more.
The visualizations in this report depict:
• Noise to signal funnel
• Trends on attacker behaviors
• Biggest potential threats
RUX vs QUX
While the Executive Overview report is available for both RUX and QUX deployments, there are some differences in reporting terminology between the two deployment types. This is primarily due to the different scoring models used in RUX vs. QUX. For example, RUX deployments use AI-driven Prioritization (see the AI-driven Prioritization FAQ), where a host or account entity has a single urgency score, whereas QUX deployments consider a host or account entity critical when it scores 50 or higher for both threat and certainty. As we explain the metrics included in the report below, we'll point out any differences between RUX and QUX. Most customers will typically have either RUX or QUX, not both deployment types active at any one time.
Reporting Timeframe and Attack Surface Selector
Reporting Timeframe
There are two ways to pick a reporting timeframe:
Quick Presets - Allows you to select from 24 hours to 6 months in common increments.
Custom Timeframe - Allows you to choose a specific timeframe. After choosing the days, the time can also be edited if desired.


The difference between "Last 30 days" and "Prior month" is that for the former, the report's end date is fixed to the current date and its start date to 30 days before the current date.
For the "Prior month" option, the report's start date is the first day of the prior month, while the report's end date is the last day of the prior month.
For example: If it is currently Jun 15, the report would include data for all of May.
Last 30 days is 30 calendar days back from the current day.
For example: If it is the 15th, the report goes back 30 days from there (counting the 15th as one of the 30 days).
For "Last 30 days", the report includes the current time and detections ingested up until that time.
As for the time of day, the report runs from midnight on the start date (00:00) to 23:59:59 on the end date.
Attack Surface

This dropdown will allow you to choose which Attack Surface you would like the report to include data for or to see data for all attack surfaces.
This will only show products that you have configured as a data source for your deployment.
Noise to Signal Funnel
Data points displayed here will respect the chosen reporting timeframe and attack surface selections made at the top of the reporting page.
RUX example shown below:

Detections
The creation date of a detection is used to determine if it should be included in the count shown.
The creation date is an internal data point but this should track closely to the "First Seen" for the detection behavior.
"Info" detections are not included in the count.
Info detections report on new and novel events without directly impacting scoring.
New and novel events occur normally in most environments and in most cases are not directly linked to threats.
Awareness of new and novel events supports better situational awareness and provides additional context when they are observed alongside other alerts.
Potential Attack Progressions (RUX) / Hosts & Accounts with Detections (QUX)
For both RUX and QUX reports, this represents the total number of hosts or accounts that had any detection created during the reporting timeframe.
Vectra tracks and prioritizes hosts and accounts automatically based on observed detections. This saves analyst time that otherwise might have to be spent analyzing each individual detection.
Prioritized Alerts (RUX) / Critical and High Hosts & Accounts (QUX)
For both RUX and QUX reports, this represents the total number of unique hosts or accounts that became prioritized during the reporting timeframe.
If a host or account entity was already prioritized prior to the reporting timeframe, it would not be counted here.
If a host or account entity was prioritized multiple times during the selected reporting timeframe (i.e. was prioritized, became deprioritized, and then was prioritized again), that host or account entity would be counted only once.
The count is reduced from the middle part of the funnel by AI-Triage, manually created triage rules, and the prioritization threshold (RUX) or threat score (QUX).
For RUX deployments
The customer configurable prioritization threshold will be used to determine if a host or account entity was prioritized.
To change the prioritization threshold, navigate to Settings > Prioritization Threshold in your Vectra UI.
For QUX deployments
If the threat score for a host or account entity became 50 or higher during the reporting timeframe it will be counted.
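As an added illustration (not Vectra's code or data model), the following Python sketch applies the funnel counting rules above to constructed sample data: non-Info detections are counted by creation date inside the reporting window, entities are counted once, and only entities that become prioritized inside the window are counted at the bottom, under either the RUX urgency threshold or the QUX threat/certainty rule. The entity names, scores and dates are invented for the example, and it assumes an entity starts out not prioritized before its first recorded score.

```python
from collections import namedtuple
from datetime import datetime
Detection = namedtuple("Detection", "entity created category")  # category "Info" is excluded
ScoreEvent = namedtuple("ScoreEvent", "entity at score")  # score: urgency int (RUX) or (threat, certainty) (QUX)

def in_window(t, start, end):
    # The report spans 00:00 on the start date through 23:59:59 on the end date.
    return start.replace(hour=0, minute=0, second=0) <= t <= end.replace(hour=23, minute=59, second=59)

def is_prioritized(score, mode, rux_threshold):
    if mode == "RUX":  # one urgency score compared to the configurable threshold
        return score >= rux_threshold
    threat, certainty = score  # QUX: critical when both are 50 or higher
    return threat >= 50 and certainty >= 50

def funnel(detections, events, start, end, mode, rux_threshold=50):
    # Top: non-Info detections whose creation date falls inside the window.
    dets = [d for d in detections
            if d.category != "Info" and in_window(d.created, start, end)]
    entities = {d.entity for d in dets}  # middle: entities with any such detection
    newly = set()  # bottom: entities that *became* prioritized inside the window
    for ent in {e.entity for e in events}:
        state = False  # assumed: an entity starts out not prioritized
        for e in sorted((x for x in events if x.entity == ent), key=lambda x: x.at):
            now = is_prioritized(e.score, mode, rux_threshold)
            # Only transitions into "prioritized" inside the window count; the set dedups repeats.
            if now and not state and in_window(e.at, start, end):
                newly.add(ent)
            state = now
    return len(dets), len(entities), len(newly)

# Constructed sample data (not from any real deployment) for a May 2024 report.
START, END = datetime(2024, 5, 1), datetime(2024, 5, 31)
SAMPLE_DETECTIONS = [
    Detection("host-A", datetime(2024, 5, 3, 10), "Command & Control"),
    Detection("host-A", datetime(2024, 5, 10, 9), "Info"),  # excluded from the count
    Detection("acct-B", datetime(2024, 5, 20, 14), "Lateral Movement"),
    Detection("host-C", datetime(2024, 4, 28, 8), "Exfiltration"),  # before the window
    Detection("host-C", datetime(2024, 5, 31, 23, 30), "Exfiltration"),
]
RUX_EVENTS = [  # urgency scores
    ScoreEvent("host-A", datetime(2024, 4, 20), 80),  # prioritized before the window
    ScoreEvent("host-A", datetime(2024, 5, 5), 80),
    ScoreEvent("acct-B", datetime(2024, 5, 20), 60),  # prioritized
    ScoreEvent("acct-B", datetime(2024, 5, 22), 20),  # deprioritized
    ScoreEvent("acct-B", datetime(2024, 5, 25), 70),  # prioritized again: counted once
]
QUX_EVENTS = [  # (threat, certainty) scores
    ScoreEvent("host-A", datetime(2024, 5, 5), (60, 40)),  # certainty below 50
    ScoreEvent("acct-B", datetime(2024, 5, 20), (70, 55)),  # critical
]
```

With the default RUX threshold of 50 the sample yields a funnel of 3 detections, 3 entities and 1 newly prioritized entity; raising the threshold to 75 drops the bottom of the funnel to 0 because host-A was already prioritized before the window.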
Noise to Signal Trends
RUX example shown below:

For this graph to show trend lines, there must be 2 months of data in the systems.
Until then, you can mouse over the month line in the middle to show the data points.
QUX example shown below:

Clicking on items in the legend will enable/disable them from showing in the report.
Top Hosts and Accounts
RUX example shown below:

Included here will be the top 10 hosts or accounts that had the highest urgency score during the reporting time period.
This distinguishes hosts or accounts that had detections closed as remediated or benign from hosts or accounts whose detections were not closed using the New Close Workflow.
If you aren't using the New Close Workflow or there aren't 10 hosts or accounts that had their detections closed as remediated or benign, then the chart will include other prioritized alerts.
These are sorted by the urgency score (RUX) or the threat score (QUX) and by the date on which the score peaked.

If an entry is expanded with the arrow on the left, you can see the detections that were closed as Remediated or Benign.
If the New Close Workflow is not enabled, you will see a message about enabling it in the same area when looking at an expanded host or account entity.
Clicking on the link will navigate you to the Settings page where the New Close Workflow can be enabled if desired.

Detection Resolution Trends
RUX example shown below:

For this graph to show trend lines, there must be 2 months of data in the systems.
Until then, you can mouse over the month line in the middle to show the data points.
Clicking on legend items will disable/enable them in the graph.
All Prioritized Detections includes detections that were closed as remediated or benign, as well as detections that were not resolved within the reporting timeframe.
This does not mean that the detection had to be assigned to any analyst.
Essentially, it is the total of all detections that exceeded the prioritization threshold (RUX) or had a threat score greater than 50 (QUX).
This number will not be the sum of Closed as Benign and Closed as Remediated unless all detections were closed as one of those outcomes.
Other Trend Graphs
RUX examples shown below:

Just like other trend graphs, there must be 2 months of data in the system for the trend lines to show.
Until then, you can mouse over the current month to see the data for that month.
Key Assets (QUX Only)

This report is similar to the Top Hosts and Accounts report described above, but it only includes hosts that are marked as Key Assets in the system.