CyTech AQUILA - Cyber Incident Management (CIM) Module

Overview:

Cyber Incident Management (CIM) is the end-to-end process of preparing for, detecting, analyzing, responding to, and recovering from cybersecurity incidents (such as malware infections, data breaches, insider threats, or DDoS attacks).

The goal is to minimize damage, reduce recovery time, and prevent future incidents.

Key Features:

• Dashboard - Real-time view of alerts, cases, and overall security status.
• Alerts - Notifications when suspicious activity is detected.
• Cases - Track and manage incidents from start to finish.
• Data Explorer - Investigate logs and find root causes.
• Reports - Summaries for management, compliance, and lessons learned.
• Alert Rules - Define what should trigger an alert (custom detection logic).
• Settings - Configure integrations, access, and workflows.

Pre-requisites:

1. Access to CyTech - AQUILA

   • Only users assigned the "Owner" or "Admin" role can access the Log Collector installation resources within the platform.

To navigate to CIM Module please follow the instructions below:

Step 1: Log in to CyTech - AQUILA. click here --> AQUILACYBER.ai
Step 2: In the left column click Cyber Monitoring -> Cyber Incident Management (CIM) -> Dashboard

Cyber Incident Management (CIM) Dashboard

The Main Dashboard serves as the central hub for viewing all critical and relevant data associated with this module. It provides a consolidated interface where key metrics, updates, and operational insights are displayed for quick reference and effective monitoring.

________________________________________________________________________________________________________________________________________________

Case Categories

This panel displays and categorizes all cases within your environment that are currently open or in progress. It presents a structured view based on case categories, offering a clear summary of ongoing activity. This allows for efficient tracking, prioritization, and management of active investigations.

Upon selecting a category, a new window will automatically open, displaying all cases associated with the selected category.

1. Search Bar: The search bar enables users to locate a specific case by entering the exact case title. Simply type the desired title into the search field to quickly retrieve relevant results.
2. Filter By & Clear Filter: This feature enables users to refine the list of cases by applying filters based on Severity and Case Status. Use the Filter By option to display only the cases that match specific criteria. To remove all applied filters and return to the full list of cases, use the Clear Filter option.
   

   

3. Case Details: To access the investigation section of a case, double-click on the case entry. This action will automatically redirect you to the detailed investigation interface for further analysis and review.

________________________________________________________________________________________________________________________________________________

Overall Risk

Displays system risk severity levels on a scale from Low to Severe (0 - 100), explaining the rationale behind risk classifications and showing the highest severity level present in the system. Clicking on the gauge allows you to view more details about.

________________________________________________________________________________________________________________________________________________

Open Cases

Displays the total number of open cyber incident cases, categorized by severity, that are currently being investigated.

When you click on a category, you will see all the cases that fall under that severity level. For example, as shown in the image above, selecting the “Guarded Severity” category will display all cases labeled as guarded severity.

________________________________________________________________________________________________________________________________________________

Cases Assigned to Me

Shows the number of cyber incident cases specifically assigned to you for investigation and resolution. Clicking on it will open up a small window that will show all the cases assigned under you.

________________________________________________________________________________________________________________________________________________

Logs Per Day

Displays daily system logs with a progress bar that tracks storage capacity usage, providing clear insights into daily logging volume and resource consumption.

When you click on it, a small window will appear displaying a graph.

________________________________________________________________________________________________________________________________________________

Alerts

Display the trends of the detections generated by the system, highlighting potential security incidents that require immediate attention. Clicking on it will open up a small window that will show all the alerts that was recently triggered.

________________________________________________________________________________________________________________________________________________

Log Rate

A real-time visualization to display system log generation frequency per second through a dynamic chart, enabling instant monitoring of system activity and resource utilization. Clicking on it will open up a small window that will show the detailed explanation.

________________________________________________________________________________________________________________________________________________

Log Collector Status

Indicates the current status of the log collector, ensuring that logs are being collected and monitored for any suspicious activity.

When you click on it, a small window will appear showing all installed log collectors along with their current status.

Click the eye icon next to the log collector name to go to the Log Collector List page.

________________________________________________________________________________________________________________________________________________

Cyber Incident Management (CIM) Alerts

Alerts Dashboard is a tool that provides real-time security alerts and notifications. It provides a unified view of different types of alerts, categorizing them by severity and type, and displays critical details such as the source of the alert, affected assets, and relevant information. This dashboard enables security teams to quickly assess, prioritize, and respond to potential threats by offering comprehensive insights and plays a crucial role in enhancing situational awareness and streamlining the incident response process.

Alerts Status Types

Open Alerts: Alerts awaiting assignment to an analyst for further investigation.

Acknowledged Alerts: Alerts currently in progress and assigned to an analyst for resolution.

Closed Alerts: Alerts that have been successfully resolved and closed.

Log Collector Health

Indicates the current status of the log collector, ensuring that logs are being collected and monitored for any suspicious activity.

When you click on it, a small window will appear showing all installed log collectors along with their current status.

Log Source

These are the various systems, applications, or devices that generate data sent into AQUILA for indexing, storage, and analysis. These sources provide visibility across infrastructure, applications, and security operations.

When selected, a dialog window is displayed showing all installed log collectors. You can switch between collectors to view the integrated log sources associated with each one, along with their respective versions and current status, including whether log ingestion is functioning properly.

 

 

Overview

It provides an overview of alert counts categorized by status type, including the total number of alerts and their distribution across severity levels.

Stack By Rule Name

This view displays a summary of alerts grouped by their corresponding detection rules. At the top of the panel, the total number of alerts is presented. Below this, each rule is listed alongside the count of alerts it has generated. Users can scroll through the list to view additional rules when the number of entries exceeds the visible space. This view enables quick identification of which detection rules are generating the highest volume of alerts, supporting prioritization and investigation activities.