Introduction
About CYBERQUEST
CYBERQUEST is a Big Data Security Analytics Platform designed to provide complete auditing and security coverage for your enterprise network. It is built as an agile, scalable platform that collects and correlates data from across the organization's IT infrastructure and uses it to address present and future threats to the business.
CYBERQUEST scales to organizations of any size and profile and integrates with security solutions on the market regardless of their classification. It acts as an aggregator of security data coming from security information and event management software, firewalls, intrusion prevention and detection platforms, email security and endpoint security solutions. In addition, CYBERQUEST collects, correlates and provides insights on heterogeneous data generated by network equipment, servers, databases and applications, which also makes it an operational management tool for administrative and security teams.
Core Capabilities:
- Collect: gather all security-relevant data sources from your IT infrastructure;
- Correlate: enrich events with threat intelligence data for offline or online correlation;
- Detect: quickly identify the most significant threats to your network;
- Visualize: monitor accurately from a single point of access and receive specific alerts;
- Respond: Security Orchestration, Automation and Response (SOAR) capabilities are embedded in the solution;
- Vulnerability assessment: through OpenVAS integration.
CYBERQUEST aggregates and monitors all activity taking place in your infrastructure and, through real-time alerts, delivers detailed information about vital changes and activities as they occur. You can instantly know who made a change, what was changed, where, when and why, and then turn that information into in-depth forensics enriched with data from the entire environment, make it available to auditors and security officers, and reduce the risks associated with day-to-day modifications.
Access Web Interface
Web Interface is a consolidated web frontend hosting all administration and operation functionalities of CYBERQUEST. The web interface is compatible with all major browsers on the market.
To access the Web Interface, open a web browser and enter the application's IP address or DNS name. The Web Interface is served over HTTPS, for example https://CyberquestIPAddress.
The browser automatically redirects you to CYBERQUEST's authentication page.
Authentication
User authentication
Authentication can be accomplished in one of two ways:
- Using a local user defined in the application;
- Using a company's Active Directory user. This facility allows authentication with Active Directory credentials when LDAP integration has been configured within application. The user must belong to one of two Active Directory security groups: "CYBERQUEST Administrators" or "CYBERQUEST Users".
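When an Active Directory login fails even though LDAP integration is configured, the first thing to verify is that the account really is a member of one of the two groups named above, including through nested groups. The following PowerShell check is an added example for this guide, not part of CYBERQUEST or its documentation; it assumes the RSAT ActiveDirectory module is installed on a domain-joined machine, and the user name passed in is a placeholder.

```powershell
# Added example (not part of the CYBERQUEST product or its documentation):
# check whether an AD account is eligible to authenticate to CYBERQUEST,
# i.e. whether it is a member of "CYBERQUEST Administrators" or
# "CYBERQUEST Users", directly or through nested group membership.
# Assumes the RSAT ActiveDirectory module; the user name below is a placeholder.
Import-Module ActiveDirectory

function Test-CyberquestAdAccess {
    param(
        [Parameter(Mandatory)]
        [string] $SamAccountName
    )

    # Group names exactly as given in the CYBERQUEST user guide.
    $groups = @('CYBERQUEST Administrators', 'CYBERQUEST Users')

    foreach ($group in $groups) {
        # -Recursive expands nested groups, which is how AD itself
        # evaluates group-based authorization.
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' } |
                   Select-Object -ExpandProperty SamAccountName

        if ($members -contains $SamAccountName) {
            return [pscustomobject]@{
                User    = $SamAccountName
                Group   = $group
                Allowed = $true
            }
        }
    }

    # Not in either group: CYBERQUEST will reject the AD login.
    return [pscustomobject]@{
        User    = $SamAccountName
        Group   = $null
        Allowed = $false
    }
}

# Placeholder account name; replace with the account that cannot log in.
Test-CyberquestAdAccess -SamAccountName 'jdoe'
```

Because membership in "CYBERQUEST Administrators" grants access to the entire platform configuration (see the warning on the administrative account below), keep that group small and review its membership periodically; put regular analysts in "CYBERQUEST Users".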
Type the default username and password, then select the interface language.
You will be prompted with a default message about accessing restricted information. This message is fully customizable.
Accept the responsibility by clicking the acceptance button; otherwise decline and you will be redirected to the authentication page.
The initial authentication is performed with the default administrative account. When authenticating as administrator, an additional confirmation box is displayed. This extra step exists because the administrative account has unrestricted access to the entire platform configuration, and the user must acknowledge that. Superadmin activity should be performed with maximum care and knowledge of the platform's administration: wrongly changing configuration, rules or retention policies can break access to analytics data, delete or damage objects and, more importantly, cause permanent loss of historical data. Change the default administrative password (User > Change password) immediately after the first login.
Web Interface Overview
Once authenticated, CYBERQUEST Web Interface will open. By default, Dashboards module is displayed. Depending on each user's access permissions, the interface may differ. Below we are describing user experience and interface functionalities when authenticating as an administrator.
The Web Interface can be split in several areas:
Module Area
From top-left section of the Web Interface you can select the application module to be displayed in main operation area:
- Dashboards is the default module that loads upon initial authentication to the application. It allows operators to quickly view information from the online repository and take action on the graphical objects it contains.
- Reports is the application's proprietary reporting module. It includes all predefined and custom reports for general use, as well as reports specific to the authenticated operator.
- Browser module is designed to display system log information in a structured and accessible format.
- Alerts module is responsible for managing alerts and their correlations. It enables users to initiate comprehensive investigation processes starting from a base alert, which is displayed in the Main Operation Area.
- UEBA (User and Entity Behavior Analytics) enables the analysis of user and entity activity within the enterprise. It helps identify abnormal or potentially malicious behavior by comparing current activity against established baselines, supporting threat detection, insider threat monitoring and risk assessment.
- Performance module displays real-time and historical statistics collected from monitored virtual machines: CPU usage history, memory usage history and storage usage history (specifically for the C: drive). This data helps operators monitor system health, identify performance issues and optimize resource utilization.
- The Compliance module complements the Alerts module by leveraging alerts that are generated and mapped in real time according to the MITRE ATT&CK framework and associated alert tags, which represent standards such as ISO/IEC 27001:2022, CIS Control V8, GDPR, NIS2, and NIST 800-53. Using these alerts, the module evaluates the system’s compliance with these key regulations. All relevant data is consolidated and displayed within the Compliance module, offering a clear, up-to-date overview of the compliance status.
- The MITRE ATT&CK module complements the Alerts module by utilizing alerts generated and mapped in real time according to the MITRE ATT&CK framework. Based on these alerts, the module provides a detailed analysis of the tactics and techniques used by potential attackers, facilitating a deeper understanding of threat behaviors. The mapped data is then used to support detection, investigation, and compliance assessment processes. In this way, the MITRE ATT&CK module helps quickly identify attack patterns and improves the efficiency of the security incident response.
- The Vulnerability module integrates with OpenVAS, a full-featured vulnerability scanner, to provide comprehensive vulnerability assessment capabilities. It enables the identification, evaluation, and reporting of security weaknesses across the network and systems. By leveraging OpenVAS’s extensive database of known vulnerabilities, this module helps organizations proactively detect and address security gaps, enhancing overall risk management and strengthening the security posture.
- CYBERQUEST includes an automation module that can be triggered to execute mitigation steps and other actions. These actions can be organized into a "playbook," which defines a specific sequence of tasks to effectively carry out mitigation. Playbooks can be easily created, modified, or removed through a graphical interface.
- In the Assets module, details are automatically populated as data is collected, ensuring up-to-date information. Additionally, users can manually define new assets or modify existing asset details directly within the system, providing flexible and accurate asset management.
- The Case Management module in CYBERQUEST is designed to help organizations create, manage, and track workflows for rapid incident response. Each case has an assigned owner who can involve collaborators to support decision-making and accelerate resolution. The module also allows attaching all relevant evidence related to the triggering event or alert, ensuring a comprehensive and organized investigation process.
- The Case Overview module provides a graphical summary of all cases within the organization. It provides an intuitive visual summary of case statuses, priorities, and essential metrics, enabling users to easily monitor progress, manage workloads, and spot potential issues in incident handling.
- The Anomaly module detects unusual patterns and behaviors within the system that may indicate security threats or operational issues. By continuously monitoring data and applying advanced analytics, it identifies deviations from normal activity to help organizations proactively uncover potential risks and respond swiftly. This module supports early threat detection and enhances overall situational awareness.
- The Alerts Overview module provides a comprehensive graphical summary of alerts, featuring key insights including Riskiest Alerts, Latest Alerts, Status Distribution, Security Score Statistics and Ranges, as well as Top Users, Computers, and Source IPs. This visual dashboard enables quick assessment of alert priorities and trends, supporting efficient monitoring and timely response.
By clicking the CYBERQUEST logo displayed in the top-left corner of the Web Interface, you are taken to the "home" screen that is displayed after logging in to the application.
Main Operation Area
The Main Operation Area is where users interact with the application to perform their activities. It is tailored to the specific module or mode being accessed, with available options determined by the user’s assigned permissions. Depending on the capabilities of each module, this area can also display personalized content for each user, including custom dashboards and reports.
Available content and options are detailed within each module chapter in Cyberquest 2.30 User's Guide.
Performance Area
The Performance Area in the top-right side of the Web Interface maintains three indicators updated in real time:
- CPU: displays the current CPU load of the CYBERQUEST Web Application Server. Hovering over the colored section of the graph reveals a tooltip with the exact current load value.
- Memory: displays the current memory usage of the CYBERQUEST Web Application Server. Hovering over the colored area of the graph reveals a tooltip with the exact current usage value.
- Disk: shows the current disk usage of the CYBERQUEST Web Application Server. Hovering over the colored section of the graph displays a tooltip with the exact current usage value.
User Enabler Area
The User Enabler Area, located in the top-right corner of the Web Interface, contains four action buttons:
Events
Press the Events button to open a quick pop-up displaying statistical information about processed data. The following details are provided:
- Total events – total number of events currently stored in the online repository
- Last hour events – total number of events collected in the last hour
- Last day events – total number of events collected in the last day
- Total alerts – total number of alerts currently managed by the Application Server
- Last hour alerts – total number of alerts raised in the last hour
- Last day alerts – total number of alerts raised in the last day
User
Press the User button to open the User drop-down menu, which contains the options described below:
- Add two factor authentication: enables two-factor authentication for the current account, adding a second verification step to the login.
- Change password: opens the Change Your Password window, allowing the currently logged-in user to update their password.
- Logout: logs the current user out of the application.
- Alerts Notifications: provides real-time updates on security alerts. Users can tailor the notifications they receive through configurable filters, so that only relevant and high-priority alerts are displayed according to their preferences or responsibilities.
Dark Mode
Enable dark mode by clicking the Dark Mode switch located in the top-right corner of the web interface.
Settings
Navigate to Settings by pressing the Settings button on the left side of the web interface; the page opens with the options described below:
1) Users and Groups
- Users and Groups > Users
- Users and Groups > Groups: these options allow an administrator to view, add, edit or delete users and groups. Additional actions are available for users: change password, activate or inactivate, copy dashgroups to users.
2) Application Settings
Each Application Settings option opens the Application Settings configuration page, allowing administrators to manage and fine-tune the core CYBERQUEST settings. For more details, see the Application Settings
The page presents configuration capabilities for:
3) Management
- The Management > Event Dictionary option opens the Event Definitions configuration page, where an administrator can view all event definitions, create new ones, import definitions from external files, or bulk-import objects and update the event dictionary. Available actions on existing entries include exporting, editing and deleting event definitions.
- The Management > Dashboards option opens the Dashboards configuration page, where an administrator can view all defined dashboards, import dashboard definitions from external files, and edit or delete existing dashboards.
- The Management > Filters option opens the Filters configuration page, where an administrator can view all defined filters, create new ones, and edit or delete existing filters.
- The Management > Objects option opens the Object Management configuration page, where an administrator can view the list of objects or add new ones. Existing objects can be edited and deleted.
- The Management > AgentManager option opens the Agent Manager configuration page, where an administrator can register new Windows agents. Available actions include editing, deploying and deleting agents.
- The Management > DataSourceManager option opens the Data Source Manager configuration page, where an administrator can add new data sources.
- The Management > Discovered Data Sources option opens the Discovered Data Sources page, where an administrator can view and manage data sources automatically detected by the system.
- The Management > CredentialManager option opens the Configured Credentials page, where an administrator can add new credentials and edit or delete existing ones.
- The Management > VulnerabilityManager option opens the Vulnerability Manager page, where an administrator can update and manage the list of identified vulnerabilities.
- The Management > Tag Alias option allows events to be parsed with a custom parser instead of the default one provided by the data server. Available actions include editing and deleting tag aliases.
- The Management > UEBA Manager option opens the UEBA Manager page, which defines the group membership of users, assets and events based on their characteristics. Group configurations can be edited and deleted.
- The Management > Data Storages option opens the Data Storages configuration page, where an administrator can create new data storage entries or manage existing ones. Available actions include activating or deactivating, editing and deleting data storages.
- The Management > Data Source Status option opens a report listing all data sources with their current status. Administrators can delete data sources, adjust alert timing, and customize the report to include or exclude specific details. The report supports column-based sorting, includes a search field, and can be exported in CSV format for further analysis.
- The Management > Networks section allows administrators to configure and organize network segments within the infrastructure. It supports classification by zone and tenant context, enabling more precise monitoring and security scoring. Available actions include checking whether an IP address is covered by a defined network, editing network details, and deleting network entries.
- The playbook automation module is also managed from here. It can be triggered to execute mitigation steps and other actions, organized into a "playbook" that defines a specific sequence of tasks. Playbooks can be created, modified or removed through a graphical interface.
- The Management > PlayBooks Analyst Actions feature manages analyst interactions during playbook execution. When an Analyst Input or Analyst Confirmation block is reached, the playbook pauses and prompts the analyst with a question. Analysts can view and respond to all pending questions in Settings > PlayBooks Analyst Actions so that the playbook can continue.
- The Management > Execution History page provides detailed logs of each playbook and action execution, which are essential for debugging and troubleshooting. When an execution fails, these logs help identify the root cause. Users can view logs directly or download them in .txt format for further analysis.
- The Management > Save Restore Database option allows administrators to export the current database for backup purposes and to import a database backup to restore system data. These functions help ensure data integrity and facilitate recovery in case of system issues.
- Service Level Agreements (SLAs) are defined per Case Type to specify confirmation and response time targets for incident and case resolution. They help ensure timely acknowledgment and resolution of cases according to organizational requirements. After creation, SLAs can be managed through the available actions.
- The Management > User Classifications option allows administrators to define and manage categories for users within the system. These classifications organize users by role, responsibility or other criteria, enabling tailored access control, reporting and analysis across the platform.
- The Internal Security Documents function serves as a repository for uploading, exporting and deleting internal security documents. These documents are used as evidence in the DORA Journey process.
- The Management > DORA Journey function allows selecting internal security documents that serve as evidence for fulfilling the requirements of specific chapters and articles of the DORA Regulation. It integrates with the Internal Security Documents repository to attach relevant materials; if a document is not yet in the repository, it can be uploaded directly from the local computer. This function tracks the progress of associated actions and verifies that all compliance requirements have been met.
- A Case Template is a reusable template for creating new cases, allowing investigations tailored to the organization's specific needs and processes. Case templates ensure consistency and efficiency throughout case management, standardize workflows, and help teams follow internal company documentation.
4) Alerts
- The Alerts > Summary option opens the list of custom summary alerts within the Alerts module, allowing administrators to view alert templates, create new alert templates, or add new registered summary alerts. Available actions on existing summary alerts include activate/inactivate, edit and delete.
- The Alerts > Notification Templates option opens the Alert Templates configuration page, allowing administrators to create new alert templates or manage existing ones. Available actions on listed templates include edit and delete.
- The Alerts > Realtime option opens the list of defined alerts within the Alerts module, allowing administrators to create new alert definitions or import alerts from external files. Administrators can also edit, export, clone or delete existing alert definitions.
- The Alerts > Anomaly Config interface allows administrators to define anomaly detection rules based on a report. This configuration enables the system to identify deviations from normal behavior patterns and trigger anomaly alerts accordingly. The module supports customization of detection parameters, allowing anomaly sensitivity to be tuned for different use cases.
5) Rules
- The Rules > Filter Rules option opens the Filter Rules configuration page, allowing an administrator to create a new filter rule, import a filter rule from an external file, or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.
- The Rules > DTS Objects option opens the DTS Objects configuration page, allowing an administrator to create a DTS object, import one from an external file, or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.
- The Rules > DA Rules option opens the DA Rules configuration page, allowing an administrator to create a data acquisition rule, import one from an external file, or perform actions on existing ones. Possible actions are activate/inactivate, export, edit and delete.
6) Jobs
- The Jobs > Jobs option opens the Jobs configuration page, allowing an administrator to create a new job or perform actions on existing ones. Possible actions are activate/inactivate, run, edit and delete.
- The Jobs > Jobs Executions option opens the list of job executions. Job executions can be deleted, and the execution status is displayed for each listed job.
7) Tools
- The Tools > Batch Fields Checker option opens the Batch Fields Checker window, allowing the upload of a text file to execute batch field validation. The results can be exported in CSV format.
- The Tools > Documentation option provides a direct link to the technical documentation.
- The Tools > About option provides access to system licensing and version information, as well as actions for updating and managing the CYBERQUEST license.
- The Tools > JSON Modal option opens a window for viewing and temporarily editing JSON-formatted data.



