Cogynt Workstation Setup Guide
The Cogynt Workstation setup guide covers the initial usage of Workstation, and is organized into these basic steps:
- Ingest data into Workstation.
- Review the unique and total ingested records.
- Verify data ingestion occurred.
About This Guide
This guide assumes you have met the prerequisites for using Workstation and have logged into your Cogynt Workstation URL with these minimum permissions:
- Ingest: WRITE
- Notification Settings: WRITE
This guide also assumes your role is one of the following:
- Individuals responsible for the configuration and global administration of Workstation
- Intelligence / Threat / Data Analysts
Ingesting Data Into Workstation
Analysts can only work with data once that data has been ingested. Each event listed includes all event decorations associated with the event, and the number of Unique and Total records to be ingested.
To ingest data:
- At the top of Cogynt Workstation's home page, click the Admin tab.
- On the left side of the admin page, locate the Ingestion Settings column. This column lists each event created in Cogynt Authoring sorted by Type or Ingestion status.
- Toggle the Status switch in the right-most column in Ingestion Settings to ingest that data.
After your data is ingested, you can create views and use widgets to analyze it.
Optionally, configure tags to help organize events, or customize Event Notifications to raise awareness of events within a specific risk_score.
Unique and Total Records
Each event type has a Total and Unique number of records that can be displayed when data is ingested.
Unique records should never exceed Total records.
- Total: represents the number of messages that exist within the Kafka topic that the event type is ingested from.
- Total includes all versions of a unique event including the initial creation, as well as any records with a $crud value of update and delete.
- Unique: represents only unique events by ID that exist for the event type, rather than all the historical updates that may occur over time.
- Unique records represent the number of events that a user might expect to see for a particular event type in Workstation on widgets like the Events Stream widget.
Here is an example to help clarify Unique and Total records:
Assume that we ingest 100 records related to the employees of a company, each record containing a value representing the number of months that the employee has been with the company.
Each month, a new record is created for each employee who remains on payroll and 'number of months employed' increments by one. As the number of months and employees increase, the Total number of records increases, but the 100 employee records remain Unique.
Filtering Ingested Data
Use Ingestion Settings to sort events. Filter by Ingestion Status, Event Type, Project the Event belongs to, or search for a keyword within the Event's title.
Once data is ingested, you are ready to create a view and manage your data collections. To unlock Workstation's full potential, we recommend you customize event decorations.
Verifying Data Ingestion
Once data is ingested, it begins to populate the event stream. If certain events are not visible, verify those events have been ingested into Workstation and are not experiencing any issues.
To confirm Cogynt Workstation is ingesting data and ready for analyst work:
- From any Workstation screen, click the Admin tab.
- In the Ingestion Settings column, locate the Event Type to ingest.
- In the Status column, note the color associated with your event type.
- Generally, it should be possible to view events that are in Running or Suspended states.
An event can have any of the following Ingestion Statuses:
Status | Color | Description |
---|---|---|
Inactive | Gray | This event type has not been ingested. |
Running | Green | This event type is actively being ingested into Workstation from Kafka. |
Suspending | Yellow w/ hashmarks | The live ingestion of this event type is in the process of being suspended. Any events already ingested will remain in the system unless deleted. |
Suspended | Yellow | The live ingestion of this event type has been suspended. Any events already ingested will remain in the system unless deleted. |
Topic Does Not Exist | Red | The Kafka topic that this event type is consumed from can no longer be found (the Kafka topic was possibly deleted). |