Cogynt Workstation Setup Guide
The Cogynt Workstation setup guide covers the initial usage of Workstation, and is organized into these basic steps:
About This Guide
This guide assumes you have met the prerequisites for using Workstation, and logged into your Cogynt Workstation URL with these minimum permissions:
- Workstation: Ingest: Edit.
- Workstation: Notification Settings: Edit.
This guide also assumes your role is one of the following:
- Individuals responsible for the configuration and global administration of Workstation
- Intelligence / Threat / Data Analysts
Ingesting Data Into Workstation
Analysts can only work with data once that data has been ingested. Unless an event history is present for the deployment, users will only see a column and option to ingest event data.
Each event listed includes all event decorations associated with the event, and the number of Records to be ingested.
To ingest data:
- At the top right of Cogynt Workstation's home page, click the Settings cog.
- From the left side drawer, click Data Ingestion. This is the default selection when clicking the Settings cog from the Workstation homepage.
- Locate the data stream of records to be ingested. Use the search or filter functions on the upper left side if necessary.
- To the right side of the data stream, click the More menu (⋮). The next steps change depending on the actions taken.
- For event data:
- Click Run to begin ingesting data. The Status of the data stream in the Ingestion Status column will change to Running.
- Click Stop to stop ingesting data. The Status of the data stream in the Ingestion Status column will change to Stopped.
- For event history data:
- Click Enable Event History to start recording event history. The status of the data stream in the Event History column will change to Running.
- Click Disable Event History to stop recording event history. The status of the data stream in the Event History column will change to Disabled.
- For event data:
After your data is ingested, you can create workspaces and use widgets to analyze it.
Optionally, you may configure tags to help organize events, or customize event notifications to raise awareness of events within a specific risk_score.
Filtering Ingested Data
Use the Data Ingestion table to filter by Ingestion Status, Project the event belongs to, the Event Types, or search for a keyword within the event's title.
Once data is ingested, you are ready to create a workspace and manage your data collections. To unlock Workstation's full potential, we recommend you customize event decorations.
Verifying Data Ingestion
Once data is ingested, it begins to populate the event stream. If certain events are not visible, verify those events have been ingested into Workstation and are not experiencing any issues.
To confirm Cogynt Workstation is ingesting data and ready for analyst work:
- At the top right of Cogynt Workstation's home page, click the Settings cog.
- From the left side drawer, click Data Ingestion. This is the default selection when clicking the Settings cog from the Workstation homepage.
- In the Data Ingestion table, locate the Event Type to check its status.
- In the Ingestion Status column, note the color associated with your event type.
- Events that are in Running state are viewable.
An event can have any of the following Ingestion Statuses:
| Status | Color | Description |
|---|---|---|
| Stopped | Gray | This event type is not actively ingesting into Workstation from Kafka. Previously ingested events are no longer receiving updates, and no new events are being ingested. |
| Running | Green | This event type is actively being ingested into Workstation from Kafka |
| Topic Does Not Exist | Red | The Kafka topic that this event type is consumed from can no longer be found (the Kafka topic was possibly deleted). |
Unsupported Authoring Data Types
The following data types are either unsupported, or only partially supported:
| Data type | Support in Workstation | Notes |
|---|---|---|
| Date Time with Timezone | Partial | These formats are ingested, displayed, and filterable as strings: Epoch Seconds, Epoch Milliseconds, Database Native |
| Date Time without Timezone | Partial | These formats are ingested, displayed, and filterable as strings: Cogynt Datetime, Cogynt Date, Database Native |
| Date Time Custom | Partial | Custom formats are ingested, displayed, and filterable as strings. |
| JSON Object | Not Supported | Data fields in this format are ignored on ingest. |
| JSON Array | Not Supported | Data fields in this format are ignored on ingest. |
These data types also include their array equivalents.