
Welcome to the CRITs UI

dmbuchta edited this page Dec 1, 2014 · 8 revisions

So you've gone through the installation, created your account, started your web server, and made your way to the CRITs interface. Congrats! From here you might be amazingly confused as to what's going on. Hopefully this guide can help you make sense of what you are seeing, what it means, and how to navigate the system.

Before we get started, you might be wondering "What is CRITs?" The simplest answer is that CRITs is a system designed to house vast quantities of threat data. To expand on that, it is a system that allows you to import and generate rich metadata related to threats and threat defense. From there you can discover important data necessary for defending your network, feed that data through Services to enhance the richness of that data, discover correlations between existing data you never realized before, or export that data for sharing with other people/organizations.

The Login Screen

You are most likely staring at a screen that looks like this:

Login Page

If you aren't seeing it and instead appear to be logged in already, your admin has most likely enabled Remote User Authentication, which passes your credentials along so that CRITs can authenticate you with them.

  • Enter your username in the Username field.
  • Enter your password in the Password field.

CRITs supports basic authentication as well as LDAP authentication. Contact your admin to determine how they've configured the system and what you should be logging in with. CRITs comes with the capability to use TOTP authentication. When logging in for the first time, you'll most likely not have this enabled or you haven't set it up yet. Follow the instructions on the login page for your situation.

The Dashboard

You've logged in! The screen you are now looking at is called The Dashboard. It is a general overview of some of the more popular sections of CRITs. Don't worry too much about the specifics of what each section is, we'll get to that a bit later. One term you should be familiar with going forward is top-level object. What this refers to are things like Campaigns, Certificates, Domains, Emails, Events, Indicators, IPs, PCAPs, RawData, Samples, and Targets. They are the major sets of data that CRITs works with.

Dashboard

  • The Counts section is a general overview of the quantity of some of the data in the system. This data is driven by mapreduce jobs that run at times designated by the system admin. For more information on this check out the README.
  • The Top Backdoors section is also driven off of mapreduce. It shows the most popular backdoors assigned to Samples in your database.
  • The Top Campaigns section shows some of the more popular campaigns you've added to CRITs as well as how many of the top-level objects have been attributed to those campaigns.
  • The Recent sections show some of the new top-level objects added to CRITs that may be of interest to you.

For more on dashboards go here.

From an interface perspective, you'll notice a bar at the top and bottom of the page. Let's go over the top bar first.

The top bar gives you access to many of the common things you'll need on almost every page.

Top Bar

  • The "gear" icon, when clicked, brings out the Navigation Menu. This can also be brought up by pressing the n or m key while not typing in a textbox.

  • Your username is a link to your Profile Page.

  • In parentheses next to your name is the role you've been assigned in CRITs.

  • The "exclamation" icon is your Notifications indicator. It will show up on the top bar if you have notifications about top-level objects you are subscribed to. You can click on it to go to your Profile page and review your notifications.

  • If you see a "checkmark" or an "X" icon, you are viewing a Details page. This icon allows you to subscribe and unsubscribe to the top-level object you are viewing. More info on this can be found below.

  • The "clipboard" icon is your CRITs clipboard. This is a place where you can store a top-level object's Type and ID for use in form input (we'll go over this later).

  • The "star" icon is your CRITs Favorites. When viewing table listings or Detail pages for top-level objects you have the ability to "Favorite" them. This gives you quick access to some top-level objects that you want to remind yourself to check out later or want to get back to in the near future. This is meant to be a short-term list. Longer-term tracking of top-level objects can be done through "Subscriptions" (we'll go over this later).

  • The "Global Quick Search" is a place where you can enter simple or complex search terms and search operators to find content in CRITs. Clicking in the textbox opens a dropdown that explains in more detail how to use the quick search feature.

  • The "life preserver ring" icon shows an overlay with a quick summary of the different parts of the interface you are seeing. It isn't meant to be comprehensive, just a quick tip about what some of the icons mean and do.

  • The "magnifying glass" brings up the "Advanced Search" feature. This is a group of different search features which allow you to customize and narrow down your search vectors to find specific pieces of data in the system. This can also be brought up by pressing the a key while you are not typing in a textbox.

If you press the ? key (shift + ?) it will bring up a Shortcuts help box showing you the different key bindings the interface allows you to use and what they are for.

The bottom bar is more informational. It shows you:

Bottom Bar

  • What version of CRITs you are running.
  • The name of the instance you are connected to (as well as the backend database it is using).
  • Your last login date.
  • Estimated time it took to render the page you are on.
  • Classification level of the content within this CRITs instance.
  • Copyright information.

The Navigation Menu has many options. Any time you see a blue + it is a quick-link to allow you to add a new top-level object of that type to the system. Clicking on it will bring up a modal form for you to fill out and add that new data. Any time you see a > it means there are sub-menu items that can be displayed by clicking on the > icon.

  • The "Search Menu Options" at the top allows you to type in a value and it will return to you any Navigation item that may match or contain a sub-menu item that matches what you entered.
  • Dashboards is a link to your default Dashboard page.
    • My Dashboards is a listing of all dashboards you have access to.
    • Configurations brings you to your dashboard configurations page (more info).
  • My CRITs is a link to your Profile page.
  • Bucket Lists is a link to the Bucket Listing page (more info on this later).
  • Campaigns brings you to the Campaign listing page.
  • Certificates brings you to the Certificates listing page.
  • Domains brings you to the Domains listing page.
    • Bulk Upload Domains brings you to an interface to upload multiple Domains at one time.
  • Emails brings you to the Emails listing page.
    • New Email (Outlook) allows you to upload a new email to CRITs that is in the .msg format.
    • New Email (YAML) allows you to upload a new email that is in YAML format.
    • New Email (EML) allows you to upload a new email that is in the .eml format.
    • New Email (Raw) allows you to upload the raw contents of an email to be parsed for you.
  • Events brings you to the Events listing page.
  • Indicators brings you to the Indicators listing page.
    • New Indicator Blob allows you to upload multiple Indicators in CSV format as text.
    • New Indicator CSV allows you to upload multiple Indicators using a CSV file.
  • IPs brings you to the IPs listing page.
    • Bulk Upload IPs brings you to an interface to upload multiple IPs at one time.
  • PCAPs brings you to the PCAPs listing page.
  • Raw Data brings you to the Raw Data listing page.
    • New Raw Data File allows you to upload Raw Data that is in a file on your computer already.
  • Samples brings you to the Samples listing page.
    • Samples brings you to the listing page for Samples from your assigned organization.
    • Source Samples brings you to a listing page of Sources and how many Samples they have provided.
    • Yara Hits brings you to a listing page of Yara Rule names and how many Samples match each rule.
    • Backdoors brings you to a listing page of Backdoors and how many Samples have been assigned that backdoor.
    • Exploits brings you to a listing page of Exploits and how many Samples have been assigned that exploit.
    • Bulk Upload MD5 Samples brings you to an interface to upload multiple Samples by MD5 and filename only (no binary needed).
  • Services is a container for sub-menu items that have been added by Services you've decided to enhance your CRITs install with.
  • STIX Import allows you to upload a STIX document and parse it for top-level objects.
  • Targets brings you to a Target listing page.
  • Timelines is a container for seeing a timeline of Domains, Emails, or Indicators.
  • Recent Activity is a live feed of Comments being added to CRITs by other users.
  • Add New Item is a container for adding new menu items to CRITs.
    • Backdoor adds a new Backdoor to CRITs.
    • Exploit adds a new Exploit to CRITs.
    • Indicator Action adds a new Indicator Action to CRITs.
    • Raw Data Type adds a new Raw Data Type to CRITs.
    • Source adds a new Source to CRITs.
      • NOTE: Once a source has been added, an admin still needs to assign users access to that source before they will see any data that came from them.
    • TLDs uploads a new effective TLD list to CRITs to update the database.
    • User Role adds a new Role to CRITs.
      • NOTE: This feature currently is under heavy development and doesn't do anything.
  • CRITs Control Panel is how to configure your CRITs instance (only visible to admins).
  • About CRITs is a place to see a quick blurb about what CRITs is and the license it is provided under.
  • Reset Password is where users can go to reset their password (if they've forgotten it after logging in or feel that it has been compromised).
  • Help is a page that contains information about CRITs, how to use it, what everything means, as well as information on how to use the API to query the system for data.
  • Shortcut Keys Help is a menu item to bring up the shortcut keys help.
  • Log Out will log you out of CRITs.
    • NOTE: If you are using Remote User Authentication, it will redirect you to the login page which will automatically log you in again!

Listing Pages

The listing pages are designed using jTable. It allows you to sort, paginate, and limit results based on some of the column content. Some common columns you'll see are:

  • Details: Links you to the Details page for that top-level object.
  • Source: Quick list of sources that have provided that information.
  • Campaign: Quick list of Campaigns attributed to that data.
  • Favorite: A quick way to add that top-level object to your Favorites for easy access later.
  • Store ID: Store the top-level object type and ID to your clipboard for use in forms that support it.
  • Trashcan: If this is available, it allows you to delete that top-level object from the system.

Some of them also come with a list of buttons:

  • Add: Add a new top-level object of this type to CRITs.
  • CSV: Export the jTable content to a CSV file.
  • Reload: Reload the contents of the jTable with information from the database.

On your profile page you have the ability to set the default row count for jTables. It defaults to 25.

Details Pages

The Details pages are the places where you'll probably spend most of your time. They give you access to all of the information about a single top-level object. Most Details pages are fairly similar and only deviate to give you special features unique to that top-level object. Some of the common content on a Details page is:

  • Details: A quick summary of some basic information. Things like hashes, filenames, ObjectIds, Status, Sources, and Releasability can be found and potentially modified here. Depending on the top-level object type the contents of this section may be extended to house unique metadata.
    • Status: Status is used to determine if this is a New, In Progress, Analyzed, or Deprecated top-level object. Deprecated is normally used to designate that something is no longer relevant, benign, incorrect, etc.
    • Sources: An interface to show you all the different sources that provided this information to you. You will only be able to see the sources that your administrator has given you access to see.
    • Releasability: An interface that allows analysts to mark which organizations this data has been approved to share to. It will track who marked it as releasable and also allow you to add instances of sharing so people know when something was shared out and not to duplicate efforts. Some things like the TAXII service automatically add entries like this for you.
  • Details Buttons: This is a section to the right of the Details section where you can find some buttons for useful actions. Currently you can "Copy to clipboard" which copies the type and ObjectId to your clipboard, and you can "Favorite" to add that top-level object to your Favorites for later reference.
  • Bucket List: This is a tagging mechanism. It allows you to add "buckets" to a top-level object that can be used for searching later on. This can be used to group large or small sets of top-level objects. As you add or remove buckets it will automatically update the Bucket Listing page.
  • Tickets: This section allows you to associate this top-level object with a ticket in your organization's ticketing system (if you have one).
  • Campaigns: This section allows you to perform Campaign attribution.
  • Relationships: This section allows you to relate this top-level object to other top-level objects throughout the system. It leverages CybOX Relationship Types.
  • Objects: This section allows you to add CybOX objects to this top-level object. These objects tend to be the results of performing some level of analysis on the top-level object whether it be manual or the result of some tool. These Objects can be things like strings, large amounts of text, or even a file upload.
  • Comments: This section allows analysts to add narrative content about the top-level object. You can have a discussion over time with other analysts. It gives you the ability to add comments, edit your own comments, reply to other people's comments, reference other analysts (using the @ format), or add hashtags (using the # format). Referencing a user will generate a notification for them that they were involved. Using a hashtag allows you to relate that comment to a common topic. You can then search by hashtag and find all comments across the system that are potentially related to what you are looking for.

Details Page Tabs

Most Details pages have several tabs to break up content. Usually there will be:

  • Details: The main Details tab
  • Analysis: Houses the analysis results derived from running services. Also allows you to run services.

Some top-level objects have their own unique tabs (like Emails). These are usually there to break up Details from some common core functionality provided by CRITs.

If you add Services to CRITs they have the ability to extend the Details page with more tabs. Two common ones are:

  • Relationships Service: Gives you a graphical view of all of the relationships for this top-level object.
  • Timeline Service: Gives you a "play-by-play" of all of the modifications to that top-level object. It breaks things down by day and then sorts them in ascending order.

Another neat feature of Details pages is the ability to subscribe. When you visit a Details page you'll notice a blue checkmark in the top bar. If you see it, it means you aren't subscribed to that top-level object and you'll receive no notifications about it (unless someone mentions you in a comment). If you click on it you'll subscribe to it and the checkmark will change to an "X". You can click on that to unsubscribe.

Profile Page

Your profile page is packed with tons of information:

  • User Info: General information about you and your account. You can see:
    • Username
    • First Name
    • Last Name
    • Email Address
    • Last Login
    • Invalid Login Attempts
    • Failed Password Resets
    • Date your account was created
    • Organization
    • Roles
    • It also allows you to change your password and alter your TOTP settings.
  • Preferences: Here you can make some customizations to how you see/use CRITs:
    • Email Notifications: This will enable/disable getting emailed about things you are subscribed to.
    • UI Settings: This allows you to switch themes and set your default jTable row count.
    • Navigation Menu: By default CRITs uses the slider Navigation menu. If you'd rather have something always available you can swap to the "Topmenu". This will add the menu to the top-bar for dropdown navigation. You can also customize the colors for the menu to your liking.
  • Login Attempts: Shows you a list of the last 50 login attempts whether they were successful or not.
  • Recent Activity: A list of recent top-level objects you've worked on.
  • Subscriptions: A listing of the top-level objects you are subscribed to. Allows you to unsubscribe as well.
  • My Sources: A list of sources you have access to. Allows you to subscribe to those sources. If you subscribe to a source you'll get notifications for every top-level object provided by that source.
  • My API Keys: If you see this tab it will allow you to generate API keys. These keys can be used for accessing CRITs through the Authenticated API (more information in the Help page in CRITs). You can revoke API keys if you feel one has been compromised, and you can generate as many keys as you need, so you'll always be able to use a unique one for every purpose. By doing this you won't have to worry about rotating keys for every use case you have, just the one you feel is compromised.
  • Notifications: The list of notifications you've received. You can remove single notifications or mass-remove all of them. One thing to note is that by visiting a Details page it will automatically clear all of the notifications you might have for that top-level object. Also if you opt into getting email notifications, the system will automatically remove any notifications in the UI that were sent out with that email.
  • Favorites: The list of your Favorites. Allows you to have a quick view of all of your favorites and remove them. You can perform similar actions by clicking on the star in the top bar, but this interface is more robust and contains more details about each top-level object you've favorited.
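The one-key-per-purpose model described under "My API Keys" is worth seeing in code: if each integration (a TAXII feed, a triage script) holds its own key, revoking the compromised one leaves everything else working. The following is an added illustration written for this page, not CRITs' own key store or API; the class and method names (ApiKeyStore, issue, revoke, authenticate), the hashed-at-rest storage, and the purpose labels are all assumptions.

```python
"""Per-purpose API key store: issue one key per integration, revoke one at a time.
Added example for the CRITs UI guide; not CRITs code. All names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ApiKey:
    name: str           # purpose label, e.g. "taxii-feed" (constructed value)
    digest: str         # SHA-256 of the secret; plaintext is shown only once, at issue time
    revoked: bool = False


@dataclass
class ApiKeyStore:
    # Revoked keys stay in the list so there is an audit trail of what was issued.
    keys: list = field(default_factory=list)

    def issue(self, name: str) -> str:
        """Create a key for one purpose and return its plaintext exactly once."""
        if any(k.name == name and not k.revoked for k in self.keys):
            raise ValueError(f"an active key named {name!r} already exists")
        secret = secrets.token_hex(32)  # 256 bits of randomness from the OS CSPRNG
        self.keys.append(ApiKey(name, hashlib.sha256(secret.encode()).hexdigest()))
        return secret

    def revoke(self, name: str) -> int:
        """Disable every active key issued for `name`; return how many were revoked."""
        count = 0
        for k in self.keys:
            if k.name == name and not k.revoked:
                k.revoked = True
                count += 1
        return count

    def authenticate(self, secret: str):
        """Return the purpose name of the active key matching `secret`, else None."""
        digest = hashlib.sha256(secret.encode()).hexdigest()
        for k in self.keys:
            # constant-time comparison so a wrong guess does not leak how many
            # leading characters of the digest matched
            if not k.revoked and hmac.compare_digest(k.digest, digest):
                return k.name
        return None


def demo():
    """Walk through the scenario from the text: two integrations, one key leaks."""
    store = ApiKeyStore()
    taxii_key = store.issue("taxii-feed")
    script_key = store.issue("triage-script")
    assert store.authenticate(taxii_key) == "taxii-feed"
    # The TAXII key is believed compromised: revoke only that one.
    store.revoke("taxii-feed")
    # The triage script keeps working; the leaked key no longer authenticates.
    return store.authenticate(taxii_key), store.authenticate(script_key)


if __name__ == "__main__":
    print(demo())
```

Storing only a digest means a dump of the key table does not hand an attacker usable credentials, and returning the plaintext once at issue time mirrors what the profile page does when it shows you a freshly generated key.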
