Dashboard builder

A dashboard displays a collection of visualizations and searches. You can arrange, resize, edit, and save the dashboard content. A dashboard displays essential information about user activity, alerts, vulnerabilities, and network traffic in your organization.UTMStack supports several types of visualizations that streamline a network environment's security monitoring and analysis.

New dashboard

When you first log in to the UTMVault, go to the Dashboard tab to display the option: New dashboard

new-dashboard.png

1 .Clicking on New dashboard opens a pop-up window on the right side of the screen.

visualizations-1.png

It displays a list of all the logs, events, and alarms collected and generated by UTMSTack. The list can be sorted in ascending or descending order by name or last modification.

2. Two search bars allow selecting the type of visualization: pie, chart, bar, gauge, line, and the source: timestamp, alerts, events, etc.

Mouse over any element on the list to get a preview of the visualization. You can download the preview as an image, or restore it.

3. You can select any of them to create a visualization, then you add the visualizations to the dashboard. You can save the dashboard with a name and description. 

4. When you load the dashboard, every visualization can be filtered by time or deleted. Click on the visualization options icon displays a list with the following options:

4.1. Edit visualization

The visualization builder lets you manipulate the data to edit or customize the visualizations. You can see the multifaceted collected data in a simple and intuitive way.

You can filter by field, operator, and time:

Agregation

Aggregation refers to the collection of documents or a set of documents obtained from a particular search query or filter.

You can use the supported aggregations to build your visualizations. Metric aggregations extract field from documents to generate data values. You can add different metrics and apply a custom label.

UTMSTack supports the following aggregations:

Average

The mean value.

Count

The total number of documents that match the query, which allows you to visualize the number of documents in a bucket. Count is the default value.

Max

The highest value.

Median

The value that is in the 50% percentile.

Min

The lowest value.

Sum

The total value.

Unique Count

The Cardinality of the field within the bucket.

Buckets aggregations

Bucket aggregations creates buckets or sets of documents based on certain criteria. Depending on the aggregation type, you can create filtering buckets, that is, buckets representing different value ranges and intervals for numeric values, dates, IP ranges, and moreBucket aggregations sort documents into buckets, depending on the contents of the document.

UTMSTack supports the following aggregation buckets:

Date histogram

Terms

Splits a date field into buckets by interval. If the date field is the primary time field for the index pattern, it chooses an automatic interval for you. Intervals are labeled at the start of the interval. For example, the tooltip for a monthly interval displays the first day of the month.

Specify the top or bottom n elements of a given field to display, ordered by count or a custom metric. Supports exclude and include patterns.

In order to use it you will need to enable fielddata and custom label.

The visualization can be downloaded as an image, restored, or displayed as data.

Saving

After finishing building the visualization, you can enter a title and optionally a description. You can enable the option: Save as new visualization.

 

How to create a visualizations?

UTMStack partially implements the Elastic Stack architecture, using Elasticsearch as a data engine and logstash as data parsing. UTMStack has a dashboard building module to show the data, allowing you to customize the dashboard, reporting, and compliance. This characteristic and the correlation engine make UTMStack a flexible product to monitor logs from different sources. As of here, you can create your own correlation rules in the menu Manage Correlation Rules.

In this book you will learn the steps to create a new visualization:

  1. Open Dashboard.
  2. Click on New visualization. You will see all the existing visualizations types.new-visualization.jpg
  3. Select a source (default index pattern) that you want to chart or Add a new source (add a new index pattern).
  4. Select a visualization chart type.

    • Line, Area LineBar, Bar, and Bar Horizontal Charts (Compare different series in X/Y charts.)
    • Pie Chart (Display each source’s contribution to a total.)
    • Tag Cloud Chart (Display words as a cloud in which the size of the word corresponds to its importance.)
    • Table (Display the data of a composed aggregation by metric and bucket.)
    • List (List data by field and create your custom table)
    • Gauge (Display a gauge.)
    • Goal (Display a gauge.)
    • Metric (Display a single number.)
    • Region map (Represent IPs of data sources and destination sources.)
    • Heat Map (Shade cells within a matrix.)
    • Text (Allow create custom notes in the dashboard)
  5. Click the button Create visualization.

Initially, UTMStack will represent by default the general data associated with the aggregation metric (Count) in the chart selected. However, you can split them by specific aggregation buckets.

Check the documentation of each visualization chart to see their metrics aggregations and buckets aggregations.

For example, if you’re indexing alerts, you could build a bar chart that represents aggregation metric (Count) by alerts by specifying the aggregation bucket (Data Histogram) on the field (@timestamp) with a minimum interval (Daily). Click the button Run to visualize data after applying any aggregation, filter, or modification.

example-0k.jpg

The chart displays the count of alerts by seven days. When positioning the mouse pointer over each bar, you will see a tooltip with information about the number of alerts (metric) per specific day (bucket). Also, you can see all the legend information by clicking on the navigation arrow.

The y-axis shows the number of alerts, and the days are displayed across the x-axis.

Bar, Line, or Area LineBar chart visualizations use metrics for the y-axis and buckets for the x-axis. However, the Bar Horizontal changes the representation of the metric for the x-axis and buckets for the y-axis. Pie charts, use the metric for the slice size and the bucket for the number of slices.

On the other hand, you can further break down the data by specifying sub-buckets.

For example, you could add on the bar chart an aggregation sub-bucket (Terms) on the field (category.keyword) to see the count of alert descending split by the top five categories during seven days.

bucket-ok.jpg

In this case, UTMStack only shows between one or three categories per day. This means that you received only a maximum of three different alert categories during this week.

By default, UTMStack displays the top five fields ordered descending by the metric. Anyways you can change those values.

In addition, UTMStack allows you to represent the count of alerts by categories during the last 15 minutes, last 30 minutes, last hour, last 24 hours, last 30 days, last 90 days, last year, or customize your time. Click on the calendar icon for these options.

calendar-ok.jpg

You can also apply filters to the fields visualized by clicking on + Add filters.

Type of operators:

is: Selects all data that match the specific value selected.

is not: Selects all data except the specific value selected.

is one of: Selects all data that match a set of values selected.

is not one of: Selects all data that does not match a set of values selected.

exists: Selects the data where the field exists.

does not exist: Selects the data where the field does not exist.

is between: Selects numeric data that is between a specific value range. The range should match with the input pattern for each data. For example, the @timestamp's pattern is YYYY-MM-DDTHH:MM:SS.MsMsMsZ (2021-12-12T02:30:00.000Z.)

is not between: Selects numeric data that is not between a specific value range.

contain: Selects all data that contain a specified string.

does not contain: Selects all data that does not contain a specified string.

start with: Selects all data that start with a specified string.

does not start with: Selects all data that does not start with a specified string.

end with: Selects all data that end with a specified string.

does not end with: Selects all data that does not end with a specified string.

Following the above example, you can filter the count of alerts during the last 30 days given a specific alert category (Potentially Malicious Activity) using the operator "is."

filters-additions.jpg