How to create a visualization?

UTMStack partially implements the Elastic Stack architecture, using Elasticsearch as its data engine and Logstash for log parsing. UTMStack includes a dashboard-building module for presenting that data, which lets you customize dashboards, reporting, and compliance views. Together with the correlation engine, this makes UTMStack a flexible product for monitoring logs from different sources; you can also create your own correlation rules under the Manage Correlation Rules menu.

This guide walks through the steps to create a new visualization:

  1. Open Dashboard.
  2. Click on New visualization. You will see all the existing visualization types. [Figure: new-visualization.jpg]
  3. Select a source (default index pattern) that you want to chart, or choose Add a new source to add a new index pattern.
  4. Select a visualization chart type.

    • Line, Area LineBar, Bar, and Bar Horizontal charts (Compare different series in X/Y charts.)
    • Pie Chart (Display each source's contribution to a total.)
    • Tag Cloud Chart (Display words as a cloud in which the size of each word corresponds to its importance.)
    • Table (Display the data of a composed aggregation by metric and bucket.)
    • List (List data by field and create your own custom table.)
    • Gauge (Display a gauge.)
    • Goal (Display a gauge.)
    • Metric (Display a single number.)
    • Region map (Represent source and destination IP addresses geographically.)
    • Heat Map (Shade cells within a matrix.)
    • Text (Add custom notes to the dashboard.)
  5. Click the button Create visualization.

By default, UTMStack charts the aggregation metric (Count) over all the data in the selected chart type. You can then split that total into specific aggregation buckets.

Check the documentation of each chart type to see which metric aggregations and bucket aggregations it supports.

For example, if you are indexing alerts, you can build a bar chart that plots the aggregation metric (Count) of alerts by adding an aggregation bucket (Date Histogram) on the field (@timestamp) with a minimum interval (Daily). Click the Run button to refresh the visualization after applying any aggregation, filter, or other modification.

[Figure: example-0k.jpg]

The chart displays the count of alerts per day over seven days. Hovering the mouse pointer over a bar shows a tooltip with the number of alerts (the metric) for that specific day (the bucket). You can also expand the legend by clicking on the navigation arrow.

The y-axis shows the number of alerts, and the days are displayed across the x-axis.

Bar, Line, and Area LineBar charts plot the metric on the y-axis and the buckets on the x-axis. Bar Horizontal swaps them: the metric goes on the x-axis and the buckets on the y-axis. Pie charts use the metric for the slice size and the bucket to determine the slices.

You can break the data down further by specifying sub-buckets.

For example, you could add an aggregation sub-bucket (Terms) on the field (category.keyword) to the bar chart to see each day's alert count split across the top five categories, ordered by descending count, over the seven days.

[Figure: bucket-ok.jpg]

In this case, UTMStack shows between one and three categories per day, which means that at most three different alert categories were received on any single day during this week.

By default, UTMStack displays the top five terms ordered by the metric in descending order. You can change both the number of terms and the ordering.
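To make the metric, bucket and sub-bucket relationship concrete, here is an added Python example; it is not part of the UTMStack documentation or code base. It builds the Elasticsearch aggregation body that the bar chart above corresponds to (metric Count, bucket Date Histogram on @timestamp, sub-bucket Terms on category.keyword, top five by descending count) and computes the same result locally over a handful of constructed alert documents, so you can see the data behind each bar and each coloured segment. The field names come from the example above; the aggregation names per_day and top_categories, the use of calendar_interval (an Elasticsearch 7.2+ parameter), and the sample alerts are assumptions for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample alerts for illustration; not real UTMStack data.
SAMPLE_ALERTS = [
    {"@timestamp": "2021-12-06T08:15:00.000Z", "category": "Potentially Malicious Activity"},
    {"@timestamp": "2021-12-06T09:40:00.000Z", "category": "Potentially Malicious Activity"},
    {"@timestamp": "2021-12-06T17:02:00.000Z", "category": "Brute Force"},
    {"@timestamp": "2021-12-07T01:12:00.000Z", "category": "Brute Force"},
    {"@timestamp": "2021-12-08T11:30:00.000Z", "category": "Potentially Malicious Activity"},
    {"@timestamp": "2021-12-08T13:05:00.000Z", "category": "Malware"},
    {"@timestamp": "2021-12-08T22:48:00.000Z", "category": "Brute Force"},
    {"@timestamp": "2021-12-09T03:20:00.000Z", "category": "Potentially Malicious Activity"},
    {"@timestamp": "2021-12-10T10:00:00.000Z", "category": "Malware"},
    {"@timestamp": "2021-12-10T10:05:00.000Z", "category": "Malware"},
    {"@timestamp": "2021-12-11T16:45:00.000Z", "category": "Brute Force"},
    {"@timestamp": "2021-12-12T02:30:00.000Z", "category": "Potentially Malicious Activity"},
]


def aggregation_request(bucket_field="@timestamp", interval="1d",
                        sub_bucket_field="category.keyword", size=5):
    """Elasticsearch request body equivalent to the chart described above:
    metric Count, bucket Date Histogram (daily) on @timestamp, sub-bucket Terms
    on category.keyword, keeping the top `size` terms ordered by count descending.
    "size": 0 asks only for the aggregation, not for the matching documents.
    The aggregation names and calendar_interval (ES 7.2+) are assumed, not UTMStack's."""
    return {
        "size": 0,
        "aggs": {
            "per_day": {
                "date_histogram": {"field": bucket_field, "calendar_interval": interval},
                "aggs": {
                    "top_categories": {
                        "terms": {"field": sub_bucket_field, "size": size,
                                  "order": {"_count": "desc"}},
                    }
                },
            }
        },
    }


def aggregate_locally(alerts, size=5):
    """Offline equivalent of the aggregation above: one bucket per day whose
    doc_count is the Count metric, with a nested list of the top `size`
    categories for that day in descending order. Simplified: the bucket key is
    the calendar date instead of Elasticsearch's full ISO timestamp."""
    per_day = defaultdict(Counter)
    for alert in alerts:
        day = alert["@timestamp"][:10]   # YYYY-MM-DD part of the ISO-8601 UTC timestamp
        per_day[day][alert["category"]] += 1
    buckets = []
    for day in sorted(per_day):
        counts = per_day[day]
        buckets.append({
            "key_as_string": day,
            "doc_count": sum(counts.values()),
            # most_common keeps insertion order among equal counts, so ties are stable
            "top_categories": [{"key": k, "doc_count": n} for k, n in counts.most_common(size)],
        })
    return buckets


if __name__ == "__main__":
    print(json.dumps(aggregation_request(), indent=2))
    for bucket in aggregate_locally(SAMPLE_ALERTS):
        split = ", ".join(f"{c['key']}={c['doc_count']}" for c in bucket["top_categories"])
        print(f"{bucket['key_as_string']}: {bucket['doc_count']} alerts ({split})")
```

Each entry printed by the loop is one bar of the chart: the day is the bucket, the total is the bar height, and the per-category counts are the stacked segments that the Terms sub-bucket adds. Lowering `size` to 1 shows why the default of five matters: categories beyond the limit are silently dropped from the chart rather than grouped.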

UTMStack also lets you restrict the chart to the last 15 minutes, last 30 minutes, last hour, last 24 hours, last 30 days, last 90 days, or last year, or to a custom time range. Click the calendar icon for these options.

[Figure: calendar-ok.jpg]

You can also filter the visualized data by field by clicking on + Add filters.

Types of operators:

is: Selects all data that match the selected value.

is not: Selects all data except the selected value.

is one of: Selects all data that match any value in the selected set.

is not one of: Selects all data that match none of the values in the selected set.

exists: Selects the data where the field exists.

does not exist: Selects the data where the field does not exist.

is between: Selects numeric or date data that fall within a specific range. The range bounds must use the same format as the field's values; for example, @timestamp uses the pattern YYYY-MM-DDTHH:mm:ss.SSSZ (for instance, 2021-12-12T02:30:00.000Z).

is not between: Selects numeric or date data that fall outside a specific range.

contain: Selects all data that contain a specified string.

does not contain: Selects all data that do not contain a specified string.

start with: Selects all data that start with a specified string.

does not start with: Selects all data that do not start with a specified string.

end with: Selects all data that end with a specified string.

does not end with: Selects all data that do not end with a specified string.

Following the above example, you can restrict the count of alerts during the last 30 days to a specific alert category (Potentially Malicious Activity) using the operator "is".

[Figure: filters-additions.jpg]

[Figure: filtering-by-category.jpg]

You can quickly edit, delete, or invert a filter by clicking on it. Remember to always click the Run button to apply the changes to the visualization.
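As an added example that is not UTMStack's own code, the following Python maps each filter operator listed above to the Elasticsearch query clause it corresponds to, enforces the @timestamp format caveat for "is between", and assembles the bool query for the filter just described (last 30 days, category is Potentially Malicious Activity). The clause mapping is an assumption about what a reasonable implementation would emit, not a transcription of the query UTMStack actually generates; the field names and sample values are taken from the examples above, and invert_operator mirrors the "invert" action on a filter.

```python
import re

# Shape check for @timestamp bounds (YYYY-MM-DDTHH:mm:ss.SSSZ), per the "is between" note above.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")

# Negated operators are the inverse of a positive one and become must_not clauses.
NEGATED = {
    "is not": "is", "is not one of": "is one of", "does not exist": "exists",
    "is not between": "is between", "does not contain": "contain",
    "does not start with": "start with", "does not end with": "end with",
}
POSITIVE = {positive: negated for negated, positive in NEGATED.items()}


def invert_operator(operator):
    """Toggle an operator between its positive and negated form (the "invert" action)."""
    return NEGATED.get(operator) or POSITIVE[operator]


def _escape_wildcard(text):
    """Escape *, ? and \\ so a user-supplied string is matched literally, not as a pattern."""
    return re.sub(r"([*?\\])", r"\\\1", text)


def positive_clause(field, operator, value):
    """Query DSL clause for a non-negated operator (assumed mapping, not UTMStack's)."""
    if operator == "is":
        return {"term": {field: value}}
    if operator == "is one of":
        return {"terms": {field: list(value)}}
    if operator == "exists":
        return {"exists": {"field": field}}
    if operator == "is between":
        low, high = value
        if field == "@timestamp":
            for bound in (low, high):
                if not TIMESTAMP_RE.match(bound):
                    raise ValueError(f"{bound!r} does not match YYYY-MM-DDTHH:mm:ss.SSSZ")
        return {"range": {field: {"gte": low, "lte": high}}}
    if operator == "contain":
        # A leading wildcard must scan every term of the field: correct, but slow on large indices.
        return {"wildcard": {field: {"value": f"*{_escape_wildcard(value)}*"}}}
    if operator == "start with":
        return {"prefix": {field: value}}
    if operator == "end with":
        return {"wildcard": {field: {"value": f"*{_escape_wildcard(value)}"}}}
    raise ValueError(f"unknown operator: {operator}")


def build_query(filters, time_range=None):
    """Combine (field, operator, value) filters into one bool query.
    time_range is the calendar-icon selection as (gte, lte) on @timestamp;
    Elasticsearch date math such as ("now-30d", "now") is accepted there.
    Clauses go under "filter" rather than "must" because only matching, not scoring, is needed."""
    must, must_not = [], []
    if time_range:
        must.append({"range": {"@timestamp": {"gte": time_range[0], "lte": time_range[1]}}})
    for field, operator, value in filters:
        if operator in NEGATED:
            must_not.append(positive_clause(field, NEGATED[operator], value))
        else:
            must.append(positive_clause(field, operator, value))
    return {"query": {"bool": {"filter": must, "must_not": must_not}}}


if __name__ == "__main__":
    import json
    query = build_query([("category.keyword", "is", "Potentially Malicious Activity")],
                        time_range=("now-30d", "now"))
    print(json.dumps(query, indent=2))
```

Note that "is" and "is one of" are exact-match clauses, which is why the example filters on category.keyword rather than the analysed category field: a term query against an analysed text field would have to match a single lower-cased token, not the whole phrase.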