Configure Visualization Query Filters
Visualization query filters can be used to tailor the information displayed in the visualization. You can configure a time range filter to show only data from a specific time period. You can configure other filters, or combinations of filters, to specify aspects of dimensions included in the visualization, like certain types of users or activities. Depending on how complex your filter needs to be, you can group filter conditions together with AND or OR operators.
To configure query filters on a visualization:
With the visualization open in edit mode, click the expand arrow on the Filters heading at the top of the right-hand panel. The Filters panel fully expands to show two sections: Required Filters and Query Filters.
Note
Required Filters cannot be removed.
The Approx Log Time filter is a required filter for visualizations based on the Event Store data model. It is automatically applied to these visualizations with a default setting of in the last 2 days. As a field, the Approx Log Time is the time that an event was triggered, and this internal filter is designed to avoid slow loading times that can happen with larger queries.
You can change this time range filter setting to anything within your licensed retention period, but it is not recommended. Instead, you can override it by adding an Approx Log Time filter at the dashboard level and setting it to any time range that you need. For information on creating dashboard filters, see Add Dashboard Filters.
In the Query Filters heading, click the expand arrow, if necessary, to open the Query Filter section.
Depending on the query you want to create, select the AND, OR, NOT AND, or NOT OR operator from the drop-down menu on the left. This operator defines the relationship between each of the rule conditions within a group. The default operator is AND.
To add your first query condition, click + Rule. When the new condition row opens, define the query condition as follows:
Select a field name from the Field drop-down menu. You can start typing in the field to find the desired field name.
Select an operator from the menu in the middle of the condition row.
Note
The list of operators available for specific data type fields is being updated in phases to be consistent with those available across Exabeam New-Scale applications. Most recently, support for the following operators has been removed when creating new filters with IP data type fields: starts with, ends with, does not start with, does not end with. Existing visualizations that are filtered using these operators on IP data type fields will not change. However, it's recommended that you update them with supported operators when you encounter them.
If applicable, enter a value in the text field on the right of the condition row. If you enter multiple values, they are connected by an OR.
To add another condition, click + Rule again to add another row and define a new condition with field name, operator, and value.
To add a new group of condition rules, click + Group. A new condition group is added to the Query Filters panel.
Depending on how you want the rule conditions in the new group to be connected to each other, select the AND, OR, NOT AND, or NOT OR operator from the drop-down menu on the left. The default operator is AND.
Click + Rule and define the conditions for each rule you want to add to the new group. You can add multiple groups of conditions. To remove a condition or a group, click the delete icon next to it.
When you have built all of the filter conditions you need, you can review the filter as a query string. Click the collapse arrow in the top right corner of the Query Filters panel. To view the filter conditions, click the expand arrow.
If you want to apply a context filter to your visualization, click the + Context Filter option at the bottom of the Query Filters panel and then click the expand arrow to open a condition row. You can add up to two context filters to the end of the filter panel and they must be connected by an AND relationship to the other filter conditions. To define context filters, enter the following information for each context filter you add:
Context Field – A field that is assigned as the key attribute in a context table.
Operator – Select the appropriate option depending on whether you want to search for data that is or is not present in the context table.
Context Table – Select the name of the context collector that you want to include in the visualization filter.
For more information about including context tables in a query filter, see Include Context Filtering in Visualizations.
When you finish building your query filters, click the Run Data button on the left to see if the filters produce the desired results in the data your visualization displays.
To save the query filters, click Save or Add, depending on how you opened the visualization for editing.