- Dashboards
- Navigation Overview
- View and Interact with Dashboards
- View and Interact with Visualizations
- User Management
- Configure and Manage Dashboards
- Create a Dashboard
- Add a Visualization to a Dashboard
- Add a Text Tile
- Modify a Dashboard Layout
- Add Dashboard Filters
- Manage Automatic Refresh Rates
- Create a Scheduled Delivery
- Make a Dashboard Public
- Export and Import Dashboards
- Edit Dashboard Filters
- Edit Dashboard Details
- Duplicate a Dashboard
- Delete a Dashboard
- Configure and Manage Visualizations
- Create a Visualization
- Auto-Create a Visualization from a Natural Language Prompt
- Create a Visualization from a Search Query
- Add Visualizations from the Library to a Dashboard
- Modify a Visualization
- Configure Visualization Query Filters
- Include Context Filtering in Visualizations
- Make a Visualization Public
- Export and Import Visualizations
- Duplicate a Visualization
- Remove a Visualization from a Dashboard
- Delete Visualizations from the Library
- Pre-Built Dashboards
- Advanced Analytics
- Threat Center
- Case Manager
- Compliance / Event Store
- Access Grant and Revoke Activity Dashboard
- Account Logout Summary Dashboard
- Account Management Activity Dashboard
- Application Security Event Summary Dashboard
- Authenticated User Accounts on Hosts Dashboard
- AWS CloudTrail Summary Dashboard
- Data Loss Prevention Activity Dashboard – Host-Based
- Data Loss Prevention Activity Dashboard – User-Based
- Data Loss Prevention Activity Summary Dashboard
- Default Account Access Dashboard
- Default Credential Usage and Change Activity Dashboard
- Denied Web Access Activity Dashboard
- Disabled User Account Summary Dashboard
- Discovered Attacks by Source and Destination Dashboard
- Endpoint Detection and Response Dashboard
- Failed Application Logon Activity Dashboard
- Failed Audit Logs Summary Dashboard
- Failed Host Login Attempt Counts by Users Dashboard
- Failed VPN Login Attempts and Remote Session Timeouts Dashboard
- Firewall Activity Dashboard
- Firewall and Router Device Interfaces Dashboard
- Indicator of Compromise (IOC) Statistics Dashboard
- Insecure Authentication Attempts Dashboard
- Microsoft 365 Summary Dashboard
- Microsoft Windows Overview Dashboard
- Network Applications by Traffic Volume Dashboard
- Policy Activity Summary Dashboard
- Port Usage Trends Dashboard
- Privileged Access Dashboard
- Privileged Access Dashboard – User-Based
- Protocols by Network Traffic Dashboard
- Remote Session Overview Dashboard
- Security Alert Summary Dashboard – Impacted Hosts
- Security Alert Summary Dashboard – Origin Hosts
- Security Alert Summary Dashboard – Users
- Successful Application Logon Activity Dashboard
- Successful Database Login Activity Dashboard
- Successful Physical Access Dashboard
- Top Attackers Dashboard
- User Account Creation Summary Dashboard
- User Account Lockout Activity Dashboard
- Vendor Authentication Activity Dashboard
- Windows Audit Failure Summary by Hosts Dashboard
- Windows Audit Failure Summary by Users Dashboard
- Windows User Privilege Elevation Dashboard
- Zscaler HTTP Dashboard
- Correlation Rules
- SOC Management
- Pre-Built Visualizations
- Anomalies - Use Case & MITRE Coverage
- Anomalies by Rule Name
- Anomalies by Use Case
- Anomalies Count Over Time
- Anomaly Distribution by MITRE Tactic & Score
- Application Count
- Closed Incidents
- Correlation Rules by Severity
- Correlation Rules Triggered Over Time
- Detected Anomalies
- Incidents Created
- Incident Summary by Incident Type
- SOC Incident Distribution
- Top Activities per Top 10 Applications
- Top Users per Top 10 Applications
- Trend of Application Security Events
Create a Visualization
Visualizations are stored in a visualization library and can be used in multiple dashboards. You can create new visualizations either as independent entities, which can later be added to a dashboard, or as part of an existing dashboard.
Note
For examples of the different types of visualizations you can add, see Chart Types.
Enter visualization edit mode – To enter the visualization creation process, do one of the following:
From the Dashboards home page, click the Visualizations tab at the top and then click New Visualization.
From inside of an existing dashboard, click Add Visualization at the top and then select Create new.
A dialog box opens and displays the available Exabeam data models. The models displayed depend on the Exabeam products in your environment.
Select a data model – To select a data model for your visualization, select an option from one of your Exabeam products.
A visualization dialog box opens where you can select the dimension fields you want to visualize and the measure fields you want to use to quantify the visualized dimensions.
Auto-create a visualization from a natural language prompt (Optional step) – As part of Exabeam Copilot and its set of AI-driven capabilities, you can use the natural language prompt at the top of the dialog box to quickly auto-generate your visualization. For information about using the natural language prompt, see Auto-Create a Visualization from a Natural Language Prompt.
Note
This auto-create option is currently available only for Event model visualizations.
If you do not want to use this feature, proceed with the following steps to configure your measures, dimensions, and filters manually.
Add measures – On the left side of the dialog box, click Edit in the upper right corner of the Measures panel.
When you expand the Measures panel, it contains two sections. The In Visualization section shows the measures you've selected for inclusion in the visualization. The Available Measures section provides categories of available measures to choose from. The measure categories are similar to the categories of fields you are used to seeing in the Basic Search service. They include: a set of Recommendation measures, Common fields, Custom fields, and metadata. When you hover over an available field, a tooltip is displayed that includes the field's Common Information Model name and a description. You can also use the Search field to help you find a specific measure.
In the Measures panel, you can:
Click the expand (
) and collapse (
) arrows to navigate the lists of available measures, or use the Search field to find a measure field quickly.Tip
If you use the Search field to locate measures, don't forget to remove the search term when you look for the next measure.
Click the plus icon (
) on an available measure to add it the the visualization. The number next to In Visualization will increment as you add measures.Click the delete icon (
) next to a selected measure to remove it from the visualization.Click Edit in the upper right corner to collapse the panel. It will display the selected measures and you can still click to remove a specific measure.
Add dimensions – On the left side of the dialog box, click Edit in the upper right corner of the Dimensions panel.
When you expand the Dimensions panel, it contains two sections. The In Visualization section shows the dimensions you've selected for inclusion in the visualization. The Available Dimensions section provides categories of available dimensions to choose from. The dimension categories are similar to the categories of fields you are used to seeing in the Basic Search service. They include: a set of Recommendation dimensions, Common Fields, Custom Fields, Metadata, Anomalies, Audit Logs, Rules, and Geo IP. When you hover over an available field, a tooltip is displayed that includes the field's Common Information Model name and a description. You can also use the Search field to help you find a specific dimension.
Tip
In some categories of dimensions, such as Rules and Geo IP, certain dimensions can be expanded to find additional dimensions. For example, under Rules, you can find Mitre labels, which can be expanded to show additional more specific dimensions such as Tactic and Technique.
In the Dimensions panel, you can:
Click the expand (
) and collapse () arrows to navigate the lists of available dimensions, or use the Search field to find a dimension field quickly.Tip
If you use the Search field to locate dimensions, don't forget to remove the search term when you look for the next dimension.
Click the plus icon (
) on an available dimension to add it the the visualization. The number next to In Visualization will increment as you add measures.Tip
Select only the dimensions you want to display in the visualization. If you want to filter on a dimension that you do not want to display, do not select it as a dimension. Instead set a filter, as shown in Edit Filters below.
Click the pivot icon (
) to designate a dimension as a pivot field in the visualization. To remove the pivot from a dimension, click the pivot icon again.Click the delete icon (
) next to a selected measure to remove it from the visualization.Click Edit in the upper right corner to collapse the panel. It will display the selected measures and you can still click to remove a specific measure.
Note
If you selected the Event model type, in Step 2, to start your visualization, the Approx Log Time is automatically included as a filter set for 2 days. You can change the filter but not delete it. Other model types do not include this log time filter by default, but you can add it.
There are a some optional steps you can take when working with dimensions:
Create a custom measure from a dimension field – While the dimension is still in the Available Dimensions list, move your cursor over the dimension and click the options icon (
). Select one of the available aggregation functions to be applied to the dimension: Count distinct, List of unique values, Minimum, Maximum, Sum, Average. The custom measures are added to the In Visualization section of the Measures tab.Note
Minimum, Maximum, Sum, and Average are available only for numeric dimensions, such as Rule Count or Attachment Count.
Create a custom data group from a dimension field – While the dimension is still in the Available Dimensions list, move your cursor over a dimension and click the options icon (
). Select the Group option. The Group By dialog box opens. Add a Custom Field Name for the new group. In the Groups section, define the conditions you want to use to group the data. For example, in the image below, the email_addressdimension is being grouped by personal vs work email addresses. Any remaining activity will be grouped under other. When you've defined the groups, click Save. The custom data group is added to the In Use tab under Custom fields.
Review your measures and dimensions – When you have selected dimensions and measures, review your selections. You can do the following in the In Visualization section of each panel:
Reorder dimensions and measures – Click the move icon (
) on the left side of a dimension or measure field and drag the field to a new position in the In Visualization section.Designate a dimension as a pivot field – Click the pivot icon (
) on the right side of a dimension field. To remove the pivot, click the pivot icon again.Remove a dimension or a measure – Click the delete icon (
) on the right side of a dimension or measure field.
Configure filters – To add filters to the visualization, click the expand icon (
) on the far right side of the Filters panel. For more information about creating filters or using context filters, see Configure Visualization Query Filters.
Add a visualization title – In the upper-left corner of the dialog box, click in the title field and replace the placeholder text with a descriptive title, as in the following example:
Run the visualization data – Click
Run Data button on the left, below the Dimensions panel. A data table is generated in the Data tab of the main panel on the right. The data table displays the selected dimensions and their metrics. The number of rows in the data table is listed on the right just above the Data tab.
Note
If the
Run Data icon turns red after the data table is generated, the data has changed and the table is not up-to-date. To refresh the data, click the the Run Data icon again.Configure the data table – You can opt to interact with the data table in the following ways:
Change the number of data rows displayed – Click in the Row limits box and change the number of rows you want to display.
Change the sort order of the data – To control the way data appears in a visualization, you can sort the data in any column in the data table. Click the column header to toggle between ascending and descending order.
View and copy the data in a SQL query format – To view the data table in a SQL format, click the SQL icon (
) in the top right corner of the data table. A SQL dialog box opens. At the bottom of the dialog box, click Copy. You can then paste the SQL data into an application or file of your choice.
Add a chart – To add a chart to the visualization, click the Chart tab at the top of the main panel. Choose a chart type that is appropriate for the data you are visualizing. Keep in mind the following when working with charts:
It can be helpful to click through the different chart types to preview how they appear. If the data you have selected is not compatible with a specific chart, a message is displayed to indicate the type of dimensions and metrics needed to use it.
For a map chart, the visualization must include a Country Code dimension.
For bar and column charts, you can opt to change the series positioning. Click the settings icon (
) and then select the desired series positioning: Grouped, Stacked, or Stacked Percentage.
Complete the visualization – To complete the visualization, do one of the following, depending on where you started creating it:
Creating from the Visualizations Tab – Click Save. The visualization is created and added to the library. You can access it for viewing and editing from the Visualization tab. If you want to be able to add the new visualization to one or more dashboards at a later time, you will first need to make it public. See Make a Visualization Public.
Creating from within a Dashboard – Click Add. The visualization is created and added to the dashboard where you started creating it. If you would like to add it to the visualization library, click the options icon (
) of the visualization tile on the dashboard and select Add to Library. A library icon (
) appears on the visualization tile next to the title.