- Dashboards
- Navigation Overview
- View and Interact with Dashboards
- View and Interact with Visualizations
- User Management
- Configure and Manage Dashboards
- Create a Dashboard
- Add a Visualization to a Dashboard
- Add a Text Tile
- Modify a Dashboard Layout
- Add Dashboard Filters
- Manage Automatic Refresh Rates
- Create a Scheduled Report
- Make a Dashboard Public
- Export and Import Dashboards
- Edit Dashboard Filters
- Edit Dashboard Details
- Duplicate a Dashboard
- Delete a Dashboard
- Configure and Manage Visualizations
- Create a Visualization
- Auto-Create a Visualization from a Natural Language Prompt
- Create a Visualization from a Search Query
- Add Visualizations from the Library to a Dashboard
- Modify a Visualization
- Configure Visualization Query Filters
- Include Context Filtering in Visualizations
- Make a Visualization Public
- Export and Import Visualizations
- Duplicate a Visualization
- Remove a Visualization from a Dashboard
- Delete Visualizations from the Library
- Configure and Manage Scheduled Reports
- Pre-Built Dashboards
- Advanced Analytics
- AI/LLM Dashboards
- Threat Center
- Case Manager
- Compliance / Event Store
- Access Grant and Revoke Activity Dashboard
- Account Logout Summary Dashboard
- Account Management Activity Dashboard
- Application Security Event Summary Dashboard
- Authenticated User Accounts on Hosts Dashboard
- AWS CloudTrail Summary Dashboard
- Data Loss Prevention Activity Dashboard – Host-Based
- Data Loss Prevention Activity Dashboard – User-Based
- Data Loss Prevention Activity Summary Dashboard
- Default Account Access Dashboard
- Default Credential Usage and Change Activity Dashboard
- Denied Web Access Activity Dashboard
- Disabled User Account Summary Dashboard
- Discovered Attacks by Source and Destination Dashboard
- Endpoint Detection and Response Dashboard
- Failed Application Logon Activity Dashboard
- Failed Audit Logs Summary Dashboard
- Failed Host Login Attempt Counts by Users Dashboard
- Failed VPN Login Attempts and Remote Session Timeouts Dashboard
- Firewall Activity Dashboard
- Firewall and Router Device Interfaces Dashboard
- Indicator of Compromise (IOC) Statistics Dashboard
- Insecure Authentication Attempts Dashboard
- Microsoft 365 Summary Dashboard
- Microsoft Windows Overview Dashboard
- Network Applications by Traffic Volume Dashboard
- Policy Activity Summary Dashboard
- Port Usage Trends Dashboard
- Privileged Access Dashboard
- Privileged Access Dashboard – User-Based
- Protocols by Network Traffic Dashboard
- Remote Session Overview Dashboard
- Security Alert Summary Dashboard – Impacted Hosts
- Security Alert Summary Dashboard – Origin Hosts
- Security Alert Summary Dashboard – Users
- Successful Application Logon Activity Dashboard
- Successful Database Login Activity Dashboard
- Successful Physical Access Dashboard
- Top Attackers Dashboard
- User Account Creation Summary Dashboard
- User Account Lockout Activity Dashboard
- Vendor Authentication Activity Dashboard
- Windows Audit Failure Summary by Hosts Dashboard
- Windows Audit Failure Summary by Users Dashboard
- Windows User Privilege Elevation Dashboard
- Zscaler HTTP Dashboard
- Correlation Rules
- SOC Management
- Pre-Built Visualizations
- Anomalies - Use Case & MITRE Coverage
- Anomalies by Rule Name
- Anomalies by Use Case
- Anomalies Count Over Time
- Anomaly Distribution by MITRE Tactic & Score
- Application Count
- Closed Incidents
- Correlation Rules by Severity
- Correlation Rules Triggered Over Time
- Detected Anomalies
- Host-Based DLP Alerts Count
- Incidents Created
- Incident Summary by Incident Type
- Number of Hosts with DLP Alerts
- SOC Incident Distribution
- Top 5 Host-Based DLP Alert Categories
- Top 5 Protocols in Host-Based DLP Alerts
- Top 10 Host-Based DLP Alert Types
- Top 10 Hosts with DLP Alerts
- Top Activities per Top 10 Applications
- Top Users per Top 10 Applications
- Trend of Application Security Events
Include Context Filtering in Visualizations
When configuring filters for a visualization, you can select up to two context tables and filter on a specific value from a field in each table. To apply context filters to your visualization, use the + Context Filter option at the bottom of the Query Filters panel and you will be able to select a context table from a list of existing context tables. The filter query will perform a data type validation between the field you filter on and the content within the selected context tables.
For more information about configuring and using context filters in a visualization, see the following sections below:
For more information about configuring visualization filters in general, see Configure Visualization Query Filters.
Note
Context table names are used instead of table IDs, so a saved search will stop working if it uses a context table, and that table is renamed.
Rules for Using Context Filters
The following rules apply when using context tables in a visualization:
You cannot use a context table that has more than 100,000 rows. If a context table is larger than this, it will not show up in the context table list, available for selection.
You can use the following types of context tables in a visualization filter:
STIX/TAXII-based Threat Intelligence context tables that include data from external sources that support the STIX/TAXII framework
Note
STIX/TAXII context tables are available as part of a Cloud Collector Early Access program. During the early access period, you can access this functionality for STIX/TAXII context tables only if you participate in the program. To participate, see Sign Up for the Early Access Program, in the Cloud Collectors Administration Guide
Pre-built Threat Intelligence context tables that include data from an Exabeam-provided, curated source
Other pre-built context tables
Note
Currently, the New-Scale Analytics set of pre-built context tables can only be accessed if you have the New-Scale Analytics License.
There must be at least one entry in the context table before the visualization can display any data. If you select a context table that contains no data, a message is displayed alerting you that the context table is empty. You can still select it to filter the visualization, but no results will be displayed until at least one record is added to the context table.
Context table lookup is only available for fields that are of a string-like type (string, ip, email, etc.) or number type (number, integer). It is not available for other types (Boolean, time, etc).
Note
Context filter queries perform case insensitive, exact match searching and NOT token searching. For example, searching for an ID of "james" will return results for "james", "James", and "JAMES".
You can use up to two context table filters per visualization.
Context table filters can only be joined with AND logic, within the query.
Context table filters are limited to a 90 day sliding window.
The following license-based restrictions apply when using context tables in a visualization:
The filter query time range must be within the number of months in your license, plus additional months if you are subscribed to any extended retention add-ons.
Note
If the filter query is beyond the allowed time range, you will not be able to use a context table and will see a message explaining that the time range is beyond the allowed period.
If your license restricts the use of third party logs:
and you have an Exabeam Security Analytics license, your query will only return the first 10 events from third party logs.
and you have an Exabeam Security Investigation license, you will have seven days of full search, and then will be restricted to the first 10 events from third party logs.
Adding a Context Filter to a Visualization
Start by following the procedure to create a visualization. When you reach the step about configuring query filters for the visualization, following these steps:
At the bottom of the Query Filters panel, click the + Context Filter option.
Click the expand arrow (
) to open a condition row.To define the context filter, enter the following information:
Context Field – A field that is assigned as the key attribute in a context table.
Operator – Select the appropriate option depending on whether you want to search for data that is or is not present in the context table.
Context Table – Select the name of the context collector that you want to include in the visualization filter.
If you want to add a second context filter, click the + Context Filter option again and enter information to define the second context filter. You may need to click the expand arrow (
) first to re-open a Context Filters section.
Finish creating the visualization and save it, either to the Visualization library or to a dashboard. When you view the saved visualization, you can hover your cursor over an element of the chart (such as a bar, a line, or a pie slice) and click the Show Results in Search option.
The Search application opens in a new window and, in the search bar, a query is automatically populated that matches your visualization selection. You can run the search query to drill into the data and find additional information.
