Skip to main content

Data LakeData Lake Migration Guide

Table of Contents

Migrate Dashboards and Visualizations

migration-flow-dashboard.png

Expected Duration:

5 to 30 minutes per visualization, depending on complexity (average = 15 minutes)

Access Required:

  • Data Lake > Library > Saved Dashboards

  • Data Lake > Library > Saved Visualizations

  • Dashboards

Dashboards and Visualizations are structured differently between Data Lake and the Dashboards application in the Exabeam Security Operations Platform. These differences mean that dashboards and visualizations cannot be directly migrated via copy/paste or export/import methods. They need to be rebuilt manually in Dashboards. To facilitate this process, let's look at some of the structural differences.

In Data Lake:

  • Dashboards, visualization, and reports are all based, either directly or indirectly, on search queries. For example, a specific visualization can be based directly on its own query or be built on a saved search.

  • Visualizations can be created independently and used in multiple dashboards. A dashboard must include one or more visualizations.

  • Reports must be connected to either a dashboard or a saved search.

In Dashboards:

  • Dashboards, visualizations, and reports are not based on, or connected to, search queries.

  • Visualizations cannot be created independently of dashboards. They must be created as tiles in a dashboard. If you want to use a visualization in multiple dashboards, it must be recreated as a tile in each dashboard. If you want to migrate a stand alone visualization from Data Lake, you will need to create a dashboard with a single tile.

  • Reports must be connected to a dashboard.

Because of these structural differences, the best strategy for recreating the Data Lake dashboards and visualizations in Dashboards is to open both applications and work between them to identify each field and filter one by one. It might be helpful to test things out in the Search application to ensure the filters you set up in Dashboards generate the results you want.

The following diagram provides a high level overview of the migration process.

migrate-dashboards.png

To rebuild a Data Lake visualization in the Dashboards application, follow the steps below.

  1. Log into Data Lake and click Library in the upper right corner. The Library opens.

  2. Select Saved Dashboards and click on a specific saved dashboard to open it.

    Note

    If you want to recreate a stand alone visualization from Data Lake, select Saved Visualizations instead. Select a specific saved visualization to open it. When it opens, you can see the query it's based on and its X-Axis and Y-Axis fields. Skip ahead to Step 4.

  3. In the open dashboard, decide which visualization you want to recreate in Dashboards. Hover over it and select the Edit icon (icon-edit.png) in the upper right corner. The visualization opens so you can see the query it's based on and its X-Axis and Y-Axis fields.

  4. In another tab, log into the Exabeam Security Operations Platform, navigate to Dashboards, and click New Dashboard. The Create Dashboard dialog box opens.

  5. Enter a Dashboard name that matches the name of the Data Lake dashboard. Click Create Dashboard. A new dashboard is created and opens for editing.

    Note

    If you're recreating a stand alone visualization, enter a name for the new dashboard that matches the visualization name in Data Lake.

  6. Click Add Visualization and select a data model. A dialog box opens where you can begin building your new visualization to match the Data Lake visualization you are recreating. For detailed information about the next few steps, see Add a Visualization in the Dashboards Guide.

  7. Select Dimension fields that match the X-Axis fields in the Data Lake visualization. Keep in mind the following about selecting Dimensions in Dashboards:

    • Only select Dimension fields that you actually want to visualize in the dashboard chart. If you want to filter on a field, but don't want it to show in the chart, do not select it as a dimension. Instead, set it as a filter, as show in Step 9.

    • Dashboard field names are different from Data Lake. Fortunately, you can use the search field at the top of the Data Field pane on the left to quickly find the fields you need.

      Note

      Field names in the Dashboards application are in a slightly different format from the Search application. For example, in Search, you will find src_ip, while in Dashboards the field name is Src IP. The simplest way to find the field you want in Dashboards is to use the search field at the top of the Data Field pane.

    • You will not find field keywords in Dashboards.

    • Remember that you need to convert field names used in a Data Lake visualization into field names that comply with the common information model used in Exabeam Security Operations Platform. For mapping information, see Map Entities to the Common Information Model.

    • If you selected the Event model type, in Step 6, to start your visualization in Dashboards, the Approx Log Time is automatically included as a filter set for 2 days. You can change the filter but not delete it. Other model types do not include this log time filter by default, but you can add it.

  8. Select a Measure field that matches the Y-Axis field in the Data Lake visualization. Keep in mind the following about selecting a Measure in Dashboards.

    • The default set of Measure fields available in Dashboards are different from the Y-Axis fields in Data Lake.

    • You can create custom measures from a Dimension field by selecting the Count distinct or List of unique values options, as shown in the image below.

      custom-measure.png

      When one of these options is selected for a dimension, the field is added as a measure in the Custom Fields section when the the In Use tab of the Data Fields panel is displayed.

      Note

      If you create a custom measure from an integer field, additional options are available, including Minimum, Maximum, Sum, and Average.

  9. Add filters to the new Dashboard visualization, by clicking Filters on the right to expand the panel. In the Query Filters section, click Rule to add a filter condition. For more information about adding filters, see Add Dashboard Filters in the Dashboards Guide.

    Keep in mind the following about adding filters to the Dashboard visualization.

    • You can add multiple conditions by adding rules to a filter and joining them with AND or OR relationships.

    • Click Group to add an additional set of rules and join the new group to the first group with an AND or OR relationship.

    • When filters are defined, they also show up in the list of Filters on the In Use tab of the Data Fields panel on the left.

    • Remember that you need to convert field names used in a Data Lake visualization into field names that comply with the common information model used in Exabeam Security Operations Platform. For mapping information, see Map Entities to the Common Information Model.

    • If you selected the Event model type, in Step 6, to start your visualization in Dashboards, the Approx Log Time is automatically included as a filter set for 2 days. You can change the filter but not delete it. Other model types do not include this log time filter by default, but you can add it.

    • To add filtering on a context table, click Context Filter to expand the Context Filters panel. You can add one context filter to the end of the filter panel and it must be connected by an AND relationship to the other filters.

      Tip

      Before you try to add a context filter to a visualization, make sure you've imported the Data Lake context table you want to use into the Context Collectors application. For information on this procedure, see Migrate Context Tables.

      To define the context filter, enter the following information:

      • Context Field – A field that is assigned as the key attribute in a Context Collector.

      • Operator – Select the appropriate option depending on whether you want to search for data that is or is not present in the Context Collector.

      • Context Table – Select the name of the Context Collector that you want to include in the visualization filter.

  10. When you are satisfied with the Dimensions, Measures, and Filters, click Run to generate the data for the dashboard visualization. The returned data is displayed on the Data tab.

  11. Click the Chart tab and select an appropriate chart option.

    Note

    You will not be able to add the visualization without selecting a chart option.

  12. Click Add to add the new visualization to the dashboard.

  13. Click Save to save the changes to the dashboard.

  14. To add additional visualizations to the dashboard, click Add Tile and repeat the procedure from Step 1.

  15. To generate a report in Dashboards, open a specific dashboard and click the options icon (icon-search-options.png) in the top right corner. Select Schedule Delivery. You can schedule a PDF or CSV snapshot of the dashboard to be emailed at a specific interval. For information about this procedure, see Create a Scheduled Delivery in the Dashboards Guide.