Custom Widgets - Walkthrough Examples
Written by Ali Murtaza

This is the second part of a two-part guide. The first part gives an in-depth overview of Custom Widgets and their components; this part works through example scenarios so that you can create new custom widgets efficiently.

Example #1: Incidents Breakdown by Dispositions

This example will demonstrate how you can create a widget to show the breakdown of incidents (count) by dispositions using a Pie chart.

Steps

To create a new custom dashboard widget, complete the following steps:

  1. From the Widget Type list, select the Pie chart icon.

  2. Enter the title/name of the widget in the Name field (e.g. Incident Disposition Counts).

  3. Next, from the Data Source(s) list, search and select the data source from which you wish to fetch the data. In this example, we will select the incident_disposition_count source, as it contains the count of records from the Incident Management module based on disposition: a new entry is made to this data source whenever the disposition of a record in the Incident Management module is changed. This source is used to get the count of records per disposition as well as the time spent in each disposition.

  4. From the Data Collector(s) list, search and select one or more fields that must be displayed on the widget. In this example, we will select incident_disposition_count.id and incident_disposition_count.disposition_name.

  5. Since we want to count the entries of each disposition, under Functions select the COUNT function on Field incident_disposition_count.id.

  6. Use Clauses to perform a selective search using the WHERE clause and group records together to get counts for each disposition separately using the GROUP BY clause:

  7. In the WHERE clause add the following two conditions:

    1. Select = operator on incident_disposition_count.previous_status and set the value to 0 (zero). 0 value means it will fetch only the first entry of each record.

    2. Select the IN operator on incident_disposition_count.disposition_name to define multiple disposition values (‘Alert’, ‘Investigation’, ‘Incident’).

  8. Group by - Select incident_disposition_count.disposition_name to group the result and get counts for each disposition.

  9. Click the Render button to see the sample output of the widget.

  10. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  11. Once saved, the new widget will appear in your main widgets list.
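For reference, the SQL that steps 3 to 8 correspond to is written out below. This is an added example for this page, not the query the widget builder generates: the table layout, column types and sample rows are constructed for illustration, and the MySQL dialect is assumed from the function names the builder exposes (DATE_FORMAT, DATEDIFF).

```sql
-- Constructed sample table standing in for the incident_disposition_count
-- data source (column names from the walkthrough; types are assumed).
CREATE TABLE incident_disposition_count (
  id               INT PRIMARY KEY,
  ticket_id        INT NOT NULL,
  disposition_name VARCHAR(64) NOT NULL,
  previous_status  INT NOT NULL   -- 0 marks the first entry written for a record
);

-- Constructed rows: ticket 101 moved Alert -> Investigation -> Incident,
-- so it has three rows, but only the first carries previous_status = 0.
INSERT INTO incident_disposition_count VALUES
  (1, 101, 'Alert',          0),
  (2, 101, 'Investigation',  1),
  (3, 101, 'Incident',       2),
  (4, 102, 'Alert',          0),
  (5, 103, 'Investigation',  0),
  (6, 104, 'False Positive', 0);   -- not in the IN list, so excluded

-- Widget query: COUNT on id (step 5), the two WHERE conditions (step 7),
-- GROUP BY disposition (step 8). Each result row becomes one pie slice.
SELECT disposition_name,
       COUNT(id) AS incident_count
FROM   incident_disposition_count
WHERE  previous_status = 0                                   -- first entry per record only
  AND  disposition_name IN ('Alert', 'Investigation', 'Incident')
GROUP  BY disposition_name;
```

When validating at Render, compare the sum of the slices against the same query without the IN condition: a disposition label that is missing from the list, or that was renamed in the module, disappears from the chart silently rather than producing an error.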

Example #2: Investigations Trend

This example will demonstrate how you can create a widget to show the Investigations Trend (count over time) using a Line chart.

Steps

To create a new custom dashboard widget, complete the following steps:

  1. From the Widget Type list, select the Line chart icon.

  2. Enter the title/name of the widget in the Name field (e.g. Investigations Trend).

  3. From the Data Source(s) list, search and select the source from which you wish to fetch the data. In this example, we will select incident_tickets and incident_category.

  4. From the Data Collector(s) list, search and select one or more fields that must be displayed on the widget. In this example we will select incident_tickets.category_id, incident_category.name, and incident_tickets.created_at.

  5. Since we want to fetch the count based on Investigation categories over a period of time, under Functions select the COUNT function on Field incident_tickets.category_id and DATE_FORMAT(Year) function on Field incident_tickets.created_at.

  6. Use Clauses to perform a selective search. Select WHERE, GROUP BY, INNER JOIN, and ORDER BY.

  7. WHERE: Select the = operator on incident_tickets.disposition_id and set the value to 3. 3 is the unique ID of the Investigation disposition, so selecting 3 fetches only Investigation records.

  8. INNER JOIN: This compares each row of Table #1 (incident_tickets.category_id) with each row of Table #2 (incident_category.id) to find all pairs of rows that are associated and satisfy the JOIN predicate. For each matched pair, the column values of the selected rows are combined into one resulting row.

  9. GROUP BY: Select DATE_FORMAT(Year) = incident_tickets.created_at and incident_category.id to group the result and get counts for each category and for each year.

  10. ORDER BY: Select incident_tickets.created_at to sort the results based on the date in Ascending order.

  11. Click the Render button to see the sample output of the widget.

  12. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  13. Once saved, the new widget will appear in your main widgets list.
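The trend query that steps 3 to 10 describe, written out as SQL. This is an added example for this page, not the builder's generated query; the tables, column types and rows are constructed, the MySQL dialect is assumed, and disposition_id = 3 is taken from step 7 of the walkthrough.

```sql
-- Constructed sample tables standing in for the incident_tickets and
-- incident_category data sources (column names from the walkthrough;
-- types, category rows and ticket rows are assumed).
CREATE TABLE incident_category (
  id   INT PRIMARY KEY,
  name VARCHAR(64) NOT NULL
);

CREATE TABLE incident_tickets (
  id             INT PRIMARY KEY,
  category_id    INT NOT NULL,
  disposition_id INT NOT NULL,      -- 3 = Investigation, per step 7
  created_at     DATETIME NOT NULL
);

INSERT INTO incident_category VALUES (1, 'Phishing'), (2, 'Malware');

INSERT INTO incident_tickets VALUES
  (1, 1, 3, '2022-03-01 09:00:00'),
  (2, 1, 3, '2022-11-15 14:30:00'),
  (3, 2, 3, '2022-06-20 08:15:00'),
  (4, 1, 3, '2023-01-05 10:00:00'),
  (5, 2, 1, '2023-02-10 11:00:00');   -- disposition 1, removed by the WHERE clause

-- Widget query: one row per (year, category) pair. The line chart plots
-- incident_count over report_year, one series per category.
SELECT DATE_FORMAT(t.created_at, '%Y') AS report_year,   -- DATE_FORMAT(Year), step 5
       c.name                          AS category,
       COUNT(t.category_id)            AS incident_count  -- COUNT, step 5
FROM   incident_tickets AS t
       INNER JOIN incident_category AS c
               ON c.id = t.category_id                   -- INNER JOIN, step 8
WHERE  t.disposition_id = 3                              -- Investigation only, step 7
GROUP  BY report_year, c.id, c.name                      -- GROUP BY, step 9
ORDER  BY report_year ASC, c.name;                       -- ORDER BY, step 10
```

Step 10 orders by incident_tickets.created_at itself. Under MySQL's default ONLY_FULL_GROUP_BY mode that column is neither grouped nor aggregated and the query is rejected, so the example orders by the year expression instead (MIN(t.created_at) would also work); both give the same ascending order of years.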

Example #3: Threat Intel Breakdown By Category

This example will demonstrate how you can create a widget to show the Threat Intel breakdown by Categories using a Column chart.

Steps

To create a new custom dashboard widget, complete the following steps:

  1. From the Widget Type list, select the Column chart icon.

  2. Enter the title/name of the widget in the Name field (e.g. Threat Intel Breakdown By Category).

  3. From the Data Source(s) list, search and select the source from which you wish to fetch the data. In this example, we will select advisory and advisory_category.

  4. From the Data Collector(s) list, search and select one or more fields that must be displayed on the widget. In this example, we will select advisory.category_id and advisory_category.name.

  5. Since we want to count the entries of each category, under Functions select the COUNT function on Field advisory.category_id.

  6. Use Clauses to perform a selective search using WHERE, INNER JOIN, and GROUP BY clauses:

  7. WHERE: Select = operator on advisory.status and set the field to release. “release” is a Threat Intel status which signifies that a certain Threat Intel pertains to and is relevant to the organization (as opposed to “pending” status which is every threat intel received from an external source, irrespective of its applicability to the organizational environment).

  8. Inner Join: This compares each row of Table #1 with each row of Table #2 to find all pairs of rows that are associated and satisfy the JOIN predicate. For each matched pair, the column values of the selected rows are combined into one resulting row.

  9. Group by: Select advisory.category_id to group the result and get counts for each unique category.

  10. Click the Render button to see the sample output of the widget.

  11. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  12. Once saved, the new widget will appear in your main widgets list.
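The join described in steps 7 to 9 as SQL, followed by a variant that shows the one behaviour of INNER JOIN worth knowing when you read the chart: a category with no released advisory produces no bar at all. Both queries are added examples for this page, not the builder's output; tables, types and rows are constructed, and the MySQL dialect is assumed.

```sql
-- Constructed sample tables standing in for the advisory and
-- advisory_category data sources (column names from the walkthrough;
-- types and rows are assumed).
CREATE TABLE advisory_category (
  id   INT PRIMARY KEY,
  name VARCHAR(64) NOT NULL
);

CREATE TABLE advisory (
  id          INT PRIMARY KEY,
  category_id INT NOT NULL,
  status      VARCHAR(16) NOT NULL    -- 'release' or 'pending', per step 7
);

INSERT INTO advisory_category VALUES
  (1, 'Vulnerability'), (2, 'Malware'), (3, 'Fraud');

INSERT INTO advisory VALUES
  (1, 1, 'release'),
  (2, 1, 'release'),
  (3, 2, 'release'),
  (4, 2, 'pending'),     -- not yet relevant to the organization; filtered out
  (5, 3, 'pending');     -- 'Fraud' has no released advisory at all

-- Widget query as described in steps 5 to 9: COUNT on advisory.category_id,
-- INNER JOIN to the category table, released advisories only, one row per
-- category. 'Fraud' yields no row, because INNER JOIN keeps only categories
-- that have at least one matching advisory row after the WHERE filter.
SELECT c.name               AS category,
       COUNT(a.category_id) AS released_count
FROM   advisory AS a
       INNER JOIN advisory_category AS c
               ON c.id = a.category_id
WHERE  a.status = 'release'
GROUP  BY a.category_id, c.name;

-- Variant (added here, not part of the walkthrough): drive the query from the
-- category table with a LEFT JOIN and move the status test into the ON clause,
-- so categories with zero released advisories appear as 0 bars instead of
-- vanishing from the chart.
SELECT c.name      AS category,
       COUNT(a.id) AS released_count    -- COUNT(column) ignores the NULLs of unmatched rows
FROM   advisory_category AS c
       LEFT JOIN advisory AS a
              ON a.category_id = c.id
             AND a.status = 'release'
GROUP  BY c.id, c.name;
```

Keeping the status condition in the ON clause matters for the variant: placed in a WHERE clause it would remove the unmatched category rows again and the LEFT JOIN would behave like the INNER JOIN above.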

Example #4: Playbooks Breakdown by Status

This example will demonstrate how you can create a widget to show the total count of playbooks broken down by their status (enable or disable) using a Bar chart.

Steps

To create a new custom dashboard widget, complete the following steps:

  1. From the Widget Type list, select the Bar chart icon.

  2. Enter the title/name of the widget in the Name field (e.g. Total Playbooks).

  3. From the Data Source(s) list, search and select the source from which you wish to fetch the data. In this example, we will select playbooks.

  4. From the Data Collector(s) list, search and select one or more fields that must be displayed on the widget. In this example, we will select playbooks.id and playbooks.status.

  5. Since we want to get the count of playbooks, under Functions we will select the COUNT function on Field playbooks.id.

  6. Use Clauses to perform a selective search using the WHERE clause and group records together to get the counts for each status separately using the GROUP BY clause:

  7. Where: Select the != operator on playbooks.status and set the value to an empty string (""). This means we only count playbooks for which a status is set.

  8. Group by: Select playbooks.status to group the results (counts) based on playbook status.

  9. Click the Render button to see the sample output of the widget.

  10. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  11. Once saved, the new widget will appear in your main widgets list.
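The query behind steps 5 to 8 as SQL, together with a variant for the case the != "" condition quietly hides: playbooks whose status is NULL rather than an empty string. Both are added examples for this page, not the builder's output; the table, its nullable status column and the rows are constructed, and the MySQL dialect is assumed.

```sql
-- Constructed sample table standing in for the playbooks data source
-- (column names from the walkthrough; types and rows are assumed).
CREATE TABLE playbooks (
  id     INT PRIMARY KEY,
  status VARCHAR(16)            -- nullable on purpose, to show the edge case below
);

INSERT INTO playbooks VALUES
  (1, 'enable'),
  (2, 'enable'),
  (3, 'disable'),
  (4, ''),        -- status never set: excluded by != ''
  (5, NULL);      -- status NULL: also excluded, because NULL != '' evaluates to unknown, not true

-- Widget query as described in steps 5 to 8: one bar per status value.
SELECT status,
       COUNT(id) AS playbook_count
FROM   playbooks
WHERE  status != ''
GROUP  BY status;

-- Variant (added here, not part of the walkthrough): if you would rather see
-- how many playbooks carry no status than drop them silently, bucket empty
-- and NULL values into an explicit 'unset' bar so every row is accounted for.
SELECT CASE WHEN status IS NULL OR status = '' THEN 'unset' ELSE status END AS status_bucket,
       COUNT(id) AS playbook_count
FROM   playbooks
GROUP  BY status_bucket;
```

The first query returns two bars (enable, disable) whose counts add up to three, not five; the second returns a third bar, unset, so the bar totals match the table size. Which one you want depends on whether unset status is noise or a finding in your environment.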

Example #5: Top IP Addresses

This example will demonstrate how you can create a widget to show the Top IP Addresses (Destination IP and Source IP) across all modules using a Doughnut chart.

Steps

  1. From the Widget Type list, select the Doughnut chart icon.

  2. Enter the title/name of the widget in the Name field (e.g. Top IP Addresses).

  3. Next, from the Data Source(s) list, search and select the data source from which you wish to fetch the data. In this example, we will select the artifacts source, as it contains the artifact data from all modules, including incident management, threat intel, and cases.

  4. From the Data Collector(s) list, search and select one or more fields that must be displayed on the widget. In this example, we will select artifacts.value and artifacts.occurrence.

  5. Use Clauses to perform a selective search using the WHERE clause and sort the records to get the top IP addresses using the ORDER BY clause and apply the LIMIT clause on it as well.

  6. WHERE: Select IN operator on artifacts.type to define multiple values of IP addresses (‘Destination IP’, ‘Source IP’).

  7. Order By: Select artifacts.occurrence to sort the result in descending order and get counts for each destination IP and source IP address.

  8. Limit: Select 5 to return at most 5 IP address records.

  9. Click the Render button to see the sample output of the widget.

  10. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  11. Once saved, the new widget will appear in your main widgets list.
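The top-N query behind steps 4 to 8 as SQL, plus a variant that ranks addresses rather than artifact rows. Both are added examples for this page, not the builder's output; the table, types and rows are constructed (the addresses are from documentation ranges, not observed traffic), and the MySQL dialect is assumed.

```sql
-- Constructed sample table standing in for the artifacts data source
-- (column names from the walkthrough; types and rows are assumed).
CREATE TABLE artifacts (
  id         INT PRIMARY KEY,
  type       VARCHAR(32)  NOT NULL,   -- e.g. 'Source IP', 'Destination IP', 'Domain'
  value      VARCHAR(255) NOT NULL,
  occurrence INT          NOT NULL    -- number of records the artifact appears in
);

INSERT INTO artifacts VALUES
  (1, 'Source IP',      '198.51.100.10', 42),
  (2, 'Destination IP', '203.0.113.5',   37),
  (3, 'Destination IP', '198.51.100.10', 12),   -- same address as row 1, other direction
  (4, 'Source IP',      '192.0.2.77',     9),
  (5, 'Source IP',      '203.0.113.9',    8),
  (6, 'Destination IP', '192.0.2.201',    6),
  (7, 'Domain',         'example.com',   99);   -- not an IP type, filtered out

-- Widget query as described in steps 4 to 8: the five highest-occurrence
-- IP artifact rows, one doughnut segment each.
SELECT value, occurrence
FROM   artifacts
WHERE  type IN ('Destination IP', 'Source IP')   -- WHERE, step 6
ORDER  BY occurrence DESC                         -- ORDER BY, step 7
LIMIT  5;                                         -- LIMIT, step 8

-- Variant (added here, not part of the walkthrough): the query above ranks
-- artifact rows, so an address seen as both source and destination occupies
-- two segments. To rank addresses, aggregate across the two types first.
SELECT value,
       SUM(occurrence) AS total_occurrence
FROM   artifacts
WHERE  type IN ('Destination IP', 'Source IP')
GROUP  BY value
ORDER  BY total_occurrence DESC
LIMIT  5;
```

In the constructed data, 198.51.100.10 appears twice in the first result (42 and 12) and once in the second (54); when a dashboard reader will interpret a segment as "one host", the aggregated form avoids that double counting.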

Example #6: Total Incidents – All Statuses

This example will demonstrate how you can create a widget to show Total Incidents – All Statuses, broken down by severity, using a Table chart.

Steps

To set up a custom dashboard widget, complete the following steps:

  1. From the Widget Type list, select the Table chart icon.

  2. Enter the title/name of the widget in the Name field (e.g. Total Incidents – All Statuses).

  3. From the Data Source(s) list, search and select the source from which you wish to fetch the data. In this example, we will select incident_tickets only.

  4. From the Data Collector(s) list, search and select one or more fields that must be displayed on the widget. In this example, we will select incident_tickets.id, incident_tickets.ticket_status, and incident_tickets.attack_severity.

  5. Since we want to count the entries of incident tickets, under Functions select the COUNT function on the field incident_tickets.id.

  6. Use Clauses to perform a selective search using the WHERE clause and group records together to get the counts for each severity using the GROUP BY clause and apply the ORDER BY clause on it as well:

  7. In the WHERE clause add the following two conditions:

    1. Select the = operator on incident_tickets.disposition_id and set the value to 1. A value of 1 fetches only records with the Incident disposition.

    2. Select the != operator on incident_tickets.ticket_status and set the value to Deferred. This fetches only records whose status is not Deferred.

  8. GROUP BY: Select incident_tickets.attack_severity and incident_tickets.ticket_status to group the result and get severity counts for the incident disposition, per status.

  9. ORDER BY: Select incident_tickets.ticket_status to sort the result in ASCENDING order.

  10. Click the Render button to see the sample output of the widget.

  11. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  12. Once saved, the new widget will appear in your main widgets list.

Example #7: Open Incidents - 30+ Days

This example will demonstrate how you can create a widget to show Total Incidents (Open/Close), broken down by severity, using a Table chart.

Steps

To set up a custom dashboard widget, complete the following steps:

  1. From the Widget Type list, select the Table chart icon.

  2. Enter the title/name of the widget in the Name field (e.g. Open Incidents - 30+ Days).

  3. Next, from the Data Source(s) list, search and select the “Data source” from which you wish to fetch the data. In this example, we will select incident_tickets source as it contains the records of the incident management module.

  4. From the Data Collector(s) list, search and select one or more fields that must be displayed on the widget. In this example, we will select incident_tickets.ticket_status and incident_tickets.attack_severity.

  5. Since we want to sum the entries of the incident disposition for open status only, under Functions select the SUM function on Field incident_tickets.ticket_status.

  6. Use Clauses to perform a selective search using the WHERE clause, and group records together to get severity counts for open dispositions using the GROUP BY clause:

  7. In the WHERE clause add the following three conditions:

    1. Select the = operator on incident_tickets.disposition_id and set the value to 1. A value of 1 fetches only records with the Incident disposition.

    2. Select DATEDIFF > on incident_tickets.start_date and set the value to 30. DATEDIFF > 30 fetches only incidents created more than 30 days ago.

    3. Select the IN operator on incident_tickets.attack_severity to define multiple severity values (‘Critical’, ‘High’, ‘Medium’, ‘Low’).

  8. GROUP BY: Select incident_tickets.attack_severity to group the result and get the severity for open incidents.

  9. Click the Render button to see the sample output of the widget.

  10. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  11. Once saved, the new widget will appear in your main widgets list.
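Examples 6 and 7 both read the incident_tickets source with a disposition filter, so one constructed table serves both queries below. These are added examples for this page, not the builder's output: column types and rows are constructed, the MySQL dialect is assumed, disposition_id = 1 and the status and severity labels are taken from the two walkthroughs, and the severity ordering at the end is the editor's addition. For Example 7 the per-severity count is taken with COUNT(*); step 5 of that walkthrough names SUM on ticket_status, and a SUM over a text column does not yield a row count.

```sql
-- Constructed sample table standing in for the incident_tickets data source,
-- with just the columns Examples 6 and 7 use (names from the walkthroughs;
-- types and rows are assumed). start_date is set relative to now so the
-- 30-day condition behaves the same whenever the script is run.
CREATE TABLE incident_tickets (
  id              INT PRIMARY KEY,
  disposition_id  INT NOT NULL,          -- 1 = Incident, per step 7 of both examples
  ticket_status   VARCHAR(32) NOT NULL,
  attack_severity VARCHAR(16) NOT NULL,
  start_date      DATETIME NOT NULL
);

INSERT INTO incident_tickets VALUES
  (1, 1, 'Open',     'Critical', DATE_SUB(NOW(), INTERVAL 45 DAY)),
  (2, 1, 'Open',     'High',     DATE_SUB(NOW(), INTERVAL 10 DAY)),
  (3, 1, 'Closed',   'High',     DATE_SUB(NOW(), INTERVAL 60 DAY)),
  (4, 1, 'Deferred', 'Medium',   DATE_SUB(NOW(), INTERVAL 90 DAY)),  -- excluded by Example 6
  (5, 3, 'Open',     'Low',      DATE_SUB(NOW(), INTERVAL 40 DAY));  -- disposition 3, excluded by both

-- Example 6 (Total Incidents - All Statuses): one table row per
-- (severity, status) pair, steps 5 to 9 of that walkthrough.
SELECT attack_severity,
       ticket_status,
       COUNT(id) AS incident_count
FROM   incident_tickets
WHERE  disposition_id = 1                         -- Incident disposition only
  AND  ticket_status != 'Deferred'
GROUP  BY attack_severity, ticket_status
ORDER  BY ticket_status ASC;

-- Example 7 (Open Incidents - 30+ Days): incidents whose start_date lies
-- more than 30 days in the past, counted per severity (steps 6 to 8).
SELECT attack_severity,
       COUNT(*) AS aged_incident_count
FROM   incident_tickets
WHERE  disposition_id = 1
  AND  DATEDIFF(CURDATE(), start_date) > 30       -- DATEDIFF > 30, step 7.2
  AND  attack_severity IN ('Critical', 'High', 'Medium', 'Low')
GROUP  BY attack_severity
-- FIELD() sorts by severity rank instead of alphabetically (added here; the
-- walkthrough specifies no ORDER BY for this widget).
ORDER  BY FIELD(attack_severity, 'Critical', 'High', 'Medium', 'Low');
```

Note that the three conditions listed for Example 7 do not constrain ticket_status, so closed incidents older than 30 days are counted as well (row 3 in the constructed data). If the widget is meant to show open items only, add a fourth WHERE condition on incident_tickets.ticket_status with whatever label your deployment uses for open tickets.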

Example #8: Text Widget

This example will demonstrate how you can create a widget that displays free text on the dashboard using the Text widget type.

Steps

To create a new custom dashboard widget, complete the following steps:

  1. From the Widget Type icons, select the Text type.

  2. Enter the title/name of the widget in the Name field (e.g. Description of Threat Intelligence).

  3. In the Widget Text description area, enter the text to display. Text widgets are useful for titles, or for adding more descriptive explanations to your dashboard and the visualizations around them.

  4. Click the Render button to see the sample output of the widget.

  5. After validating the results, use the two buttons at the top right corner, Save Changes and Save as Draft, to save the widget or save it as a draft respectively.

  6. Once saved, the new widget will appear in your main widgets list.
