Kaspersky Unified Monitoring and Analysis Platform

Analytics

KUMA provides extensive analytics on the data available to the program from the following sources:

  • Events in storage
  • Alerts
  • Assets
  • Accounts imported from Active Directory
  • Data from collectors on the number of processed events
  • Metrics

You can configure and receive analytics in the Dashboard, Reports, and Source status sections of the KUMA web interface. Analytics are built by using only the data from tenants that the user can access.

Displayed date format:

  • English localization: YYYY-MM-DD.
  • Russian localization: DD.MM.YYYY.

In this Help topic

Dashboard

Reports

Source status

Widgets

Dashboard

In KUMA, you can configure the Dashboard to display the most recent information (or analytics) about KUMA processes. Analytics are generated using widgets, which are specialized tools that can display specific types of information. If a widget displays data on events, alerts, incidents, or active lists, you can click its header to open the corresponding section of the KUMA web interface with an active filter and/or search query that is used to display data from the widget.

The collections of widgets are called layouts. Administrators and analysts can create, edit, and delete layouts. You can also assign any layout as the default layout so that it is displayed when you open the Dashboard section.

The information in the Dashboard section is updated regularly as per the layout configuration, but you can force an update by clicking the Update button at the top of the window. The time of the last update is displayed near the window title.

The data displayed on the dashboard depends on the tenants that you can access.

For convenient presentation of analytical data, you can enable TV mode. This lets you hide the left pane containing sections of the KUMA interface and switch to full-screen mode in Full HD resolution. In TV mode, you can also configure a slide show display for the selected layouts.

In this section

Creating a dashboard layout

Selecting a dashboard layout

Selecting a dashboard layout as the default

Editing a dashboard layout

Deleting a dashboard layout

Preconfigured widgets

Enabling and disabling TV mode

Creating a dashboard layout

To create a layout:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Open the drop-down list in the top right corner of the Dashboard window and select Create layout.

    The New layout window opens.

  3. In the Tenants drop-down list, select the tenants that will own the layout being created.
  4. In the Time period drop-down list, select the time period from which you require analytics:
    • 1 hour
    • 1 day (this value is selected by default)
    • 7 days
    • 30 days
    • In period—receive analytics for the custom time period. The time period is set using the calendar that is displayed when this option is selected.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  5. In the Refresh every drop-down list, select how often data should be updated in layout widgets:
    • 1 minute
    • 5 minutes
    • 15 minutes
    • 1 hour (this value is selected by default)
    • 24 hours
  6. In the Add widget drop-down list, select the required widget and configure its settings.

    You can add multiple widgets to the layout.

    You can also drag widgets around the window and resize them using the Resize button that appears when you hover the mouse over a widget.

    You can edit or delete widgets added to the layout by clicking the gear icon and selecting Edit to change their configuration or Delete to delete them from the layout.

    • Adding widgets

      To add a widget:

      1. Click the Add widget drop-down list and select the required widget.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      2. Configure the widget parameters and click the Add button.
    • Editing a widget

      To edit a widget:

      1. Hover the mouse over the required widget and click the gear icon that appears.
      2. In the drop-down list, select Edit.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      3. Update the widget parameters and click the Save button.
  7. In the Layout name field, enter a unique name for this layout. The name must contain from 1 to 128 Unicode characters.
  8. Click Save.

The new layout is created and is displayed in the Dashboard section of the KUMA web interface.

Selecting a dashboard layout

To select a layout:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Open the drop-down list in the top right corner of the Dashboard window and select the required layout.

The selected layout is displayed in the Dashboard section of the KUMA web interface.

Selecting a dashboard layout as the default

To set a dashboard layout as the default:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Open the drop-down list in the top right corner of the Dashboard window and hover the mouse over the required layout.
  3. Click the star icon.

The selected layout becomes the default layout.

Editing a dashboard layout

To edit a layout:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Open the drop-down list in the top right corner of the Dashboard window and hover the mouse over the required layout.
  3. Click the edit icon.

    The Customizing layout window opens.

  4. Make the necessary changes. The settings that are available for editing are the same as the settings available when creating a layout.
  5. Click Save.

The layout is updated and is displayed in the Dashboard section of the KUMA web interface.

If the layout was deleted or assigned to a different tenant while you were making changes to it, an error will be displayed when you click Save. In this case, the layout will not be saved. Reload the page in your web browser to view the list of available layouts in the drop-down list in the upper-right corner.

Deleting a dashboard layout

To delete a layout:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Open the drop-down list in the top right corner of the Dashboard window and hover the mouse over the required layout.
  3. Click the delete icon and confirm this action.

The layout is deleted.

Preconfigured widgets

KUMA comes with a set of preconfigured layouts with widgets:

  • Alerts Overview layout (Alert overview):
    • Active Alerts
    • Unassigned Alerts
    • Latest Alerts
    • Alerts distribution
    • Alerts by Priority
    • Alerts by Assignee
    • Alerts by Status
    • Affected users in alerts
    • Affected Assets
    • Affected Assets Categories
    • Top event source by alerts number
    • Alerts count by rule
  • Incidents Overview layout (Incidents overview):
    • Active incidents
    • Unassigned Incidents
    • Latest Incidents
    • Incidents distribution
    • Incidents by Priority
    • Incidents by assignee
    • Incidents by Status
    • Affected Assets in Incidents
    • Affected Users in Incidents
    • Affected Assets Categories in Incidents
    • Incidents by Tenant
  • Network Overview layout (Network activity overview):
    • Netflow top internal IPs
    • Netflow top external IPs
    • Netflow top hosts for remote control — requests to ports 3389, 22, 135 are monitored.
    • Netflow total bytes by internal ports
    • Top Log Sources by Events count

Enabling and disabling TV mode

It is recommended to create a separate user with the minimum required set of rights to display analytics in TV mode.

To enable TV mode:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Click the gear button in the upper-right corner.

    The Settings window opens.

  3. Move the TV mode toggle switch to the Enabled position.
  4. If you want to configure the slideshow display of widgets, do the following:
    1. Move the Slideshow toggle switch to the Enabled position.
    2. In the Timeout field, indicate how many seconds to wait before switching widgets. If the value 00:00 is selected, widgets will not switch.
    3. In the Queue drop-down list, select the widgets to view.
    4. If necessary, change the order in which the widgets are displayed by using the drag icon to drag and drop them in the necessary order.
  5. Click the Save button.

TV mode will be enabled. To return to working with the KUMA web interface, disable TV mode.

To disable TV mode:

  1. Open the KUMA web interface and select the Dashboard section.
  2. Click the gear button in the upper-right corner.

    The Settings window opens.

  3. Move the TV mode toggle switch to the Disabled position.
  4. Click the Save button.

TV mode will be disabled. The left part of the screen shows a pane containing sections of the KUMA web interface.

Reports

You can configure KUMA to regularly generate reports about KUMA processes.

Reports are generated using report templates that are created and stored on the Templates tab of the Reports section.

Generated reports are stored on the Generated reports tab of the Reports section.

In this section

Report template

Generated reports

Report template

Report templates are used to specify the analytical data to include in the report, and to configure how often reports must be generated. Administrators and analysts can create, edit, and delete report templates. Reports that were generated using report templates are displayed in the Generated reports tab.

Report templates are available on the Templates tab of the Reports section, where the table of existing templates is displayed. The table has the following columns:

  • Name—the name of the report template.

    You can sort the table by this column by clicking the title and selecting Ascending or Descending.

    You can also search report templates by using the Search field that opens when you click the Name column title.

  • Schedule—the rate at which reports must be generated using the template. If the report schedule was not configured, the disabled value is displayed.
  • Created by—the name of the user who created the report template.
  • Updated—the date when the report template was last updated.

    You can sort the table by this column by clicking the title and selecting Ascending or Descending.

  • Last report—the date and time when the last report was generated based on the report template.
  • Send by email—the check mark is displayed in this column for the report templates that notify users about generated reports via email notifications.
  • Tenant—the name of the tenant that owns the report template.

You can configure the set of table columns and their order, as well as change the data sorting:

  • You can enable or disable the display of columns in the menu that opens when you click the gear icon.
  • You can change the order of columns by dragging the column headers.
  • If a table column header is green, you can click it to sort the table based on that column's data.

You can click the name of the report template to open the drop-down list with available commands:

  • Run report—use this option to generate a report immediately. The generated reports are displayed in the Generated reports tab.
  • Edit schedule—use this command to configure the schedule for generating reports and to define users that must receive email notifications about generated reports.
  • Edit report template—use this command to configure widgets and the time period for extracting analytics.
  • Duplicate report template—use this command to create a copy of the existing report template.
  • Delete report template—use this command to delete the report template.

In this section

Creating report template

Configuring report schedule

Editing report template

Copying report template

Deleting report template

Creating report template

To create a report template:

  1. Open the KUMA web interface and select Reports → Templates.
  2. Click the New template button.

    The New report template window opens.

  3. In the Tenants drop-down list, select one or more tenants that will own the report template being created.
  4. In the Time period drop-down list, select the time period from which you require analytics:
    • This day (this value is selected by default)
    • This week
    • This month
    • In period—receive analytics for the custom time period.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

    • Custom—receive analytics for the last N days/weeks/months/years.
  5. In the Retention field, specify how long you want to store reports that are generated according to this template.
  6. In the Template name field, enter a unique name for the report template. The name must contain from 1 to 128 Unicode characters.
  7. In the Add widget drop-down list, select the required widget and configure its settings.

    You can add multiple widgets to the report template.

    You can also drag widgets around the window and resize them using the Resize button that appears when you hover the mouse over a widget.

    You can edit or delete widgets added to the report template by hovering the mouse over them, clicking the gear icon that appears, and selecting Edit to change their configuration or Delete to delete them from the template.

    • Adding widgets

      To add a widget:

      1. Click the Add widget drop-down list and select the required widget.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      2. Configure the widget parameters and click the Add button.
    • Editing a widget

      To edit a widget:

      1. Hover the mouse over the required widget and click the gear icon that appears.
      2. In the drop-down list, select Edit.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      3. Update the widget parameters and click the Save button.
  8. You can change the logo in the report template by clicking the Upload logo button.

    When you click the Upload logo button, the Upload window opens where you can specify the image file for the logo. The image must be a .jpg, .png, or .gif file no larger than 3 MB.

    The added logo is displayed in the report instead of the KUMA logo.

  9. Click Save.

The new report template is created and is displayed on the Reports → Templates tab of the KUMA web interface. You can run this report manually. If you want the reports to be generated automatically, you must configure the schedule for that.

Configuring report schedule

To configure a report schedule:

  1. Open the KUMA web interface and select Reports → Templates.
  2. In the report templates table, click the name of an existing report template and select Edit schedule in the drop-down list.

    The Report settings window opens.

  3. If you want the report to be generated regularly:
    1. Turn on the Schedule toggle switch.

      In the Recur every group of settings, define how often the report must be generated.

      You can specify the frequency of generating reports by days, weeks, months, or years. Depending on the selected period, you should specify the time, day of the week, day of the month or the date of the report generation.

    2. In the Time field, enter the time when the report must be generated. You can enter the value manually or using the clock icon.
  4. If necessary, in the Send to drop-down list, select the KUMA users who should receive the link to the generated reports by email.

    You should configure an SMTP connection so that generated reports can be forwarded by email.

  5. Click Save.

The report schedule is configured.

Editing report template

To edit a report template:

  1. Open the KUMA web interface and select Reports → Templates.
  2. In the report templates table, click the name of the report template and select Edit report template in the drop-down list.

    The Edit report template window opens.

    You can also open this window on the Reports → Generated reports tab by clicking the name of a generated report and selecting Edit report template in the drop-down list.

  3. Make the necessary changes:
    • Change the list of tenants that own the report template.
    • Update the time period from which you require analytics.
    • Add widgets

      To add a widget:

      1. Click the Add widget drop-down list and select the required widget.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      2. Configure the widget parameters and click the Add button.
    • Change widget positions by dragging them.
    • Resize widgets using the Resize button that appears when you hover the mouse over a widget.
    • Edit widgets

      To edit a widget:

      1. Hover the mouse over the required widget and click the gear icon that appears.
      2. In the drop-down list, select Edit.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      3. Update the widget parameters and click the Save button.
    • Delete widgets by hovering the mouse over them, clicking the gear icon that appears, and selecting Delete.
    • In the field to the right of the Add widget drop-down list, enter a new name for the report template. The name must contain from 1 to 128 Unicode characters.
    • Change the report logo by uploading it using the Upload logo button. If the template already contains a logo, you must first delete it.
    • Change how long reports generated using this template must be stored.
  4. Click Save.

The report template is updated and is displayed on the Reports → Templates tab of the KUMA web interface.

Copying report template

To create a copy of a report template:

  1. Open the KUMA web interface and select Reports → Templates.
  2. In the report templates table, click the name of an existing report template, and select Duplicate report template in the drop-down list.

    The New report template window opens. The name of the new template is changed to <Report template> - copy.

  3. Make the necessary changes:
    • Change the list of tenants that own the report template.
    • Update the time period from which you require analytics.
    • Add widgets

      To add a widget:

      1. Click the Add widget drop-down list and select the required widget.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      2. Configure the widget parameters and click the Add button.
    • Change widget positions by dragging them.
    • Resize widgets using the Resize button that appears when you hover the mouse over a widget.
    • Edit widgets

      To edit a widget:

      1. Hover the mouse over the required widget and click the gear icon that appears.
      2. In the drop-down list, select Edit.

        The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

      3. Update the widget parameters and click the Save button.
    • Delete widgets by hovering the mouse over them, clicking the gear icon that appears, and selecting Delete.
    • In the field to the right of the Add widget drop-down list, enter a new name for the report template. The name must contain from 1 to 128 Unicode characters.
    • Change the report logo by uploading it using the Upload logo button. If the template already contains a logo, you must first delete it.
  4. Click Save.

The report template is created and is displayed on the Reports → Templates tab of the KUMA web interface.

Deleting report template

To delete a report template:

  1. Open the KUMA web interface and select Reports → Templates.
  2. In the report templates table, click the name of the report template, and select Delete report template in the drop-down list.

    A confirmation window opens.

  3. If you want to delete only the report template, click the Delete button.
  4. If you want to delete a report template and all the reports that were generated using that template, click the Delete with reports button.

The report template is deleted.

Generated reports

All reports are generated using report templates. Generated reports are available on the Generated reports tab of the Reports section and are displayed in the table with the following columns:

  • Name—the name of the report template.

    You can sort the table by this column by clicking the title and selecting Ascending or Descending.

  • Time period—the time period for which the report analytics were extracted.
  • Last report—date and time when the report was generated.

    You can sort the table by this column by clicking the title and selecting Ascending or Descending.

  • Tenant—name of the tenant that owns the report.

You can configure the set of table columns and their order, as well as change the data sorting:

  • You can enable or disable the display of columns in the menu that opens when you click the gear icon.
  • You can change the order of columns by dragging the column headers.
  • If a table column header is green, you can click it to sort the table based on that column's data.

You can click the name of a report to open the drop-down list with available commands:

  • Open report—use this command to open the report data window.
  • Save as HTML—use this command to save the report as an HTML file.
  • Run report—use this option to generate a report immediately. Refresh the browser window to see the newly generated report in the table.
  • Edit report template—use this command to configure widgets and the time period for extracting analytics.
  • Delete report—use this command to delete the report.

In this section

Viewing reports

Generating report

Saving report as HTML

Deleting report

Viewing reports

To open a report:

  1. Open the KUMA web interface and select Reports → Generated reports.
  2. In the report table, click the name of the generated report, and select Open report in the drop-down list.

    A new browser window opens with the widgets displaying report analytics. If a widget displays data on events, alerts, incidents, or active lists, you can click its header to open the corresponding section of the KUMA web interface with an active filter and/or search query that is used to display data from the widget.

  3. If necessary, you can save the report to an HTML file by using the Save as HTML button.

Generating reports

You can generate a report manually or configure a schedule to have it generated automatically.

To generate a report manually:

  1. Open the KUMA web interface and select Reports → Templates.
  2. In the report templates table, click a report template name and select Run report in the drop-down list.

    You can also generate a report from the Reports → Generated reports tab by clicking the name of an existing report and selecting Run report in the drop-down list.

The report is generated and is displayed on the Reports → Generated reports tab.

To generate reports automatically:

Configure the report schedule.

Saving report as HTML

To save the report as HTML:

  1. Open the KUMA web interface and select Reports → Generated reports.
  2. In the report table, click the name of a generated report, and select Save as HTML in the drop-down list.

The report is saved as an HTML file using your browser settings.

You can also save the report in HTML format when you view it.

Deleting reports

To delete a report:

  1. Open the KUMA web interface and select Reports → Generated reports.
  2. In the report table, click the name of the generated report, and in the drop-down list select Delete report.

    A confirmation window opens.

  3. Click OK.

Source status

In KUMA, you can monitor the state of the sources of data received by collectors. There can be multiple sources of events on one server, and data from multiple sources can be received by one collector. Sources of events are identified based on the following fields of events (the data in these fields is case sensitive):

  • DeviceProduct
  • DeviceAddress and/or DeviceHostName

Lists of sources are generated in collectors, merged in the KUMA Core, and displayed in the program web interface under Source status on the List of event sources tab. Data is updated every minute.

The rate and number of incoming events serve as an important indicator of the state of the observed system. You can configure monitoring policies such that changes are tracked automatically and notifications are automatically created when indicators reach specific boundary values. Monitoring policies are displayed in the KUMA web interface under Source status on the Monitoring policies tab.

When monitoring policies are triggered, monitoring events are created and include data about the source of events.

In this section

List of event sources

Monitoring policies

List of event sources

Sources of events are displayed in the table under Source status → List of event sources. One page can display up to 250 sources. You can sort the table by clicking the column header of the relevant setting. Clicking on a source of events opens an incoming data graph.

You can use the Search field to search for event sources. The search is performed using regular expressions (RE2).

If necessary, you can configure the interval for updating data in the table. Available update periods: 1 minute, 5 minutes, 15 minutes, 1 hour. The default value is No refresh. You may need to configure the update period to track changes made to the list of sources.

The following columns are available:

  • Status—status of the event source:
    • Green—events are being received within the limits of the assigned monitoring policy.
    • Red—the frequency or number of incoming events goes beyond the boundaries defined in the monitoring policy.
    • Gray—a monitoring policy has not been assigned to the source of events.

    The table can be filtered by this setting.

  • Name—name of the event source. The name is generated automatically from the following fields of events:
    • DeviceProduct
    • DeviceAddress and/or DeviceHostName
    • DeviceProcessName
    • Tenant

    You can change the name of an event source. The name can contain no more than 128 Unicode characters.

  • Host name or IP address—host name or IP address from which the events were forwarded.
  • Monitoring policy—name of the monitoring policy assigned to the event source.
  • Stream—frequency at which events are received from the event source.
  • Lower limit—lower boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Upper limit—upper boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Tenant—the tenant that owns the events received from the event source.

If you select sources of events, the following buttons become available:

  • Save to CSV—you can use this button to export data of the selected event sources to a file named event-source-list.csv in UTF-8 encoding.
  • Apply policy and Disable policy—you can use these buttons to enable or disable a monitoring policy for a source of events. When enabling a policy, you must select the policy from the drop-down list. When disabling a policy, you must select how long you want to disable the policy: temporarily or forever.

    If there is no policy for the selected event source, the Apply policy button is inactive. This button will also be inactive if sources from different tenants are selected, but the user has no available policies in the shared tenant.

    In some rare cases, the status of a disabled policy may change from gray to green a few seconds after it is disabled due to overlapping internal processes of KUMA. If this happens, you need to disable the monitoring policy again.

  • Remove event source from the list—you can use this button to remove an event source from the table. The statistics on this source will also be removed. If a collector continues to receive data from the source, the event source will re-appear in the table but its old statistics will not be taken into account.

By default, no more than 250 event sources are displayed and, therefore, available for selection. If there are more event sources, to select them you must load additional event sources by clicking the Show next 250 button in the lower part of the window.

Monitoring policies

Policies for monitoring the sources of events are displayed in the table under Source status → Monitoring policies. You can sort the table by clicking the column header of the relevant setting. Clicking on a policy opens an information pane containing its settings that can be edited.

The following columns are available:

  • Name—name of the monitoring policy.
  • Lower limit—lower boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Upper limit—upper boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Interval—period taken into account by the monitoring policy.
  • Type—type of monitoring policy:
    • byCount—the monitoring policy tracks the number of incoming events.
    • byEPS—the monitoring policy tracks the rate of incoming events.
  • Tenant—the tenant that owns the monitoring policy.

To add a monitoring policy:

  1. In the KUMA web interface, under Source status → Monitoring policies, click Add policy and define the settings in the opened window:
    • In the Policy name field, enter a unique name for the policy you are creating. The name must contain from 1 to 128 Unicode characters.
    • In the Tenant drop-down list, select the tenant that will own the policy. Your tenant selection determines the specific sources of events that can be covered by the monitoring policy.
    • In the Policy type drop-down list, select the method used to track incoming events: by rate or by number.
    • In the Lower limit and Upper limit fields, define the boundaries representing normal behavior. Deviations outside of these boundaries will trigger the monitoring policy, create an alert, and forward notifications.
    • In the Count interval field, specify the period during which the monitoring policy must take into account the data from the monitoring source. The maximum value is 14 days.
    • If necessary, specify the email addresses to which notifications about the activation of the KUMA monitoring policy should be sent. To add each address, click the Email button.

      To forward notifications, you must configure a connection to the SMTP server.

  2. Click Add.

The monitoring policy will be added.

To remove a monitoring policy,

select one or more policies, then click Delete policy and confirm the action.

You cannot remove preinstalled monitoring policies or policies that have been assigned to data sources.
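
The following Python example is added here to make the Source status semantics concrete; it is not KUMA code and does not reproduce KUMA's internal implementation. It identifies event sources from the DeviceProduct, DeviceAddress and DeviceHostName fields (case-sensitive, as the List of event sources section states), measures each source over a byCount or byEPS policy's count interval, and assigns the Green, Red or Gray status described above. The count interval is treated as a half-open window whose end boundary is excluded, the same convention the Dashboard and Report template sections give for analytics periods. The sample events, the Timestamp field, the policy names and the policy assignments are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# A source is keyed by (DeviceProduct, DeviceAddress, DeviceHostName), compared
# case-sensitively, as the Source status section describes.
SourceKey = Tuple[str, str, str]
MAX_INTERVAL = timedelta(days=14)  # upper bound on Count interval stated in the docs


@dataclass(frozen=True)
class MonitoringPolicy:
    name: str
    policy_type: str        # "byCount" or "byEPS", the two values of the Type column
    lower_limit: float
    upper_limit: float
    interval: timedelta     # Count interval over which events are measured

    def __post_init__(self) -> None:
        if self.policy_type not in ("byCount", "byEPS"):
            raise ValueError(f"unknown policy type: {self.policy_type}")
        if self.lower_limit > self.upper_limit:
            raise ValueError("lower limit must not exceed upper limit")
        if not timedelta(0) < self.interval <= MAX_INTERVAL:
            raise ValueError("count interval must be positive and at most 14 days")


def source_key(event: dict) -> SourceKey:
    # No normalization: "Windows" and "windows" are distinct sources.
    return (event.get("DeviceProduct", ""), event.get("DeviceAddress", ""),
            event.get("DeviceHostName", ""))


def group_by_source(events: Iterable[dict]) -> Dict[SourceKey, List[datetime]]:
    # Collect event timestamps per source; the "Timestamp" field is an assumption.
    sources: Dict[SourceKey, List[datetime]] = {}
    for event in events:
        sources.setdefault(source_key(event), []).append(
            datetime.fromisoformat(event["Timestamp"]))
    return sources


def measure(timestamps: List[datetime], policy: MonitoringPolicy, window_end: datetime) -> float:
    # Half-open window [end - interval, end): the end boundary itself is excluded,
    # matching the "Day 1 00:00:00 - Day 2 00:00:00" period rule above.
    window_start = window_end - policy.interval
    count = sum(1 for t in timestamps if window_start <= t < window_end)
    if policy.policy_type == "byCount":
        return float(count)
    return count / policy.interval.total_seconds()  # byEPS: events per second


def evaluate(timestamps: List[datetime], policy: Optional[MonitoringPolicy],
             window_end: datetime) -> Tuple[str, Optional[float]]:
    # Status column value for one source: Green, Red or Gray.
    if policy is None:
        return ("Gray", None)      # no policy assigned to the source
    value = measure(timestamps, policy, window_end)
    if policy.lower_limit <= value <= policy.upper_limit:
        return ("Green", value)    # within the policy's limits
    return ("Red", value)          # outside the limits: the policy triggers


def source_status_table(events: Iterable[dict], assignments: Dict[SourceKey, MonitoringPolicy],
                        window_end: datetime) -> Dict[SourceKey, dict]:
    # One row per source, mirroring the Status / Stream / Monitoring policy columns.
    table: Dict[SourceKey, dict] = {}
    for key, stamps in group_by_source(events).items():
        policy = assignments.get(key)
        status, value = evaluate(stamps, policy, window_end)
        table[key] = {"status": status, "stream": value, "policy": policy.name if policy else None}
    return table


# Constructed sample events; not real KUMA data. Timestamps are ISO 8601.
SAMPLE_EVENTS: List[dict] = [
    {"Timestamp": "2024-05-01T10:00:05", "DeviceProduct": "Windows", "DeviceAddress": "10.0.0.5", "DeviceHostName": "dc01"},
    {"Timestamp": "2024-05-01T10:01:10", "DeviceProduct": "Windows", "DeviceAddress": "10.0.0.5", "DeviceHostName": "dc01"},
    {"Timestamp": "2024-05-01T10:03:00", "DeviceProduct": "Windows", "DeviceAddress": "10.0.0.5", "DeviceHostName": "dc01"},
    {"Timestamp": "2024-05-01T10:09:59", "DeviceProduct": "Windows", "DeviceAddress": "10.0.0.5", "DeviceHostName": "dc01"},
    {"Timestamp": "2024-05-01T10:10:00", "DeviceProduct": "Windows", "DeviceAddress": "10.0.0.5", "DeviceHostName": "dc01"},  # on the excluded end boundary
    {"Timestamp": "2024-05-01T09:30:00", "DeviceProduct": "Windows", "DeviceAddress": "10.0.0.5", "DeviceHostName": "dc01"},  # before the window
    {"Timestamp": "2024-05-01T10:02:00", "DeviceProduct": "windows", "DeviceAddress": "10.0.0.5", "DeviceHostName": "dc01"},  # different case: separate source
    {"Timestamp": "2024-05-01T09:00:00", "DeviceProduct": "Linux", "DeviceAddress": "10.0.0.9", "DeviceHostName": ""},        # source that went quiet
    {"Timestamp": "2024-05-01T10:05:00", "DeviceProduct": "Cisco ASA", "DeviceAddress": "", "DeviceHostName": "fw01"},      # no policy assigned
]

WINDOW_END = datetime.fromisoformat("2024-05-01T10:10:00")
COUNT_POLICY = MonitoringPolicy("windows-hosts", "byCount", 2, 100, timedelta(minutes=10))
EPS_POLICY = MonitoringPolicy("linux-eps", "byEPS", 0.1, 50.0, timedelta(minutes=10))

# Hypothetical policy assignments (in KUMA this is done with the Apply policy button).
ASSIGNMENTS: Dict[SourceKey, MonitoringPolicy] = {
    ("Windows", "10.0.0.5", "dc01"): COUNT_POLICY,
    ("windows", "10.0.0.5", "dc01"): COUNT_POLICY,
    ("Linux", "10.0.0.9", ""): EPS_POLICY,
}


def demo() -> Dict[SourceKey, dict]:
    return source_status_table(SAMPLE_EVENTS, ASSIGNMENTS, WINDOW_END)


if __name__ == "__main__":
    for key, row in demo().items():
        print(key, row)
```

Running the block shows the four situations an operator meets in the table: the Windows source counts four events (the 10:10:00 event sits on the excluded boundary and the 09:30:00 event is before the window) and is Green; the lowercase "windows" variant is tracked as its own source, so its single event falls below the lower limit and it turns Red; the Linux source that stopped sending is Red under the byEPS policy with a rate of 0.0; the firewall without a policy is Gray.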

Widgets

Widgets in KUMA are used to obtain analytics for the Dashboard and Reports.

Click the title or legend of a widget for events, alerts, incidents, or active lists to open the corresponding section of the KUMA web interface, which shows the widget data using the section's filters and/or a search query. See below for more details. This functionality is not available while creating or editing layouts.

If the widget is configured to divide the analytics period into segments, the values or charts will be displayed in pairs: the analytics for the current segment of the period (custom color) and the analytics for the previous segment of the period (gray).

Widgets are organized into widget groups, each one related to the analytics type they provide. The following widget groups and widgets are available in KUMA:

  • Events—widget for creating analytics based on events.

    Click the title of this widget to go to the Events section of the KUMA web interface. The SQL query specified in the widget is used to request the events for the widget. The query is specified without grouping (except for table graphs) but takes into account the conditions indicated in the WHERE parameter. The LIMIT parameter in a query is equal to 250.

  • Active lists—widget for creating analytics based on active lists of correlators.

    Click the title of this widget to go to the section of the active list used to build the analytics of the widget.

  • Alerts—group for analytics related to alerts. Click on the title or legend of widgets in this group to go to the Alerts section of the KUMA web interface and view the widget data in detail.

    The group includes the following widgets:

    • Active alerts—number of alerts that have not been closed.
    • Active alerts by tenant—number of unclosed alerts grouped by tenant.
    • Alerts by tenant—number of alerts of all statuses, grouped by tenant.
    • Unassigned alerts—number of alerts that have the New status.
    • Alerts by assignee—number of assigned alerts grouped by their executor.
    • Alerts by status—number of alerts grouped by status.
    • Alerts by severity—number of unclosed alerts grouped by their severity.
    • Alerts by rule—number of unclosed alerts grouped by correlation rule. For this widget, you cannot obtain detailed information by clicking on the widget title.
    • Latest alerts—table containing the last 10 unclosed alerts. If there are more than 10 alerts in tenants selected in the widget, some of them will not be displayed.
    • Alerts distribution—number of alerts created during the period indicated in the widget.
  • Assets—group for analytics related to assets from processed events. This group includes the following widgets:
    • Affected assets—table of alert-related assets showing the severity of the asset and the number of unclosed alerts related to it.
    • Affected asset categories—categories of assets linked to unclosed alerts.
    • Number of assets—number of assets that were added to KUMA.
    • Assets in incidents by tenant—number of assets in unclosed incidents, grouped by tenant.
    • Assets in alerts by tenant—number of assets in unclosed alerts, grouped by tenant.
  • Incidents—group for analytics related to incidents. Click on the title or legend of widgets in this group to go to the Incidents section of the KUMA web interface and view the widget data in detail.

    The group includes the following widgets:

    • Active incidents—number of incidents that have not been closed.
    • Unassigned incidents—number of incidents that have the Opened status.
    • Incidents distribution—number of incidents created during the period indicated in the widget.
    • Incidents by assignee—number of incidents that have the Assigned status grouped by KUMA user.
    • Incidents by status—number of incidents grouped by status.
    • Incidents by severity—number of unclosed incidents grouped by their severity. Available types of diagrams: pie chart, bar graph.
    • Active incidents by tenant—number of unclosed incidents grouped by tenant available to the user.
    • All incidents—number of incidents of all statuses.
    • All incidents by tenant—number of incidents of all statuses, grouped by tenant.
    • Affected assets in incidents—number of assets in unclosed incidents. For this widget, you cannot obtain detailed information by clicking on the widget title.
    • Affected assets categories in incidents—categories of the assets affected by unclosed incidents. Available types of diagrams: pie chart, bar graph. For this widget, you cannot obtain detailed information by clicking on the widget title.
    • Affected users in incidents—users affected by incidents. Available types of diagrams: table, pie chart, bar graph. For this widget, you cannot obtain detailed information by clicking on the widget title.
    • Latest incidents—last 10 unclosed incidents. If there are more than 10 incidents in tenants selected in the widget, some of them will not be displayed.
  • Event sources—group for analytics related to sources of events. The group includes the following widgets:
    • Top event sources by alerts number—number of unclosed alerts grouped by event source.
    • Top event sources by convention rate—number of events that have an unclosed alert grouped by event source.

      Due to optimized storage of events in alerts, the number of alerts created by event sources may be distorted in some cases. To obtain accurate statistics, it is recommended to specify the Device Product event field as unique in the correlation rule, and enable storage of all base events in a correlation event. However, correlation rules with these settings consume more resources.

  • Users—group for analytics related to users from processed events. The group includes the following widgets:
    • Affected users in alerts—number of users related to unclosed alerts.
    • Number of AD users—number of Active Directory accounts received via LDAP during the period indicated in the widget.

In this section

Standard widgets

Customizable event-based analytics

Customizable active lists analytics

[Topic 218042]

Standard widgets

This section describes the settings of all widgets except the Events widget and Active lists widget.

The available settings of widgets depend on the selected type of widget. The widget type is determined by its icon:

  • pie icon—pie chart
  • counter icon—counter
  • table icon—table
  • bar1 icon—bar chart
  • bar2 icon—date histogram

Settings of pie charts, counters, and tables

The settings of pie charts, counters, and tables are located on the same tab. The available settings depend on the selected widget:

  • Name—the field for the name of the widget. Must contain from 1 to 128 Unicode characters.
  • Description—the field for the widget description. You can add up to 4000 Unicode characters describing the widget.
  • Tenant—drop-down list for selecting the tenant whose data will be used to display analytics. The As layout setting is used by default.
  • Period—drop-down list for configuring the time period for which the analytics must be displayed. Available options:
    • As layout—when this option is selected, the widget time period value reflects the period that was configured for the layout. This option is selected by default.
    • 1 hour—receive analytics for the previous hour.
    • 1 day—receive analytics for the previous day.
    • 7 days—receive analytics for the previous 7 days.
    • 30 days—receive analytics for the previous 30 days.
    • In period—receive analytics for the custom time period. The time period is set using the calendar that is displayed when this option is selected.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  • Storage—drop-down list for selecting the storage whose events will be used to create analytics.
  • Color—the drop-down list to select the color in which the information is displayed:
    • Default—use your browser's default font color.
    • green
    • red
    • blue
    • yellow
  • Horizontal—turn on this toggle switch if you want to use horizontal histogram instead of vertical. This toggle switch is turned off by default.
  • Show legend—turn off this toggle switch if you don't want the widget to display the legend for the widget analytics. This toggle switch is turned on by default.
  • Show nulls in legend—turn on this toggle switch if you want the legend for the widget analytics to include parameters with zero values. This toggle switch is turned off by default.
  • Decimals—this field is used to specify how to round-off values. The default value is Auto.

Settings of bar graphs

The settings of bar graphs are located on two tabs. The available settings depend on the selected widget:

  • Actions—this tab is used to configure the chart scale. Available settings:
    • The Y-min and Y-max fields are used to define the scale of the Y-axis. The Decimals field on the left is used to set the rounding parameter for the Y-axis values.
    • The X-min and X-max fields are used to define the scale of the X-axis. The Decimals field on the right is used to control rounding of the X-axis values.

      Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

  • wrench icon—this tab is used to configure the widget analytics display.
    • Name—the field for the name of the widget. Must contain from 1 to 128 Unicode characters.
    • Description—the field for the widget description. You can add up to 512 Unicode characters describing the widget.
    • Tenant—drop-down list for selecting the tenant whose data will be used to display analytics.
    • Period—drop-down list for configuring the time period for which the analytics must be displayed. Available options:
      • As layout—when this option is selected, the widget time period value reflects the period that was configured for the layout. This option is selected by default.
      • 1 hour—receive analytics for the previous hour.
      • 1 day—receive analytics for the previous day.
      • 7 days—receive analytics for the previous 7 days.
      • 30 days—receive analytics for the previous 30 days.
      • In period—receive analytics for the custom time period. The time period is set using the calendar that is displayed when this option is selected.
    • Storage—drop-down list for selecting the storage whose events will be used to create analytics.
    • Color—the drop-down list to select the color in which the information is displayed:
      • default—use your browser's default font color.
      • green
      • red
      • blue
      • yellow
    • Horizontal—turn on this toggle switch if you want to use horizontal histogram instead of vertical. This toggle switch is turned off by default.

      When this option is enabled and the widget displays a large amount of data, horizontal scrolling is not available and the data is fitted into the widget window. If there is a lot of data to display, it is recommended to increase the widget size.

    • Show legend—turn off this toggle switch if you don't want the widget to display the legend for the widget analytics. This toggle switch is turned on by default.
    • Show nulls in legend—turn on this toggle switch if you want the legend for the widget analytics to include parameters with zero values. This toggle switch is turned off by default.
    • Decimals—this field is used to specify how to round-off values. The default value is Auto.
[Topic 221919]

Customizable event-based analytics

You can use the Events widget to get the necessary event-based analytics based on SQL queries. Depending on the selected value of the graph type, two or three parameter tabs are available:

  • Selectors—this tab is used to define the widget type and to compose the search for the analytics.
  • Actions—this tab is used to configure the chart scale. This tab is available only for the Bar chart, Line chart, and Date Histogram graph types (see below).
  • wrench icon—this tab is used to configure the widget analytics display.

The following parameters are available for the Selectors tab:

  • Graph—this drop-down list is used to select widget graph type. Available options:
    • Pie chart
    • Bar chart
    • Counter
    • Line chart
    • Table
    • Date Histogram
  • Tenant—drop-down list for selecting the tenant whose data will be used to display analytics. The As layout setting is used by default.
  • Period—drop-down list for configuring the time period for which the analytics must be displayed. Available options:
    • As layout—when this option is selected, the widget time period value reflects the period that was configured for the layout. This option is selected by default.
    • 1 hour—receive analytics for the previous hour.
    • 1 day—receive analytics for the previous day.
    • 7 days—receive analytics for the previous 7 days.
    • 30 days—receive analytics for the previous 30 days.
    • In period—receive analytics for the custom time period. The time period is set using the calendar that is displayed when this option is selected.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  • Show data for previous period—a toggle button that lets you enable the display of data for two periods at the same time, including data for the current period and for the previous one. This can be useful for assessing change dynamics.
  • Storage—the storage where the search should be performed.
  • SQL query field—here you can enter a search query that is equivalent to filtering events using SQL syntax.

    For Event widgets, you can use the ExtraNormalizers button to open a query builder that is equivalent to the event filter builder parameters:

    Description of query builder parameters

    • SELECT—use these fields to define the event fields that must be extracted for analytics. The number of available fields depends on the selected widget graph type (see above).

      In the left drop-down list, you can select the event fields required for analytics.

      The middle field displays what the selected field is used for in the widget: metric or value.

      When the Table widget type is selected, the values in the middle fields become available for editing and are displayed as the names of columns. Only ASCII characters can be used for values.

      In the right drop-down list you can select how the metric type event field values must be processed for the widget:

      • count—select this option to count events. This option is available only for the ID event field.
      • max—select this option to display the maximum event field value from the event selection.
      • min—select this option to display the minimum event field value from the event selection.
      • avg—select this option to display the average event field value from the event selection.
      • sum—select this option to display the sum of event field values from the event selection.
    • SOURCE—this drop-down list is used to select the data source type. Only events option is available for selection.
    • WHERE—this group of settings is used to create search conditions:

      In the left drop-down list you can select the event field you want to use as a filter.

      In the middle drop-down list you can select the required operator. Available operators vary based on the chosen event field's value type.

      In the field on the right, you can select or enter the value of the event field. Depending on the selected event field value type, you may have to input the value manually, select it in the drop-down list, or select it on the calendar.

      You can add search conditions using the Add condition button or delete them using the button with the cross icon.

      You can also add group conditions using the Add group button. By default, groups of conditions are added with the AND operator. However, you can switch the operator by clicking the operator name. Available values: AND, OR, NOT. Group conditions are deleted using the Delete group button.

    • GROUP BY—this drop-down list is used to select the event fields for grouping events. This parameter is not available for Counter graph type.
    • ORDER BY—this drop-down list is used to define how the information from search results is sorted in the widget. This parameter is not available for Date Histogram and Counter graph types.

      In the left drop-down list you can select the value, metric or event field to use for sorting.

      In the drop-down list on the right, you can select the sorting order: ASC for ascending or DESC for descending.

      For Table-type graphs, you can add sorting conditions by using the Add column button.

    • LIMIT—this field is used to set the maximum number of data points for the widget. This parameter is not available for Date Histogram and Counter graph types.

    Example of search conditions in the query builder

    [Figure: search condition parameters for the widget showing average bytes received per host]

    Aliases must not contain spaces.

The following parameters are available for the Actions tab:

  • The Y-min and Y-max fields are used to define the scale of the Y-axis. The Decimals field on the left is used to set the rounding parameter for the Y-axis values.
  • The X-min and X-max fields are used to define the scale of the X-axis. The Decimals field on the right is used to control rounding of the X-axis values.

    Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

  • Line-width and Point size fields are available for the Line chart graph type and are used to configure the plot line.

The following parameters are available for the wrench tab:

  • Name—the field for the name of the widget. Must contain from 1 to 128 Unicode characters.
  • Description—the field for the widget description. You can add up to 512 Unicode characters describing the widget.
  • Color—the drop-down list to select the color in which the information is displayed:
    • Default—use your browser's default font color.
    • green
    • red
    • blue
    • yellow
  • Horizontal—turn on this toggle switch if you want to use horizontal histogram instead of vertical. This toggle switch is turned off by default.

    When this option is enabled and the widget displays a large amount of data, horizontal scrolling is not available and the data is fitted into the widget window. If there is a lot of data to display, it is recommended to increase the widget size.

  • Show legend—turn off this toggle switch if you don't want the widget to display the legend for the widget analytics. This toggle switch is turned on by default.
  • Show nulls in legend—turn on this toggle switch if you want the legend for the widget analytics to include parameters with zero values. This toggle switch is turned off by default.
  • Decimals—the field to enter the number of decimals to which the displayed value must be rounded off.
  • Period segments length (available for Date Histogram graph types)—drop-down list for selecting the duration of the segments into which you want to divide the period.
[Topic 217867]

Customizable active lists analytics

You can use Active lists widgets to get the necessary analytics based on SQL queries sent to the active lists. Depending on the selected value of the graph type, two or three parameter tabs are available:

  • Selectors—this tab is used to define the widget type and to compose the search for the analytics.
  • Actions—this tab is used to configure the chart scale. This tab is available only for the Bar chart graph type (see below).
  • wrench icon—this tab is used to configure the widget analytics display.

The following parameters are available for the Selectors tab:

  • Graph—this drop-down list is used to select widget graph type. Available options:
    • Pie chart
    • Bar chart
    • Counter
    • Table
  • Tenant—drop-down list for selecting the tenant whose data will be used to display analytics. The As layout setting is used by default.
  • Correlator—name of the correlator service whose active list should be queried for analytics.
  • Active list—name of the active list that should be searched.

    The same resource of an active list can be used by different correlator services. However, a separate entity of the active list is created for each correlator. Therefore, the contents of the active lists used by different correlators differ even if the active lists have the same names and IDs.

  • SQL query field—here you can enter a search query that is equivalent to searching events using SQL syntax.

    In contrast to an event search, the FROM parameter must match the value of `records` in search queries through active lists.

    The service fields _key (the field with the keys of the active list records) and _count (the number of times this record has been added to the active list), and custom fields are available for queries.

    Examples:

    • SELECT count(_key) AS metric, Status AS value FROM `records` GROUP BY value ORDER BY metric DESC LIMIT 250—Query for a pie chart that returns the number of keys of the active list (count aggregation based on the _key field) and all options for values of the custom field Status. The widget displays a pie chart with the total number of records in the active list, divided proportionally by the number of possible values for the Status field.
    • SELECT Name, Status, _count AS Number FROM `records` WHERE Description ILIKE '%ftp%' ORDER BY Name DESC LIMIT 250—Query for the table that returns the values of the Name and Status custom fields and the _count service field for those active list records in which the value of the Description custom field matches the query ILIKE '%ftp%'. The widget displays a table with the Status, Name, and Number columns.

    If a date and time conversion function is used in an SQL query (for example, fromUnixTimestamp64Milli) and the field being processed does not contain a date and time, an error will be displayed in the widget. To avoid this, use functions that can handle a null value. Example: SELECT _key, fromUnixTimestamp64Milli(toInt64OrNull(DateTime)) as Date FROM `records` LIMIT 250.

The following parameters are available for the Actions tab:

  • The Y-min and Y-max fields are used to define the scale of the Y-axis. The Decimals field on the left is used to set the rounding parameter for the Y-axis values.
  • The X-min and X-max fields are used to define the scale of the X-axis. The Decimals field on the right is used to control rounding of the X-axis values.

    Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

The following parameters are available for the wrench tab:

  • Name—the field for the name of the widget. Must contain from 1 to 128 Unicode characters.
  • Description—the field for the widget description. You can add up to 512 Unicode characters describing the widget.
  • Color—the drop-down list to select the color in which the information is displayed:
    • default—use your browser's default font color.
    • green
    • red
    • blue
    • yellow
  • Horizontal—turn on this toggle switch if you want to use horizontal histogram instead of vertical. This toggle switch is turned off by default.

    When this option is enabled and the widget displays a large amount of data, horizontal scrolling is not available and the data is fitted into the widget window. If there is a lot of data to display, it is recommended to increase the widget size.

  • Show legend—turn off this toggle switch if you don't want the widget to display the legend for the widget analytics. This toggle switch is turned on by default.
  • Show nulls in legend—turn on this toggle switch if you want the legend for the widget analytics to include parameters with zero values. This toggle switch is turned off by default.
  • Decimals—the field to enter the number of decimals to which the displayed value must be rounded off.
[Topic 234198]