Kaspersky Next XDR Expert
1.1.9

Contents

Widget settings

This section describes the settings of all widgets available in KUMA.

Page top
[Topic 265236]

"Events" widget

You can use the Events widget to get analytics based on SQL queries.

When creating this type of widget, you must set values for the following settings:

The Selectors tab:

  • Graph is the type of the graph. The following graph types are available:
    • Pie chart.
    • Bar chart.
    • Counter.
    • Line chart.
    • Table.
    • Date Histogram.
  • Tenant is the tenant for which data is displayed in the widget.

    You can select multiple tenants.

    By default, data is displayed for tenants that have been selected in layout settings.

  • Period is the period for which data is displayed in the widget. The following periods are available:
    • As layout means data is displayed for the period selected for the layout.

      This is the default setting.

    • 1 hour—data is displayed for the previous hour.
    • 1 day—data is displayed for the previous day.
    • 7 days—data is displayed for the previous 7 days.
    • 30 days—data is displayed for the previous 30 days.
    • In period—data is displayed for a custom time period.

      If you select this option, use the opened calendar to select the start and end dates of the period and click Apply Filter. The date and time format depends on your operating system's settings. You can also manually change the date values if necessary.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  • Show data for previous period—enable the display of data for two periods at the same time: for the current period and for the previous period.
  • Storage is the storage that is searched for events.
  • The SQL query field (icon_search_events) lets you manually enter a query for filtering and searching events.

    You can also create a query in Builder by clicking icon_search_events.

    How to create a query in Builder

    To create a query in Builder:

    1. Specify the values of the following parameters:
      1. SELECT—event fields that should be returned. The number of available fields depends on the selected graph type.
        • In the drop-down list on the left, select the event fields for which you want to display data in the widget.
        • The middle field displays what the selected field is used for in the widget: metric or value.

          If you selected the Table graph type, in the middle fields, you must specify column names using ANSII-ASCII characters.

        • In the drop-down list on the right, you can select an operation to be performed on the data:
          • count—event count. This operation is available only for the ID event field. Used by default for line charts, pie charts, bar charts, and counters. This is the only option for date histogram.
          • max is the maximum value of the event field from the event selection.
          • min is the minimum value of the event field from the event selection.
          • avg is the average value of the event field from the event selection.
          • sum is the sum of event field values ​​from the event selection.
      2. SOURCE is the type of the data source. Only the events value is available for selection.
      3. WHERE—conditions for filtering events.
        • In the drop-down list on the left, select the event field that you want to use for filtering.
        • Select the necessary operator from the middle drop-down list. The available operators depend on the type of value of the selected event field.
        • In the drop-down list on the right, enter the value of the condition. Depending on the selected type of field, you may have to manually enter the value, select it from the drop-down list, or select it on the calendar.

        You can add search conditions by clicking Add condition or remove search conditions by clicking cross.

        You can also add groups of conditions by clicking Add group. By default, groups of conditions are added with the AND operator, but you can change the it if necessary. Available values: AND, OR, NOT. Group conditions are deleted by clicking the Delete group button.

      4. GROUP BY—event fields or aliases to be used for grouping the returned data. This parameter is not available for Counter graph type.
      5. ORDER BY—columns used as the basis for sorting the returned data. This parameter is not available for the Date Histogram and Counter graph types.
        • In the drop-down list to the left, select the value that will be used for sorting.
        • Select the sort order from the drop-down list on the right: ASC for ascending, DESC for descending.
        • For Table type graphs, you can add sorting conditions by clicking Add column.
      6. LIMIT is the maximum number of data points for the widget. This parameter is not available for the Date Histogram and Counter graph types.
    2. Click Apply.

    Example of search conditions in the query builder

    WidgetCustomExample

    Search condition parameters for the widget showing average bytes received per host

    The "metric" and "value" aliases in SQL queries cannot be edited for any type of event analytics widget, except tables.

    Aliases in widgets of the Table type can contain Latin and Cyrillic characters, as well as spaces. When using spaces or Cyrillic, the alias must be enclosed in quotation marks: "An alias with a space", `Another alias`.

    When displaying data for the previous period, sorting by the count(ID) parameter may not work correctly. It is recommended to sort by the metric parameter. For example, SELECT count(ID) AS "metric", Name AS "value" FROM `events` GROUP BY Name ORDER BY metric ASC LIMIT 250.

    In the Counter type widgets you must specify the method of data processing for the values of the SELECT function: count, max, min, avg, sum.

The Actions tab:

The tab is displayed if on the Selectors tab in the Graph field you have selected one of the following values: Bar chart, Line chart, Date Histogram.

  • The Y-min and Y-max values set the scale of the Y axis.
  • The X-min and X-max values set the scale of the X axis.

    Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

  • Line-width is the width of the line on the graph. This field is displayed for the "Line chart" graph type.
  • Point size is the size of the pointer on the graph. This field is displayed for the "Line chart" graph type.

The wrench tab:

  • Name is the name of the widget.
  • Description is the description of the widget.
  • Color is a drop-down list where you can select the color for displaying information:
    • default for your browser's default font color
    • green
    • red
    • blue
    • yellow
  • Horizontal makes the histogram horizontal instead of vertical.

    When this option is enabled, when a widget displays a large amount of data, horizontal scrolling is not available and all available information is fit into the fixed size of the widget. If there is a lot of data to display, it is recommended to increase the widget size.

  • Show total shows sums total of the values.
  • Legend displays a legend for analytics.

    The toggle switch is turned on by default.

  • Show nulls in legend displays parameters with a null value in the legend for analytics.

    The toggle switch is turned off by default.

  • Decimals—the field to enter the number of decimals to which the displayed value must be rounded off.
  • Period segments length (available for graphs of the Date Histogram type) sets the length of segments into which you want to divide the period.
Page top
[Topic 265237]

"Active lists" widget

You can use the Active lists widget to get analytics based on SQL queries.

When creating this type of widget, you must set values for the following settings:

The Selectors tab:

  • Graph is the type of the graph. The following graph types are available:
    • Bar chart.
    • Pie chart.
    • Counter.
    • Table.
  • Tenant is the tenant for which data is displayed in the widget.

    You can select multiple tenants.

    By default, data is displayed for tenants that have been selected in layout settings.

  • Correlator is the name of the correlator that contains the active list for which you want to receive data.
  • Active list is the name of the active list for which you want to receive data.

    The same active list can be used by different correlators. However, a separate entity of the active list is created for each correlator. Therefore, the contents of the active lists used by different correlators differ even if the active lists have the same names and IDs.

  • The SQL query field lets you manually enter a query for filtering and searching active list data.

    The query structure is similar to that used in event search.

    When creating a query based on active lists, you must consider the following:

    • For the FROM function, you must specify the `records` value.
    • If you want to receive data for fields whose names contain spaces and Cyrillic characters, you must also enclose such names in quotes in the query:
      • In the SELECT function, enclose aliases in double quotes or backticks: "alias", `another alias`.
      • In the ORDER BY function, enclose aliases in backticks: `another alias`.
      • Event field values ​​are enclosed in straight quotes: WHERE DeviceProduct = 'Microsoft'.

      Names of event fields do not need to be enclosed in quotes.

      If the name of an active list field begins or ends with spaces, these spaces are not displayed by the widget. The field name must not contain spaces only.

      If the values of the active list fields contain trailing or leading spaces, it is recommended to use the LIKE '%field value%' function to search by them.

    • In your query, you can use service fields: _key (the field with the keys of active list records) and _count (the number of times this record has been added to the active list), as well as custom fields.
    • The "metric" and "value" aliases in SQL queries cannot be edited for any type of active lists analytics widget, except tables.
    • If a date and time conversion function is used in an SQL query (for example, fromUnixTimestamp64Milli) and the field being processed does not contain a date and time, an error will be displayed in the widget. To avoid this, use functions that can handle a null value. Example: SELECT _key, fromUnixTimestamp64Milli(toInt64OrNull(DateTime)) as Date FROM `records` LIMIT 250.
    • Large values for the LIMIT function may lead to browser errors.
    • If you select Counter as the graph type, you must specify the method of data processing for the values of the SELECT function: count, max, min, avg, sum.
    • You can get the names of the tenants in the widget instead of their IDs.

      If you want the names of tenants to be displayed in active list widgets instead of tenant IDs, in correlation rules of the correlator, configure the function for populating the active list with information about the corresponding tenant. The configuration process involves the following steps:

      1. Export the list of tenants.
      2. Create a dictionary of the Table type and import the previously obtained list of tenants into the dictionary.
      3. Add a local variable with the dict function for mapping the tenant name to tenant ID to the correlation rule.

        Example:

        • Variable: TenantName
        • Value: dict ('<Name of the previously created dictionary with tenants>', TenantID)
      4. Add an action with active lists to the correlation rule. This action will write the value of the previously created variable in the key-value format to the active list using the Set function. As the key, specify the field of the active list (for example, Tenant), and in the Value field, reference the previously created variable (for example, $TenantName).

      When this rule triggers, the name of the tenant mapped by the dict function to the ID from the tenant dictionary is placed in the active list. When creating widgets for active lists, you can get the name of the tenant by referring to the name of the field of the active list (in the example above, Tenant).

      The method described above can be applied to other event fields with IDs.

    Special considerations apply when using aliases in SQL functions and SELECT, you can use double quotes and backticks: ", `.

    If you selected Counter as the graph type, aliases can contain Latin and Cyrillic characters, as well as spaces. When using spaces or Cyrillic, the alias must be enclosed in quotation marks: "An alias with a space", `Another alias`.

    When displaying data for the previous period, sorting by the count(ID) parameter may not work correctly. It is recommended to sort by the metric parameter. For example, SELECT count(ID) AS "metric", Name AS "value" FROM `events` GROUP BY Name ORDER BY metric ASC LIMIT 250.

    Sample SQL queries for receiving analytics based on active lists:

    • SELECT * FROM `records` WHERE "Event source" = 'Johannesburg' LIMIT 250

      This query returns the key of the active list where the field name is "Event source" and the value of this field is "Johannesburg".

    • SELECT count(_key) AS metric, Status AS value FROM `records` GROUP BY value ORDER BY metric DESC LIMIT 250

      Query for a pie chart, which returns the number of keys in the active list ('count' aggregation over the '_key' field) and all variants of the Status custom field. The widget displays a pie chart with the total number of records in the active list, divided proportionally by the number of possible values for the Status field.

    • SELECT Name, Status, _count AS Number FROM `records` WHERE Description ILIKE '%ftp%' ORDER BY Name DESC LIMIT 250

      Query for a table, which returns the values ​​of the Name and Status custom fields, as well as the service field '_count' for those records of the active list in which the value of the Description custom field matches ILIKE '%ftp%'. The widget displays a table with the Status, Name, and Number columns.

The Actions tab:

This tab is displayed if on the Selectors tab, in the Graph field, you have selected Bar chart.

  • The Y-min and Y-max values set the scale of the Y axis.
  • The X-min and X-max values set the scale of the X axis.

    Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

The wrench tab:

  • Name is the name of the widget.
  • Description is the description of the widget.
  • Color is a drop-down list where you can select the color for displaying information:
    • default for your browser's default font color
    • green
    • red
    • blue
    • yellow
  • Horizontal makes the histogram horizontal instead of vertical.

    When this setting is enabled, all available information is fitted into the configured widget size. If the amount of data is great, you can increase the size of the widget to display it optimally.

  • Show total shows sums total of the values.
  • Legend displays a legend for analytics.

    The toggle switch is turned on by default.

  • Show nulls in legend displays parameters with a null value in the legend for analytics.

    The toggle switch is turned off by default.

Page top
[Topic 265238]

"Context tables" widget

You can use the Context tables widget to get analytics based on SQL queries.

When creating this type of widget, you must set values for the following settings:

The Selectors tab:

  • Graph is the type of the graph. The following graph types are available:
    • Bar chart.
    • Pie chart.
    • Counter.
    • Table.
  • Tenant is the tenant for which data is displayed in the widget.

    You can select multiple tenants.

    By default, data is displayed for tenants that have been selected in layout settings.

  • Correlator is the name of the correlator that contains the context table for which you want to receive information.
  • Context table is name of the context table for which you want to receive information.

    The same context table can be used in multiple correlators. However, a separate entity of the context table is created for each correlator. Therefore, the contents of the context tables used by different correlators are different even if the context tables have the same name and ID.

  • The SQL query field lets you manually enter a query for filtering and searching context table data. By default, for each widget type, the field contains a query that obtains the context table schema and the key by key fields.

    The query structure is similar to that used in event search.

    When creating a query based on context tables, you must consider the following:

    • For the FROM function, you must specify the `records` value.
    • You can get data only for the fields specified in the context table schema.
    • You can use supported features of ClickHouse.
    • If you want to receive data for fields whose names contain spaces and Cyrillic characters, you must also enclose such names in quotes in the query:
      • In the SELECT function, enclose aliases in double quotes or backticks: "alias", `another alias`.
      • In the ORDER BY function, enclose aliases in backticks: `another alias`.
      • Event field values ​​are enclosed in straight quotes: WHERE DeviceProduct = 'Microsoft'.

      Names of event fields do not need to be enclosed in quotes.

      If the name of an active list field begins or ends with spaces, these spaces are not displayed by the widget. The field name must not contain spaces only.

      If the values of the active list fields contain trailing or leading spaces, it is recommended to use the LIKE '%field value%' function to search by them.

    • You can use the _count service field (how many times this record has been added to the context table), as well as custom fields.
    • The "metric" and "value" aliases in SQL queries cannot be edited for any type of active lists analytics widget, except tables.
    • If a date and time conversion function is used in an SQL query (for example, fromUnixTimestamp64Milli) and the field being processed does not contain a date and time, an error will be displayed in the widget. To avoid this, use functions that can handle a null value. Example: SELECT _key, fromUnixTimestamp64Milli(toInt64OrNull(DateTime)) as Date FROM `records` LIMIT 250.
    • Large values for the LIMIT function may lead to browser errors.
    • If you select Counter as the graph type, you must specify the method of data processing for the values of the SELECT function: count, max, min, avg, sum.
    • You can get the names of the tenants in the widget instead of their IDs.

      If you want the names of tenants to be displayed in active list widgets instead of tenant IDs, in correlation rules of the correlator, configure the function for populating the active list with information about the corresponding tenant. The configuration process involves the following steps:

      1. Export the list of tenants.
      2. Create a dictionary of the Table type and import the previously obtained list of tenants into the dictionary.
      3. Add a local variable with the dict function for mapping the tenant name to tenant ID to the correlation rule.

        Example:

        • Variable: TenantName
        • Value: dict ('<Name of the previously created dictionary with tenants>', TenantID)
      4. Add an action with active lists to the correlation rule. This action will write the value of the previously created variable in the key-value format to the active list using the Set function. As the key, specify the field of the active list (for example, Tenant), and in the Value field, reference the previously created variable (for example, $TenantName).

      When this rule triggers, the name of the tenant mapped by the dict function to the ID from the tenant dictionary is placed in the active list. When creating widgets for active lists, you can get the name of the tenant by referring to the name of the field of the active list (in the example above, Tenant).

      The method described above can be applied to other event fields with IDs.

    Special considerations when using aliases in SQL functions and SELECT statements: you may use double quotes and backquotes: ",`.
    When using spaces or Cyrillic characters, the alias must be enclosed in double quotes: "Alias with a space", values must be enclosed in straight single quotes: 'Value with a space'.
    When displaying data for the previous period, sorting by the count(ID) parameter may not work correctly. It is recommended to sort by the metric parameter. For example, SELECT count(ID) AS "metric", Name AS "value" FROM `events` GROUP BY Name ORDER BY metric ASC LIMIT 250.

    Sample SQL queries for receiving analytics based on active lists:

    • SELECT * FROM `records` WHERE "Event source" = 'Johannesburg' LIMIT 250

      This query returns the key of the active list where the field name is "Event source" and the value of this field is "Johannesburg".

    • SELECT count(_key) AS metric, Status AS value FROM `records` GROUP BY value ORDER BY metric DESC LIMIT 250

      Query for a pie chart, which returns the number of keys in the active list ('count' aggregation over the '_key' field) and all variants of the Status custom field. The widget displays a pie chart with the total number of records in the active list, divided proportionally by the number of possible values for the Status field.

    • SELECT Name, Status, _count AS Number FROM `records` WHERE Description ILIKE '%ftp%' ORDER BY Name DESC LIMIT 250

      Query for a table, which returns the values ​​of the Name and Status custom fields, as well as the service field '_count' for those records of the active list in which the value of the Description custom field matches ILIKE '%ftp%'. The widget displays a table with the Status, Name, and Number columns.

The Actions tab:

This tab is displayed if on the Selectors tab, in the Graph field, you have selected Bar chart.

  • The Y-min and Y-max values set the scale of the Y axis.
  • The X-min and X-max values set the scale of the X axis.
  • Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

The wrench tab:

  • Name is the name of the widget.
  • Description is the description of the widget.
  • Color is a drop-down list where you can select the color for displaying information:
    • default for your browser's default font color
    • green
    • red
    • blue
    • yellow
  • Horizontal makes the histogram horizontal instead of vertical.

    When this setting is enabled, all available information is fitted into the configured widget size. If the amount of data is great, you can increase the size of the widget to display it optimally.

  • Show total shows sums total of the values.
  • Legend displays a legend for analytics.

    The toggle switch is turned on by default.

  • Show nulls in legend displays parameters with a null value in the legend for analytics.

    The toggle switch is turned off by default.

Page top
[Topic 270360]

Other widgets

This section describes the settings of all widgets except the Events widget and Active lists widget.

The set of parameters available for a widget depends on the type of graph that is displayed on the widget. The following graph types are available in KUMA:

  • Pie chart (pie).
  • Counter (counter).
  • Table (table).
  • Bar chart (bar1).
  • Date Histogram (bar2).
  • Line chart.

Settings for pie charts

  • Name is the name of the widget.
  • Description is the description of the widget.
  • Tenant is the tenant for which data is displayed in the widget.

    You can select multiple tenants.

    By default, data is displayed for tenants that have been selected in layout settings.

  • Period is the period for which data is displayed in the widget. The following periods are available:
    • As layout means data is displayed for the period selected for the layout.

      This is the default setting.

    • 1 hour—data is displayed for the previous hour.
    • 1 day—data is displayed for the previous day.
    • 7 days—data is displayed for the previous 7 days.
    • 30 days—data is displayed for the previous 30 days.
    • In period—data is displayed for a custom time period.

      If you select this option, use the opened calendar to select the start and end dates of the period and click Apply Filter. The date and time format depends on your operating system's settings. You can also manually change the date values if necessary.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  • Show total shows sums total of the values.
  • Legend displays a legend for analytics.

    The toggle switch is turned on by default.

  • Show nulls in legend displays parameters with a null value in the legend for analytics.

    The toggle switch is turned off by default.

  • Decimals—the field to enter the number of decimals to which the displayed value must be rounded off.

Settings for counters

  • Name is the name of the widget.
  • Description is the description of the widget.
  • Tenant is the tenant for which data is displayed in the widget.

    You can select multiple tenants.

    By default, data is displayed for tenants that have been selected in layout settings.

  • Period is the period for which data is displayed in the widget. The following periods are available:
    • As layout means data is displayed for the period selected for the layout.

      This is the default setting.

    • 1 hour—data is displayed for the previous hour.
    • 1 day—data is displayed for the previous day.
    • 7 days—data is displayed for the previous 7 days.
    • 30 days—data is displayed for the previous 30 days.
    • In period—data is displayed for a custom time period.

      If you select this option, use the opened calendar to select the start and end dates of the period and click Apply Filter. The date and time format depends on your operating system's settings. You can also manually change the date values if necessary.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

Settings for tables

  • Name is the name of the widget.
  • Description is the description of the widget.
  • Tenant is the tenant for which data is displayed in the widget.

    You can select multiple tenants.

    By default, data is displayed for tenants that have been selected in layout settings.

  • Period is the period for which data is displayed in the widget. The following periods are available:
    • As layout means data is displayed for the period selected for the layout.

      This is the default setting.

    • 1 hour—data is displayed for the previous hour.
    • 1 day—data is displayed for the previous day.
    • 7 days—data is displayed for the previous 7 days.
    • 30 days—data is displayed for the previous 30 days.
    • In period—data is displayed for a custom time period.

      If you select this option, use the opened calendar to select the start and end dates of the period and click Apply Filter. The date and time format depends on your operating system's settings. You can also manually change the date values if necessary.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  • Show data for previous period—enable the display of data for two periods at the same time: for the current period and for the previous period.
  • Color is a drop-down list where you can select the color for displaying information:
    • default for your browser's default font color
    • green
    • red
    • blue
    • yellow
  • Decimals—the field to enter the number of decimals to which the displayed value must be rounded off.

Settings for Bar charts and Date Histograms

The Actions tab:

  • The Y-min and Y-max values set the scale of the Y axis.
  • The X-min and X-max values set the scale of the X axis.

    Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

  • Decimals—the field to enter the number of decimals to which the displayed value must be rounded off.

The wrench tab:

  • Name is the name of the widget.
  • Description is the description of the widget.
  • Tenant is the tenant for which data is displayed in the widget.

    You can select multiple tenants.

    By default, data is displayed for tenants that have been selected in layout settings.

  • Period is the period for which data is displayed in the widget. The following periods are available:
    • As layout means data is displayed for the period selected for the layout.

      This is the default setting.

    • 1 hour—data is displayed for the previous hour.
    • 1 day—data is displayed for the previous day.
    • 7 days—data is displayed for the previous 7 days.
    • 30 days—data is displayed for the previous 30 days.
    • In period—data is displayed for a custom time period.

      If you select this option, use the opened calendar to select the start and end dates of the period and click Apply Filter. The date and time format depends on your operating system's settings. You can also manually change the date values if necessary.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  • Show data for previous period—enable the display of data for two periods at the same time: for the current period and for the previous period.
  • Color is a drop-down list where you can select the color for displaying information:
    • default for your browser's default font color
    • green
    • red
    • blue
    • yellow
  • Horizontal makes the histogram horizontal instead of vertical.

    When this setting is enabled, all available information is fitted into the configured widget size. If the amount of data is great, you can increase the size of the widget to display it optimally.

  • Show total shows sums total of the values.
  • Legend displays a legend for analytics.

    The toggle switch is turned on by default.

  • Show nulls in legend displays parameters with a null value in the legend for analytics.

    The toggle switch is turned off by default.

  • Period segments length (available for graphs of the Date Histogram type) sets the length of segments into which you want to divide the period.
Page top
[Topic 265239]