Basics of managing widgets

The principle of data display in the widget depends on the type of the graph. The following graph types are available in KUMA:

Basics of general widget management

The name of the widget is displayed in the upper left corner of the widgets. By clicking the link with the name of the widget about events, alerts, incidents, or active lists, you can go to the corresponding section of the KUMA web interface.

A list of tenants for which data is displayed is located under the widget name.

In the upper right corner of the widget, the period for which data is displayed on the widget is indicated (for example, 30 days). Keep in mind that the data displayed in the dashboard may lag behind real time because of caching. You can view the date and time of the last update by hovering over the period icon.

If the Show data for previous period setting is enabled for the widget, and the widget is displaying data for a relative period, the tooltip also displays the previous period. The previous period is calculated relative to the current period as start and end values of the current period minus the duration of the current period. For example, if data is updated daily and displayed for a month, but only the first 10 days of the month have passed, the previous period is taken to be the last 10 days of the previous month.

You can change the data display period for the widget by clicking the period icon and selecting an exact date or a relative period in the window that is displayed. If you want the widget to display data for the period selected for the layout, click the Reset button. Changing the displayed period on the layout also changes the period displayed in the widget.

The time in the widget is displayed in the local time zone set in the browser.

The CSV button is located to the left of the period icon. You can download the data displayed on the widget in CSV format (UTF-8 encoding). The downloaded file name has the format <widget name>_<download date (YYYYMMDD)>_<download time (HHMMSS)>.CSV.

The widget displays data for the period selected in widget or layout settings only for the tenants that are selected in widget or layout settings.

Basics of managing Pie chart graphs

A pie chart is displayed under the list of tenants. You can left-click the selected segment of the diagram to go to the relevant section of the KUMA web interface. The data in that section is sorted in accordance with the filters and/or search query specified in the widget.

Under the period icon, the number of events, active lists, assets, alerts, or incidents grouped by the selected criteria for the data display period will be displayed.

Examples:

  • In the Alerts by status widget, under the period icon, the number of alerts grouped by the New, Open, Assigned, or Escalated status is displayed.

    If you want to see the legend only for alerts with the Opened and Assigned status, you can clear the check boxes to the left of the New and Escalated statuses.

  • In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, Name AS `value` FROM `events` GROUP BY Name ORDER BY `metric` DESC LIMIT 10 is specified, 10 events are displayed below the period icon, grouped by name and sorted in descending order.

    If you want to view events with specific names in the legend, you can clear the check boxes to the left of the names of events that you do not want to see in the legend.

Basics of managing Counter graphs

Graphs of this type display the sum total of selected data.

Example 1:

The Number of assets widget displays the total number of assets added to KUMA.

Example 2:

If you want to view trends to compare current data with data for a past period, you can create a widget that displays upward or downward trends. Trends can be configured in the following widgets:

  • Assets → Number of assets.
  • Assets → Customized widget.
  • Alerts → Active alerts.
  • Alerts → Unassigned alerts.
  • Incidents → Active incidents.
  • Incidents → Unassigned incidents.
  • Incidents → All incidents.
  • Users → Number of AD users.

    To configure the display of trends, you need to enable the Show data for previous period toggle switch, and then select a trend on the Appearance tab. If the percentage value cannot be calculated, or if the values are equal, a horizontal line is displayed. If there is no data for the past period, KUMA displays the value in absolute units. A green arrow on the chart indicates an upward trend, and a red arrow indicates a downward trend.

    You can right-click the widget to cycle through data representation modes (for example, to display absolute values instead of percentages). This functionality is available when the widget is displayed on the dashboard and when the TV mode is on.
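The previous-period rule given in the general widget section above (both bounds of the current period shifted back by its duration) and the trend rules for Counter widgets (percentage change, horizontal line when the percentage cannot be calculated or the values are equal, absolute value when the past period has no data) are small enough to model exactly. The following Python is an added illustration, not KUMA code; the function names, the tuple it returns and the choice to show a horizontal line together with an absolute value are assumptions of this example.

```python
from datetime import datetime
from typing import Optional, Tuple


def previous_period(start: datetime, end: datetime) -> Tuple[datetime, datetime]:
    """Previous period as the docs define it: both bounds of the current
    period shifted back by the current period's duration."""
    if end <= start:
        raise ValueError("the period end must be later than its start")
    duration = end - start
    return start - duration, end - duration


def trend(current: float, previous: Optional[float]) -> Tuple[str, float, str]:
    """What a Counter widget shows with 'Show data for previous period' enabled.

    Returns (arrow, value, unit):
      arrow is "up", "down" or "flat" (the horizontal line);
      unit is "percent" for a percentage change, or "absolute" when the
      previous period has no data and the absolute value is shown instead.
    """
    if previous is None:
        # No data for the past period: the value is shown in absolute units.
        # Pairing it with a horizontal line is an assumption of this example.
        return "flat", current, "absolute"
    if previous == 0 or current == previous:
        # Percentage cannot be calculated (division by zero) or the values
        # are equal: a horizontal line is displayed.
        return "flat", 0.0, "percent"
    change = (current - previous) / previous * 100.0
    return ("up" if change > 0 else "down"), change, "percent"


if __name__ == "__main__":
    # Constructed scenario from the docs: data for a month, 10 days elapsed.
    cur_start, cur_end = datetime(2024, 3, 1), datetime(2024, 3, 11)
    print(previous_period(cur_start, cur_end))  # last 10 days of February
    print(trend(120, 100), trend(80, 100), trend(100, 100), trend(42, None))
```

Note that `previous == 0` is handled before the division: a widget whose previous period had zero objects would otherwise raise instead of drawing the horizontal line the documentation describes.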

Basics of managing Table graphs

Graphs of this type display data in a table format.

Example:

The Events widget, for which the SQL query SELECT TenantID, Timestamp, Name, DeviceProduct, DeviceVendor FROM `events` LIMIT 10 is specified, displays an event table with TenantID, Timestamp, Name, DeviceProduct, and DeviceVendor columns. The table contains 10 rows.

You can customize the display of data in the table using two-color or three-color gradient fill. After selecting the type of gradient, you can adjust the direction of the fill by clicking the toggle direction icon and set thresholds. Two values must be specified for a two-color gradient, and three for a three-color gradient. These values are displayed in the legend and determine the color of the cells in the table column. You can select the color from the Field for gradient indicator drop-down list.

Basics of managing Bar chart graphs

A bar chart is displayed below the list of tenants. You can left-click the selected diagram section to go to the Events section of the KUMA web interface. The data in that section is sorted in accordance with the filters and/or search query specified in the widget. To the right of the chart, the same data is represented as a table.

Example:

In the Netflow top internal IPs widget, for which the SQL query SELECT sum(BytesIn) AS metric, DestinationAddress AS value FROM `events` WHERE (DeviceProduct = 'netflow' OR DeviceProduct = 'sflow') AND (inSubnet(DestinationAddress, '10.0.0.0/8') OR inSubnet(DestinationAddress, '172.16.0.0/12') OR inSubnet(DestinationAddress, '192.168.0.0/16')) GROUP BY DestinationAddress ORDER BY metric DESC LIMIT 10 is specified, the x-axis of the chart corresponds to the total traffic in bytes, and the y-axis corresponds to destination addresses. The data is grouped by destination address in descending order of total traffic.

You can also customize the display of bars using two-color or three-color gradient fill. After selecting the type of gradient, you can adjust the direction of the fill by clicking the toggle direction icon and set thresholds. Two values must be specified for a two-color gradient, and three for a three-color gradient. These values are displayed in the legend and determine the coloring of the bars.

Basics of managing Date Histogram graphs

A date histogram is displayed below the list of tenants. You can left-click the selected section of the chart to go to the Events section of the KUMA web interface with the relevant data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget. To the right of the chart, the same data is represented as a table.

Example:

In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, Timestamp AS `value` FROM `events` GROUP BY Timestamp ORDER BY `metric` DESC LIMIT 250 is specified, the x-axis of the diagram corresponds to event creation date, and the y-axis corresponds to the approximate number of events. Events are grouped by creation date in descending order.

If you select the Bar chart timeline view when creating the widget, you can customize the display of the bars using a two-color or three-color gradient fill. After selecting the type of gradient, you can adjust the direction of the fill by clicking the toggle direction icon and set thresholds. Two values must be specified for a two-color gradient, and three for a three-color gradient. These values are displayed in the legend and determine the coloring of the bars.
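The gradient fill described for Table, Bar chart and Date Histogram widgets comes down to a mapping from a cell or bar value to a color, driven by two or three thresholds and a direction toggle. The Python below is an added example and not KUMA code: the documentation only says that the thresholds determine the coloring, so the linear interpolation between neighboring thresholds, the clamping outside the range, and modelling the direction toggle as reversing the color order are assumptions of this example.

```python
from typing import Sequence, Tuple

RGB = Tuple[int, int, int]


def _to_hex(c: RGB) -> str:
    return "#{:02x}{:02x}{:02x}".format(*c)


def _lerp(a: RGB, b: RGB, t: float) -> RGB:
    # Linear interpolation between two colors, channel by channel.
    return tuple(int(round(x + (y - x) * t)) for x, y in zip(a, b))


def gradient_color(value: float, thresholds: Sequence[float],
                   colors: Sequence[RGB], reverse: bool = False) -> str:
    """Color for a cell or bar value under a two- or three-color gradient.

    thresholds: 2 values (two-color) or 3 values (three-color), ascending.
    colors:     one RGB color per threshold.
    reverse:    the 'toggle direction' control, modelled here as reversing
                the color order (assumption of this example).
    Values at or below the first threshold get the first color, values at or
    above the last threshold get the last color, values in between are
    interpolated linearly (also an assumption; the docs do not specify this).
    """
    if len(thresholds) not in (2, 3):
        raise ValueError("a gradient needs exactly two or three thresholds")
    if len(colors) != len(thresholds):
        raise ValueError("one color per threshold is required")
    if any(a >= b for a, b in zip(thresholds, thresholds[1:])):
        raise ValueError("thresholds must be strictly ascending")
    cols = list(reversed(colors)) if reverse else list(colors)
    if value <= thresholds[0]:
        return _to_hex(cols[0])
    if value >= thresholds[-1]:
        return _to_hex(cols[-1])
    for (t0, t1), (c0, c1) in zip(zip(thresholds, thresholds[1:]), zip(cols, cols[1:])):
        if t0 <= value <= t1:
            return _to_hex(_lerp(c0, c1, (value - t0) / (t1 - t0)))
    raise AssertionError("unreachable: value lies inside the threshold range")


RED, YELLOW, GREEN = (255, 0, 0), (255, 255, 0), (0, 255, 0)

if __name__ == "__main__":
    # Constructed sample column values (for example, bytes per destination address).
    for v in (-5, 25, 60, 150):
        print(v, gradient_color(v, (0, 100), (RED, GREEN)),
              gradient_color(v, (0, 50, 100), (RED, YELLOW, GREEN)))
```

Validating that the thresholds are strictly ascending is what prevents a division by zero in the interpolation; a widget configured with two equal thresholds would otherwise fail on the first value between them.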

Example:

If an additional category field is used in the SQL query (for example, Type or CorrelationRuleName), the bar chart becomes a stacked bar chart. This means that each bar is segmented based on the unique values of the field marked as value.

SELECT count(ID) AS `metric`, Timestamp AS `category`, Type AS `value`
FROM `events`
GROUP BY Timestamp, Type
ORDER BY metric DESC
LIMIT 250

The X axis indicates the time intervals, and the Y axis indicates the number of events. Each segment of the bar corresponds to one value of the Type field, which is the field marked as value.

If you select the Line chart timeline view when creating the widget, you can display multiple graphs in the same widget. This allows comparing data for different correlation rules, users, or hosts.

Example:

When creating a Date Histogram widget with the Line chart timeline view, the user specifies the following SQL query to track the dynamics of correlation rules triggering:

SELECT count(ID) AS `metric`, Timestamp AS `category`, CorrelationRuleName AS `value`
FROM `events`
WHERE Type = 3
GROUP BY Timestamp, CorrelationRuleName
ORDER BY metric DESC
LIMIT 250

The chart displays the intervals on the X-axis (the field specified as the category). The Y-axis displays the number of times the correlation rules were triggered (the field specified as metric). Each line on the chart corresponds to a unique value in the value field. In this case, this is the name of the correlation rule.

Additionally, you can use the following time fields in charts:

  • Timestamp
  • DeviceCustomDate1
  • DeviceCustomDate2
  • EndTime
  • FileCreateTime
  • FileModificationTime
  • FlexDate1
  • OldFileCreateTime
  • OldFileModificationTime
  • DeviceReceiptTime
  • StartTime

For convenience, we recommend rounding the values in the time field (Timestamp), for example, to 1 hour or 1 day.

For a Date Histogram widget with the Line chart timeline view, you can also configure the display of the average value. To do this, on the Appearance tab, for the Regression setting, select LOESS.

Basics of managing Line chart graphs

A line chart is displayed below the list of tenants. You can left-click the selected section of the chart to go to the Events section of the KUMA web interface with the relevant data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget. To the right of the chart, the same data is represented as a table.

Example:

In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, SourcePort AS `value` FROM `events` GROUP BY SourcePort ORDER BY `value` ASC LIMIT 250 is specified, the x-axis corresponds to the approximate port number, and the y-axis corresponds to the number of events. The data is grouped by port number in ascending order.

For a Line chart widget, you can also configure the display of the average value. To do this, on the Appearance tab, for the Regression setting, select Linear. If the chart displays multiple categories, the average is displayed for each category.
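The Date Histogram queries above (count per rounded Timestamp and per value field, optionally filtered with WHERE Type = 3) and the Line chart query (count per SourcePort with a Linear regression line) can be reproduced on a handful of events to see what each axis and each line actually contains. The Python below is an added example and not KUMA code. The events are constructed; Timestamp is taken to be epoch milliseconds because the documentation's own query casts it with fromUnixTimestamp64Milli, and the function names, the hour-aligned base timestamp and the least-squares fit on bucket index are assumptions of this example (the documentation offers LOESS for the Date Histogram; a least-squares line is used here as the simpler Linear option shown for Line charts).

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

HOUR_MS = 3_600_000
# Constructed sample events, not real KUMA data. Timestamp is epoch milliseconds.
BASE = 472_223 * HOUR_MS  # an hour-aligned epoch value chosen for the example
EVENTS = [
    {"Timestamp": BASE + 5 * 60_000,        "Type": 3, "CorrelationRuleName": "R1", "SourcePort": 443},
    {"Timestamp": BASE + 20 * 60_000,       "Type": 3, "CorrelationRuleName": "R1", "SourcePort": 443},
    {"Timestamp": BASE + 40 * 60_000,       "Type": 3, "CorrelationRuleName": "R2", "SourcePort": 8080},
    {"Timestamp": BASE + HOUR_MS + 1,       "Type": 3, "CorrelationRuleName": "R1", "SourcePort": 443},
    {"Timestamp": BASE + 2 * HOUR_MS + 10,  "Type": 1, "CorrelationRuleName": "",   "SourcePort": 22},
    {"Timestamp": BASE + 2 * HOUR_MS + 20,  "Type": 3, "CorrelationRuleName": "R1", "SourcePort": 22},
]


def round_down(ts_ms: int, bucket_ms: int = HOUR_MS) -> int:
    """Round a timestamp down to the start of its bucket: the recommended
    rounding of the time field, to 1 hour by default."""
    return ts_ms - ts_ms % bucket_ms


def date_histogram(events: List[dict], value_field: str, bucket_ms: int = HOUR_MS,
                   type_filter: Optional[int] = None) -> Dict[object, List[Tuple[int, int]]]:
    """Counts per (value, time bucket), mirroring
    SELECT count(ID) AS metric, Timestamp AS category, <value_field> AS value
    ... GROUP BY Timestamp, <value_field>, with Timestamp rounded to the bucket.
    Returns {value: [(bucket_start_ms, count), ...]} sorted by bucket; each key
    is one stacked segment (Bar chart view) or one line (Line chart view)."""
    counts: Dict[object, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if type_filter is not None and ev["Type"] != type_filter:
            continue  # the WHERE Type = 3 clause of the docs' example
        counts[ev[value_field]][round_down(ev["Timestamp"], bucket_ms)] += 1
    return {v: sorted(b.items()) for v, b in counts.items()}


def count_by(events: List[dict], field: str) -> List[Tuple[object, int]]:
    """Counts per field value sorted ascending by value, like the line chart
    query SELECT count(ID) AS metric, SourcePort AS value ... ORDER BY value ASC."""
    counts: Dict[object, int] = defaultdict(int)
    for ev in events:
        counts[ev[field]] += 1
    return sorted(counts.items())


def linear_fit(series: List[Tuple[float, float]]) -> Tuple[float, float]:
    """Least-squares line y = slope * x + intercept through (x, y) points:
    the 'Linear' regression option of a Line chart."""
    n = len(series)
    if n < 2:
        raise ValueError("at least two points are needed for a regression line")
    mx = sum(x for x, _ in series) / n
    my = sum(y for _, y in series) / n
    sxx = sum((x - mx) ** 2 for x, _ in series)
    if sxx == 0:
        raise ValueError("all x values are equal; the slope is undefined")
    slope = sum((x - mx) * (y - my) for x, y in series) / sxx
    return slope, my - slope * mx


if __name__ == "__main__":
    rules = date_histogram(EVENTS, "CorrelationRuleName", type_filter=3)
    for rule, series in rules.items():
        # Fit on the bucket index so x is "hours since the first bucket".
        indexed = [((b - BASE) // HOUR_MS, c) for b, c in series]
        print(rule, series, linear_fit(indexed) if len(indexed) > 1 else None)
    ports = count_by(EVENTS, "SourcePort")
    print(ports, linear_fit(ports))
```

Without the rounding, every event with a distinct millisecond timestamp would become its own bucket, which is exactly the picture the recommendation to round the time field is meant to avoid.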

Basics of managing graphs of the Stacked bar chart type

A stacked bar chart with a legend is displayed below the list of tenants. The legend displays the names of categories by which the bars are sliced. To the left of each category is a check box that lets you hide or show the category. The number of bars in the chart corresponds to the number of values in the selected grouping. The bars have captions. The color of the corresponding category in the bar is assigned automatically. When you hover over the zones of the bars, a tooltip is displayed with the value and a description of the value. You can left-click the selected diagram section to go to the Events section of the KUMA web interface.

The meaning of bar height depends on the Format setting:

If, when creating a custom widget based on the stacked bar chart, you selected the Show data for previous period option, and the standard value, category, and metric aliases are used in the query, the chart displays previous-period data as separate bars. However, if instead of the standard metric the query uses a custom metric calculation with non-standard aliases, the Show data for previous period option is not taken into account when displaying the chart (see example queries below).

Examples:

When creating a custom widget of the Stacked Bar chart type based on an SQL query of an Events widget, the following rules apply:

  • The field in the query that is specified as the value alias (mandatory) is used in the chart as the field by which the legend is created and the bars are divided into categories.
  • The field in the query that is specified as the category alias (mandatory) is used in the chart as the field that defines the arrangement of bars along the X axis.
  • The field in the query specified as the metric alias is used in the chart as the field that defines how bar areas are counted. In this case, the distribution is performed automatically.

However, you can manage the count by using standard aggregation functions (sum, avg, min, max, count) and your own arbitrarily named aliases as metrics instead of the standard metric alias (in this case, the display of data for the previous period is not supported).

Example 1:

For the Events widget, the following SQL query is specified with standard aliases, and the Show data for previous period option was selected when creating the widget:

SELECT count(ID) AS `metric`,
Type AS `value`,
TenantID AS `category`
FROM `events`
GROUP BY value, category
ORDER BY metric DESC

The X-axis stands for tenants (the field specified as the category), the Y-axis stands for the number of events of a certain type (the field specified as the value). Inside each bar, the quantity corresponding to a certain type is represented by a certain color. In the legend, the names of the event types by which the bars are divided are displayed as categories. Each category has an automatically assigned corresponding color on the bar. If you want to view only certain event types in the chart, you can clear or select the check boxes to the left of the corresponding event types in the legend.

Next to each bar, an additional bar is displayed with historical data, if such data was received in the query response.

Example 2:

For the Events widget, the following SQL query is specified with custom metrics specified as the Base and Audit aliases instead of the standard metric alias:

SELECT SUM(IF (Type = 1,1,0)) AS `Base`,
SUM(IF (Type = 4,1,0)) AS `Audit`,
TenantID as `category`
FROM `events`
GROUP BY category

The X-axis stands for tenants (the field specified as category), the Y-axis stands for the number of events of each type (custom metrics specified as Base and Audit). Inside each bar, the quantity corresponding to a certain metric is represented by a certain color. In the legend, the Base and Audit metrics by which the bars are divided into categories are displayed as category names. Each category has an automatically assigned corresponding color on the bar. If you want to view only events corresponding to a certain metric in the chart, you can clear or select the check boxes to the left of the relevant metric in the legend.

The additional bar with historical data is not displayed for a query with custom metrics, even if the Show data for previous period option was selected when creating the widget.

Example 3:

For the Events widget, the following SQL query is specified with standard aliases:

SELECT count(ID) AS `metric`,
TenantID as `value`,
Type as `category`
FROM events
GROUP BY value, category
ORDER BY metric DESC

In contrast to the similar query in example 1, in this case, the X-axis stands for the types of events (the field specified as the category), and the tenants (the field specified as the value) are represented by ranges of values in the bars (along the X axis) and the corresponding captions in the legend.
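The alias rules for the Stacked bar chart (value selects the legend and the segments, category the X axis, metric the segment size; custom metrics replace metric and drop previous-period support) and the difference between examples 1 and 3 can be checked on the query results themselves. The Python below is an added example, not KUMA code: the rows are constructed to look like the results of the example queries, and the function names, the returned role dictionary and the rule that every non-standard column counts as a custom metric are assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, Sequence

STANDARD_ALIASES = ("metric", "value", "category")


def chart_roles(columns: Sequence[str]) -> dict:
    """How a Stacked bar chart interprets the result columns of a widget query.

    Standard aliases: value -> legend and segments, category -> X axis,
    metric -> segment size; previous-period data is supported.
    Custom metrics: every column other than the standard aliases is its own
    metric and becomes a legend entry; previous-period data is not supported.
    """
    cols = list(columns)
    if "category" not in cols:
        raise ValueError("the category alias is mandatory")
    if "metric" in cols and "value" in cols:
        return {"x_axis": "category", "legend": "value", "metrics": ["metric"],
                "custom": False, "previous_period_supported": True}
    custom = [c for c in cols if c not in STANDARD_ALIASES]
    if not custom:
        raise ValueError("either metric and value, or at least one custom metric column, is required")
    return {"x_axis": "category", "legend": custom, "metrics": custom,
            "custom": True, "previous_period_supported": False}


def stacked_bars(rows: List[dict]) -> Dict[object, Dict[object, float]]:
    """Pivot query rows into {x_value: {segment: height}} for drawing."""
    if not rows:
        return {}
    roles = chart_roles(list(rows[0].keys()))
    bars: Dict[object, Dict[object, float]] = defaultdict(dict)
    for r in rows:
        if roles["custom"]:
            for m in roles["metrics"]:          # example 2: Base and Audit
                bars[r["category"]][m] = r[m]
        else:
            bars[r["category"]][r["value"]] = r["metric"]
    return dict(bars)


def legend(bars: Dict[object, Dict[object, float]]) -> list:
    """Legend entries: every segment name that occurs in any bar."""
    return sorted({seg for segs in bars.values() for seg in segs}, key=str)


def swap_axes(bars: Dict[object, Dict[object, float]]) -> Dict[object, Dict[object, float]]:
    """Effect of exchanging the value and category aliases (example 1 vs example 3)."""
    out: Dict[object, Dict[object, float]] = defaultdict(dict)
    for x, segs in bars.items():
        for seg, height in segs.items():
            out[seg][x] = height
    return dict(out)


if __name__ == "__main__":
    # Constructed result rows of the example 1 query (standard aliases).
    ex1 = [{"metric": 120, "value": 1, "category": "T1"},
           {"metric": 30, "value": 4, "category": "T1"},
           {"metric": 50, "value": 1, "category": "T2"}]
    # Constructed result rows of the example 2 query (custom metrics).
    ex2 = [{"Base": 120, "Audit": 30, "category": "T1"},
           {"Base": 50, "Audit": 0, "category": "T2"}]
    for rows in (ex1, ex2):
        print(chart_roles(list(rows[0].keys())), stacked_bars(rows), legend(stacked_bars(rows)))
    print(swap_axes(stacked_bars(ex1)))  # what example 3 draws
```

The `previous_period_supported` flag is the practical check to run before enabling Show data for previous period on a custom widget: a query like example 2 will silently draw no historical bar, so a dashboard that relies on trend comparison should keep the standard aliases.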

Example 4:

For the Events widget, the following SQL query is specified with standard aliases:

SELECT count(ID) AS `metric`,
CAST(fromUnixTimestamp64Milli(Timestamp) AS DATE) AS `category`,
Type as `value`
FROM `events`
GROUP BY category, value
ORDER BY category DESC

The chart displays the days of the month on the X axis (the field specified as the category). The Y axis displays the number of events of a particular type (the field specified as the value).

To create a similar chart with bars arranged by date and/or time, use a query with grouping and sorting by the following fields of the timestamp type:

  • Timestamp
  • DeviceCustomDate1
  • DeviceCustomDate2
  • EndTime
  • FileCreateTime
  • FileModificationTime
  • FlexDate1
  • OldFileCreateTime
  • OldFileModificationTime
  • DeviceReceiptTime
  • StartTime

We recommend using the Date Histogram to work with data that is arranged by date and/or time.

Basics of managing Speedometer charts

This type of chart displays the percentage of the number of objects of the selected category vs the total number of objects for a certain period. The Speedometer chart can be used for the following objects:

The value on the chart is displayed as a percentage with a color matching the configured ranges of values. By default, the following ranges are specified: 0–30, 30–70, 70–100.

Example 1:

In the Assets customized widget, the user selects an asset category for comparing the number of assets in it with the total number of assets. The user can specify threshold values for the scale on the graph. Then, based on one or more conditions for the Y-axis, a calculation is performed with the existing asset database.

Example 2:

In the Alerts widget, you can select the Speedometer chart type for the Active alerts and Unassigned alerts categories. For alerts, a tenant and a period for analysis are selected. By default, these values match the values specified in the relevant dashboard. In the total number of alerts, you can also display data for the previous period.

The percentage value for the Active incidents and Unassigned incidents categories is calculated in the same way in the Incidents widget.

Example 3:

In the Events widget, for the Speedometer chart type, the user specifies a tenant, a period for analysis, and the event data storage. The SQL query is displayed as follows:

SELECT count(ID) AS `metric`, SourcePort AS `value` FROM `events` GROUP BY SourcePort ORDER BY value ASC LIMIT 250
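The Speedometer value is a share of the selected category in the total for the period, colored by the configured ranges (0–30, 30–70, 70–100 by default). The Python below is an added example, not KUMA code, applying that rule both to plain counts (assets, alerts) and to grouped rows such as the SourcePort query above. The documentation does not say whether a value exactly on a boundary belongs to the lower or the upper range, nor what is shown when there are no objects at all; treating boundaries as lower-inclusive (the last range also including 100) and returning None for an empty total are assumptions of this example, as are the function names.

```python
from typing import List, Optional, Sequence, Tuple

DEFAULT_RANGES: Sequence[Tuple[float, float]] = ((0, 30), (30, 70), (70, 100))


def speedometer(selected: int, total: int,
                ranges: Sequence[Tuple[float, float]] = DEFAULT_RANGES) -> Optional[Tuple[float, int]]:
    """Percentage of objects in the selected category vs all objects, and the
    index of the range whose color applies.

    Boundaries are treated as lower-inclusive, [lo, hi), with the last range
    also including its upper bound (assumption of this example).
    """
    if selected < 0 or total < 0 or selected > total:
        raise ValueError("counts must be non-negative and selected <= total")
    if total == 0:
        return None  # no objects in the period: the percentage is undefined
    pct = selected * 100.0 / total  # multiply first to keep 7/10 -> 70.0 exact
    for i, (lo, hi) in enumerate(ranges):
        last = i == len(ranges) - 1
        if lo <= pct < hi or (last and pct == hi):
            return pct, i
    raise ValueError("percentage %.1f is outside the configured ranges" % pct)


def share_from_rows(rows: List[dict], selected_value) -> Optional[Tuple[float, int]]:
    """Apply the gauge to grouped rows with metric/value aliases, for example
    the count-per-SourcePort query: share of events seen on selected_value."""
    total = sum(r["metric"] for r in rows)
    selected = sum(r["metric"] for r in rows if r["value"] == selected_value)
    return speedometer(selected, total)


if __name__ == "__main__":
    # Constructed counts: 15 of 100 assets in the chosen category.
    print(speedometer(15, 100))
    # Constructed result rows of the SourcePort query.
    rows = [{"metric": 3, "value": 443}, {"metric": 1, "value": 22}]
    print(share_from_rows(rows, 443))
```

A gauge configured with ranges that do not cover 0–100 contiguously leaves some percentages without a color; the final `ValueError` makes that configuration mistake visible instead of silently drawing nothing.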
