Create a dashboard widget

A dashboard widget is a chart or graph that visualizes a dataset.

Tip: You can use Aurora Security Assistant to create widgets. For more information, see Aurora Security Assistant.

These resources are required:

  • A Managed Detection and Response (MDR) license.
  • A full Data Explorer license.

    For more information, see Data Explorer license options.

  • Administrator permissions for the Arctic Wolf Unified Portal.

    You must be a primary or secondary contact. If you require this level of access, submit your request to a primary or secondary contact in your organization.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. Open a custom dashboard for editing using one of these actions:
  3. To create a widget without using a predefined dataset as your starting point, click Dashboard Actions > Add Custom Widget at the top of the dashboard.
  4. To create a custom widget based on an existing widget, complete these steps:
    1. Insert a widget from the widget gallery or copy a widget:
      • To add a widget from the widget gallery — Click Dashboard Actions > Widget Gallery, and then click Add to add a widget. To close the widget gallery, click Close.
      • To copy a widget on the current dashboard — Click Actions > Duplicate.
      • To copy a widget from another dashboard — See Copy a widget to another dashboard.
    2. To edit a widget, click Actions > Edit.
  5. In the Query Builder section:
    1. Use operators to define a dataset for the widget.
      For more information, see Query Builder.
    2. Click Search Data.
      Search results appear in the Event Logs section.
    3. Review the Event Logs section to make sure that you have the desired dataset.
  6. In the Data Visualization Settings section:
    1. In the Chart Type list, select a data visualization option.
      More fields appear based on the selected Chart Type option.
    2. Fill in the fields for the selected Chart Type option.
      For more information, see Data visualization settings.
    3. In the Widget Name field, enter a name for the widget.
    4. Optional: In the Widget Description field, enter a brief description of the widget.
  7. To preview the widget, click Update Visualization.
  8. If necessary, change the chart type or modify the dataset. Then, preview the widget again.
  9. Click Update Widget or Add Widget to Dashboard.

Example widgets

These are examples of widgets that you can add to a custom dashboard.

Create a lockouts by username widget

You can create a widget showing the top user accounts generating user lockout messages in an environment. Windows event code 4740 is the code for user lockout.

  1. Open a custom dashboard for editing.
  2. At the top of the dashboard, click Add Widget.
  3. For the first rule, enter these values:
    • Field: event.code
    • Operator: =
    • Value: 4740
  4. Click Search Data.
  5. In the Data Visualization Settings section, enter these values:
    • Chart Type: Vertical Bar Chart
    • Group By: user.name
      Tip: You can also group by host.hostname to see the top devices where user lockouts occur.
    • Aggregation: Count
    • Widget Name: Lockouts by Username
  6. Click Update Visualization.
    The data appears in a vertical bar chart.
  7. Click Add Widget to Dashboard.

Create a top 5 Sysmon events widget

You can create a widget showing the top events from Sysmon.

  1. Open a custom dashboard for editing.
  2. At the top of the dashboard, click Add Widget.
  3. In the first rule, enter these values:
    • Field: event.provider
    • Operator: =
    • Value: Microsoft-Windows-Sysmon
  4. Make sure that AND is selected.
  5. Click + Rule.
  6. In the new rule, enter these values:
    • Field: rule.description
    • Operator: Exists
  7. Click Search Data.
  8. In the Data Visualization Settings section, enter these values:
    • Chart Type: Horizontal Bar Chart
    • Group By: rule.description
    • Aggregation: Count
    • Widget Name: Sysmon Events
  9. Click Update Visualization.
    The data appears in a horizontal bar chart.
  10. Click Add Widget to Dashboard.
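
To sanity-check what the two example widgets should display, the following added example (not Arctic Wolf code) reproduces their rule, Group By, and Count settings over a few constructed events. It assumes that events are flat records keyed by the dotted field names, that = is an exact match, and that Exists means the field is present and non-empty; the function names are hypothetical.

```python
from collections import Counter

# Constructed sample events, keyed by the field names used in the steps above.
EVENTS = [
    {"event.code": "4740", "user.name": "alice", "host.hostname": "dc01"},
    {"event.code": "4740", "user.name": "alice", "host.hostname": "dc01"},
    {"event.code": "4740", "user.name": "bob", "host.hostname": "dc02"},
    {"event.code": "4624", "user.name": "carol", "host.hostname": "ws07"},
    {"event.provider": "Microsoft-Windows-Sysmon", "rule.description": "Process Create"},
    {"event.provider": "Microsoft-Windows-Sysmon", "rule.description": "Process Create"},
    {"event.provider": "Microsoft-Windows-Sysmon", "rule.description": "Network Connect"},
    {"event.provider": "Microsoft-Windows-Sysmon"},  # no rule.description: fails Exists
]

def matches(event, rule):
    """Evaluate one (field, operator, value) rule; operator semantics are assumed."""
    field, op, value = rule
    if op == "Exists":
        return event.get(field) not in (None, "")
    if op == "=":
        return field in event and str(event[field]) == str(value)
    raise ValueError(f"unsupported operator: {op}")

def widget_counts(events, rules, group_by, top=None):
    """AND all rules together, then count matching events per group_by value."""
    counts = Counter(
        e[group_by]
        for e in events
        if all(matches(e, r) for r in rules) and e.get(group_by) not in (None, "")
    )
    return counts.most_common(top)  # highest count first, like a sorted bar chart

def lockouts_by(events, group_by="user.name"):
    """Lockouts widget: event.code = 4740, grouped by user or host."""
    return widget_counts(events, [("event.code", "=", "4740")], group_by)

def top_sysmon_events(events, top=5):
    """Sysmon widget: provider rule AND rule.description Exists."""
    rules = [("event.provider", "=", "Microsoft-Windows-Sysmon"),
             ("rule.description", "Exists", None)]
    return widget_counts(events, rules, "rule.description", top)

if __name__ == "__main__":
    print(lockouts_by(EVENTS))
    print(lockouts_by(EVENTS, "host.hostname"))
    print(top_sysmon_events(EVENTS))
```

Comparing these counts with the Event Logs section after clicking Search Data helps confirm that a rule is not silently excluding events, such as Sysmon records without a rule.description value.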