Alert Type Proportion in Detection Sources

Shows the relative proportion of alert types within each detection source.

Bar Chart type: multiple series - 100% stacked bars.

Sample input data:

  alert_type   detection_source   host    timestamp
  Process      EDR                host1   2025-08-11T00:01:23Z
  Network      Firewall           host2   2025-08-11T00:01:24Z
  File         EDR                host3   2025-08-11T00:01:25Z
  Network      Firewall           host4   2025-08-11T00:01:26Z
  Process      EDR                host5   2025-08-11T00:01:27Z

Query:

  detection_source=* alert_type=*
  | groupBy([detection_source, alert_type], limit=max)

Query breakdown:

  1. Filter for relevant events: only events that carry both a detection_source and an alert_type field are kept.

  2. Group events by two fields: detection_source and alert_type.

  3. Count events for each unique combination of the two fields.

Visualization: a stacked bar chart with 100% normalization.
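As an added example (Python, not LogScale, and not part of the original page), the following reproduces what the query and the Normalize setting compute over the sample input: the per-pair counts produced by groupBy, then each alert type's share within its detection source, which is what a 100% stacked bar displays. The sixth event, which has no alert_type, is constructed here to show why the alert_type=* filter drops it.

```python
from collections import Counter, defaultdict

# Constructed sample events mirroring the page's sample input table,
# plus one event without alert_type (not on the page) to exercise the filter.
SAMPLE_EVENTS = [
    {"alert_type": "Process", "detection_source": "EDR", "host": "host1", "timestamp": "2025-08-11T00:01:23Z"},
    {"alert_type": "Network", "detection_source": "Firewall", "host": "host2", "timestamp": "2025-08-11T00:01:24Z"},
    {"alert_type": "File", "detection_source": "EDR", "host": "host3", "timestamp": "2025-08-11T00:01:25Z"},
    {"alert_type": "Network", "detection_source": "Firewall", "host": "host4", "timestamp": "2025-08-11T00:01:26Z"},
    {"alert_type": "Process", "detection_source": "EDR", "host": "host5", "timestamp": "2025-08-11T00:01:27Z"},
    {"detection_source": "EDR", "host": "host6", "timestamp": "2025-08-11T00:01:28Z"},  # no alert_type
]


def group_by_source_and_type(events):
    """Equivalent of `detection_source=* alert_type=* | groupBy([detection_source, alert_type])`.

    Returns a Counter keyed by (detection_source, alert_type). Events missing
    either field never match the `field=*` filter, so they are not counted.
    """
    counts = Counter()
    for event in events:
        source = event.get("detection_source")
        alert_type = event.get("alert_type")
        if source is None or alert_type is None:
            continue
        counts[(source, alert_type)] += 1
    return counts


def normalize_per_source(counts):
    """What the Normalize checkbox does for a stacked bar: express each
    alert type's count as a fraction of its detection source's total, so
    every bar sums to 1.0 (100%)."""
    totals = defaultdict(int)
    for (source, _), n in counts.items():
        totals[source] += n
    shares = defaultdict(dict)
    for (source, alert_type), n in counts.items():
        shares[source][alert_type] = n / totals[source]
    return dict(shares)


if __name__ == "__main__":
    for source, by_type in normalize_per_source(group_by_source_and_type(SAMPLE_EVENTS)).items():
        print(source, {t: f"{share:.0%}" for t, share in by_type.items()})
```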

[Figure 214 image: stacked bar chart widget showing alert type proportions across detection sources, with five vertical bars giving the percentage distribution of alert categories (Credential, Data, Lateral, Privilege, Ransomware, Suspicious, Malware, Network, Command) and the Format Bar Chart panel visible on the right]

Figure 214. Alert Type Proportion in Detection Sources


Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Bar Chart in the Widget Selector

  3. Click the style icon: the side panel shows most settings already configured by default based on the query result. You may configure more settings manually, as follows.

  4. In Layout, select Stacked as the type.

  5. In Value axis (left):

    • Ensure that Type is set to Linear

    • Click the Normalize checkbox

    • Change Title to "percentage" to clearly indicate that the axis shows the relative proportion of the different alert types.

You can further customize this widget by setting more properties; see the Bar Chart Property Reference.