Event Detection Across Severity Levels

Compare the number of detection events across different severity levels (Critical, High, Medium, Low).

Bar Chart type: Single series.

Sample input data. Here is example input data for this scenario:

{"timestamp": "2025-08-11T00:01:23Z", "severity": "Critical", "detection_name": "Ransomware Activity", "host": "WORKSTATION01"}
{"timestamp": "2025-08-11T00:01:24Z", "severity": "High", "detection_name": "Suspicious PowerShell Execution", "host": "SERVER02"}
{"timestamp": "2025-08-11T00:01:25Z", "severity": "Medium", "detection_name": "Unusual Service Creation", "host": "WORKSTATION03"}
{"timestamp": "2025-08-11T00:01:26Z", "severity": "Low", "detection_name": "New User Added", "host": "SERVER01"}
{"timestamp": "2025-08-11T00:01:27Z", "severity": "Critical", "detection_name": "Credential Dumping", "host": "DC01"}
{"timestamp": "2025-08-11T00:01:28Z", "severity": "High", "detection_name": "Lateral Movement Attempt", "host": "WORKSTATION02"}
{"timestamp": "2025-08-11T00:01:29Z", "severity": "Medium", "detection_name": "Suspicious Registry Modification", "host": "SERVER03"}
{"timestamp": "2025-08-11T00:01:30Z", "severity": "High", "detection_name": "Suspicious Process Injection", "host": "WORKSTATION04"}
{"timestamp": "2025-08-11T00:01:31Z", "severity": "Low", "detection_name": "Failed Login Attempts", "host": "SERVER04"}
{"timestamp": "2025-08-11T00:01:32Z", "severity": "Critical", "detection_name": "Defense Evasion Attempt", "host": "DC02"}

Query. To create this bar chart, use the following query:

```logscale
severity=*
| groupBy(
    severity,
    function=count(),
    limit=4
  )
| sort(field=severity, order=asc)
```

The query performs the following operations:

  1. Matches all events in the selected time range.

  2. Filters for events that contain the severity field (severity=*); events without that field are dropped before aggregation.

  3. Groups the events by severity level, keeping at most four groups (limit=4, one per expected severity value).

  4. Counts how many events are in each severity group; count() writes the result to the _count field of each group.

  5. Sorts the results by the severity field in ascending order. Because severity is a string, this is alphabetical order (Critical, High, Low, Medium), not severity rank. To order the bars by volume instead, sort on the count field, for example sort(field=_count, order=desc).
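The following Python script is an added example, not part of the LogScale documentation, that emulates the query above over the page's sample events so you can check the expected bar heights and see how the two orderings differ. It assumes the same ten constructed events (plus one constructed event with no severity field, to show what severity=* filters out), and a hypothetical SEVERITY_RANK mapping that the query itself does not define.

```python
import json
from collections import Counter

# Constructed sample input: the page's ten detection events plus one constructed
# event without a severity field, added to show what `severity=*` drops.
SAMPLE_NDJSON = """\
{"timestamp": "2025-08-11T00:01:23Z", "severity": "Critical", "detection_name": "Ransomware Activity", "host": "WORKSTATION01"}
{"timestamp": "2025-08-11T00:01:24Z", "severity": "High", "detection_name": "Suspicious PowerShell Execution", "host": "SERVER02"}
{"timestamp": "2025-08-11T00:01:25Z", "severity": "Medium", "detection_name": "Unusual Service Creation", "host": "WORKSTATION03"}
{"timestamp": "2025-08-11T00:01:26Z", "severity": "Low", "detection_name": "New User Added", "host": "SERVER01"}
{"timestamp": "2025-08-11T00:01:27Z", "severity": "Critical", "detection_name": "Credential Dumping", "host": "DC01"}
{"timestamp": "2025-08-11T00:01:28Z", "severity": "High", "detection_name": "Lateral Movement Attempt", "host": "WORKSTATION02"}
{"timestamp": "2025-08-11T00:01:29Z", "severity": "Medium", "detection_name": "Suspicious Registry Modification", "host": "SERVER03"}
{"timestamp": "2025-08-11T00:01:30Z", "severity": "High", "detection_name": "Suspicious Process Injection", "host": "WORKSTATION04"}
{"timestamp": "2025-08-11T00:01:31Z", "severity": "Low", "detection_name": "Failed Login Attempts", "host": "SERVER04"}
{"timestamp": "2025-08-11T00:01:32Z", "severity": "Critical", "detection_name": "Defense Evasion Attempt", "host": "DC02"}
{"timestamp": "2025-08-11T00:01:33Z", "detection_name": "Agent Heartbeat", "host": "SERVER05"}
"""

# Assumed rank order for the four severity strings; the page's query defines no such order.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def count_by_severity(ndjson: str, limit: int = 4) -> dict[str, int]:
    """Emulate `severity=* | groupBy(severity, function=count(), limit=4)`.

    Returns {severity: count}. Events lacking a severity field are skipped,
    which is what the `severity=*` filter does. `limit` caps the number of
    groups; this emulation keeps the most frequent groups (an assumption about
    which groups would survive when the cap is exceeded).
    """
    counts: Counter[str] = Counter()
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = event.get("severity")
        if severity is None:
            continue
        counts[severity] += 1
    return dict(counts.most_common(limit))


def sort_alphabetically(counts: dict[str, int]) -> list[tuple[str, int]]:
    """Emulate `sort(field=severity, order=asc)`: lexical order of the string value."""
    return sorted(counts.items(), key=lambda kv: kv[0])


def sort_by_rank(counts: dict[str, int]) -> list[tuple[str, int]]:
    """Order bars by severity rank (Critical first); unknown values sort last."""
    return sorted(counts.items(),
                  key=lambda kv: SEVERITY_RANK.get(kv[0], len(SEVERITY_RANK)))


def sort_by_count_desc(counts: dict[str, int]) -> list[tuple[str, int]]:
    """Emulate `sort(field=_count, order=desc)`; ties are broken by severity rank."""
    return sorted(counts.items(),
                  key=lambda kv: (-kv[1], SEVERITY_RANK.get(kv[0], len(SEVERITY_RANK))))


if __name__ == "__main__":
    counts = count_by_severity(SAMPLE_NDJSON)
    print("groupBy result:", counts)
    print("sort(field=severity, order=asc):", sort_alphabetically(counts))
    print("ordered by severity rank:", sort_by_rank(counts))
    print("sort(field=_count, order=desc):", sort_by_count_desc(counts))
```

Run against the sample data, the groupBy emulation yields Critical 3, High 3, Medium 2, Low 2 (the heartbeat event is filtered out), and the alphabetical sort places Low before Medium, which is why a dashboard that needs Critical-to-Low ordering should sort on a rank field or on _count rather than on the severity string.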