Distribution of Security Alert Severities

Understand the overall risk landscape. This chart enables you to:

  • Quickly identify which severity levels are most common

  • Understand your overall risk landscape at a glance

  • Prioritise response efforts based on severity distribution

  • Track whether critical/high severity alerts are increasing over time

Visualization: the pie chart visualizes the proportion of alerts by severity level.

Figure 224. Distribution of Security Alert Severities (pie chart)


Sample input data:

alert_name              host       severity   timestamp
Ransomware Detection    LAPTOP01   Critical   2025-08-11T00:01:23Z
Suspicious PowerShell   SERVER01   High       2025-08-11T00:01:24Z
Failed Login            DESKTOP02  Medium     2025-08-11T00:01:25Z
Policy Violation        LAPTOP02   Low        2025-08-11T00:01:26Z
Data Exfiltration       SERVER02   Critical   2025-08-11T00:01:27Z

Query:

  severity=*
  | groupBy(severity, function=count())

Query breakdown:

  1. Filter to events with non-empty severity values

  2. Group events by unique severity levels

  3. Count events in each severity group

  4. Provide the numerical data for the pie slices in the _count field
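The query above, re-implemented in Python so the pie-slice numbers can be checked offline. This is an added example, not LogScale code or part of the original page: it parses the page's sample rows, applies the same non-empty-severity filter as severity=*, groups and counts like groupBy(severity, function=count()), and then derives the slice percentages the chart renders. The two extra events without a usable severity (a blank value and a missing field) are constructed here to show what the filter step drops; the function names are this example's own.

```python
"""Offline re-implementation of:  severity=* | groupBy(severity, function=count())

Added example (not LogScale's own code). Mirrors the three query steps:
  1. keep only events whose `severity` field exists and is non-empty,
  2. group by the distinct severity values,
  3. count per group, emitting the `_count` field the pie chart reads.
"""
from collections import Counter
from typing import Dict, List

# Tab-separated header + rows copied from the page's sample input. The final
# "Heartbeat" row is a constructed addition with a blank severity value.
SAMPLE_INPUT = """\
alert_name\thost\tseverity\ttimestamp
Ransomware Detection\tLAPTOP01\tCritical\t2025-08-11T00:01:23Z
Suspicious PowerShell\tSERVER01\tHigh\t2025-08-11T00:01:24Z
Failed Login\tDESKTOP02\tMedium\t2025-08-11T00:01:25Z
Policy Violation\tLAPTOP02\tLow\t2025-08-11T00:01:26Z
Data Exfiltration\tSERVER02\tCritical\t2025-08-11T00:01:27Z
Heartbeat\tSERVER03\t\t2025-08-11T00:01:28Z
"""


def parse_events(tsv: str) -> List[Dict[str, str]]:
    """Turn the TSV sample into one dict per event, keyed by the header names."""
    lines = [ln for ln in tsv.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


# Constructed event with no severity field at all (e.g. an agent check-in),
# so both "blank" and "absent" cases exercise the filter.
EVENTS: List[Dict[str, str]] = parse_events(SAMPLE_INPUT) + [
    {"alert_name": "Agent Check-in", "host": "SERVER04",
     "timestamp": "2025-08-11T00:01:29Z"},
]


def has_severity(event: Dict[str, str]) -> bool:
    """Step 1: `severity=*` matches only when the field is present and non-empty."""
    return bool(event.get("severity", "").strip())


def group_by_severity(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Steps 2-3: one result row per distinct severity with its `_count`.

    Rows are sorted by count (descending), then name, for a stable order.
    """
    counts = Counter(e["severity"] for e in events if has_severity(e))
    return [
        {"severity": sev, "_count": n}
        for sev, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


def pie_shares(rows: List[Dict[str, object]]) -> Dict[str, float]:
    """Percentage of the pie each slice occupies (what the widget draws)."""
    total = sum(int(r["_count"]) for r in rows)
    if total == 0:
        return {}
    # Multiply before dividing so 2 of 5 is exactly 40.0, not a float artefact.
    return {str(r["severity"]): round(100 * int(r["_count"]) / total, 1) for r in rows}


def high_risk_share(rows: List[Dict[str, object]]) -> float:
    """Combined percentage of Critical + High, the figure worth trending over time."""
    shares = pie_shares(rows)
    return round(shares.get("Critical", 0.0) + shares.get("High", 0.0), 1)


if __name__ == "__main__":
    result = group_by_severity(EVENTS)
    for row in result:
        print(f"{row['severity']:<9} _count={row['_count']}")
    print("shares:", pie_shares(result))
    print("critical+high share:", high_risk_share(result))
```

Running the block prints five counted events, with Critical at 2 and the other three levels at 1 each; the two constructed events without a severity never reach the grouping step, which is the same behaviour the severity=* filter gives in the query.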

Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Pie Chart in the Widget selector

  3. Click the style icon. This opens the Format panel on the side, where some properties are already configured by default based on the query result.

  4. Modify the properties as follows to obtain the look and feel of this example widget.

  5. Adjust the inner radius of the donut

  6. Toggle Legend on. If there is only one item in the chart, the legend does not show.

  7. Set the position of the legend to Bottom

  8. Select Show title to display the legend title, then assign the name "Severity" to the legend title and adjust its size to Medium

See Pie Chart Property Reference for more customizations of this widget.