Malware Types by Infection Count (In Small Multiples)

Identify the most prevalent types of malware in your environment to focus security efforts and updates. This chart would be ideal for a security operations centre (SOC) dashboard.

Visualization: the pie chart visualizes the proportion of each malware type in your environment. The Small multiples option offers a different way to visualize multiple aggregate results, typically when grouping on more than one field: instead of a single pie, each unique malware_type value is drawn as its own donut in a grid, and each donut is labelled with the malware type name.

Figure 226. Malware Types by Infection Count

Sample input data:

file_name       host    malware_type  timestamp
suspicious.exe  HOST01  Trojan        2025-08-11T00:01:23Z
encrypt.bin     HOST02  Ransomware    2025-08-11T00:01:24Z
logger.dll      HOST03  Spyware       2025-08-11T00:01:25Z
malicious.exe   HOST04  Trojan        2025-08-11T00:01:26Z
popup.exe       HOST05  Adware        2025-08-11T00:01:27Z

Query:

logscale
malware_type=*
| groupBy(malware_type, function=count())
| sort(_count, order=desc)

Query breakdown:

  1. Filter to include only events in which the malware_type field is present: the wildcard * matches any value of the field, so events that do not carry malware_type are dropped before aggregation.

  2. Group all filtered malware detection events by the unique values in the malware_type field

  3. Apply the count() aggregate function to each group

  4. Create a field named _count containing the number of infection instances for each malware type

  5. Sort the grouped results by the _count field in descending order, ensuring the most prevalent malware types appear first in the results.
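To make the semantics of the five steps concrete, here is an added reference implementation of the same filter, groupBy/count and sort pipeline in Python, run over constructed events modelled on the sample table above. It is not LogScale code and does not execute the query; it reproduces what the query computes. Two extra events are included to show the edge cases a practitioner cares about: a second Trojan detection so that a count exceeds one, and an event with no malware_type field at all, which step 1 must exclude. The two-field grouping on malware_type and host goes beyond the page's single-field query and is an assumed illustration of the shape that the Small multiples layout displays (one donut per type, one slice per host). The deterministic tie-break on field values is also an assumption of this example, not a guarantee of the LogScale sort() function.

```python
from collections import Counter
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample events, modelled on the page's input table. Two extra
# rows are added for the edge cases: a second Trojan detection on HOST01, and
# an event that lacks the malware_type field entirely (the filter must drop it).
SAMPLE_EVENTS: List[Event] = [
    {"file_name": "suspicious.exe", "host": "HOST01", "malware_type": "Trojan",     "timestamp": "2025-08-11T00:01:23Z"},
    {"file_name": "encrypt.bin",    "host": "HOST02", "malware_type": "Ransomware", "timestamp": "2025-08-11T00:01:24Z"},
    {"file_name": "logger.dll",     "host": "HOST03", "malware_type": "Spyware",    "timestamp": "2025-08-11T00:01:25Z"},
    {"file_name": "malicious.exe",  "host": "HOST04", "malware_type": "Trojan",     "timestamp": "2025-08-11T00:01:26Z"},
    {"file_name": "popup.exe",      "host": "HOST05", "malware_type": "Adware",     "timestamp": "2025-08-11T00:01:27Z"},
    {"file_name": "dropper.exe",    "host": "HOST01", "malware_type": "Trojan",     "timestamp": "2025-08-11T00:02:01Z"},
    {"file_name": "update.log",     "host": "HOST06",                               "timestamp": "2025-08-11T00:02:02Z"},
]


def field_exists(events: Iterable[Event], field: str) -> List[Event]:
    """Step 1, the `malware_type=*` filter: keep only events that carry the field."""
    return [e for e in events if field in e]


def group_by_count(events: Iterable[Event], *fields: str) -> List[Dict[str, object]]:
    """Steps 2 to 5: groupBy(fields, function=count()) then sort(_count, order=desc).

    Returns one row per distinct combination of the grouping fields, with the
    number of events in that group in `_count`. Rows are sorted by `_count`
    descending; ties are broken by the field values so the output is stable
    (an assumption of this example, not a promise made by the LogScale query).
    """
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    rows = [dict(zip(fields, key), _count=n) for key, n in counts.items()]
    rows.sort(key=lambda r: (-r["_count"], tuple(r[f] for f in fields)))
    return rows


def malware_types_by_infection_count(events: Iterable[Event]) -> List[Dict[str, object]]:
    """The page's full query: filter on malware_type, group by it, count, sort."""
    return group_by_count(field_exists(events, "malware_type"), "malware_type")


def malware_types_per_host(events: Iterable[Event]) -> List[Dict[str, object]]:
    """Grouping on two fields, the shape the Small multiples layout displays:
    one donut per malware_type, one slice per host. Assumed extension of the
    page's single-field query, not part of the original example."""
    return group_by_count(field_exists(events, "malware_type"), "malware_type", "host")


if __name__ == "__main__":
    for row in malware_types_by_infection_count(SAMPLE_EVENTS):
        print(f"{row['malware_type']:<12}{row['_count']}")
    print()
    for row in malware_types_per_host(SAMPLE_EVENTS):
        print(f"{row['malware_type']:<12}{row['host']:<8}{row['_count']}")
```

Running the script lists Trojan first with a count of 3 and the remaining three types with a count of 1 each; the event without a malware_type field contributes to no row, which is exactly why the `malware_type=*` filter precedes the aggregation in the query.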

Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Pie Chart in the Widget selector

  3. Click the style icon: this opens the Format panel on the side, where some properties are already configured by default based on the query result.

  4. Modify the properties to obtain the look and feel of this example widget, as follows:

  5. Toggle the Small multiples option on to visualize multiple aggregate results in a grid.

  6. In Series formatting, assign the preferred color to one or more series: for example, always show the malware type "Ransomware" as red.

  7. Set the Legend position to Right

You can further customize this widget by setting more properties, see Pie Chart Property Reference.