Dashboard Best Practices
Dashboards are a great way to summarize key information from the logs and to engage users. Dashboards can contain many different widgets (e.g. charts, graphs, tables).
Think about whether it is better to have a single dashboard with many widgets, or whether the content groups logically, in which case multiple dashboards, each with widgets relevant to a particular use, are more appropriate.
Be clear about the expected use of the dashboards, and think about how the user's next steps could be anticipated and catered for in the dashboards.
Parameters
To make dashboards more useful, you can use parameters to take input from the user and re-draw the dashboard based on that input.
These can be very useful when dealing with large sets of data as they allow the user to narrow the scope of the dashboard widget to a subset of data or a particular single value.
IOC Feed
All LogScale customers except LogScale Community Edition users have access to the built-in CrowdStrike IOC (Indicators of Compromise) feed.
If the package is relevant for security users, consider whether it makes sense to use the IOC feed in the dashboard. Highlighting any IPs, domains or URLs that are present in the customer logs and match the IOC feed could be very useful for the user.
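A widget query that combines a dashboard parameter with the IOC feed, as an added example that is not part of the original page or of any shipped package. The field name `src_ip` and the parameter name `ip` are assumptions; replace them with the fields the package's parser actually produces.

```logscale
// Added example. src_ip (event field) and ip (dashboard parameter) are assumed names.
// The parameter narrows the widget to one address; the default "*" matches every value.
src_ip = ?{ip="*"}
// Annotate events from the built-in IOC feed. strict=true drops events with no match,
// so the widget shows only addresses that the feed knows about.
| ioc:lookup(field=[src_ip], type="ip_address", confidenceThreshold="medium", strict=true)
// One row per matching address, with the hit count and the most recent sighting.
| groupBy(src_ip, function=[count(as=hits), max(@timestamp, as=last_seen)])
| sort(hits, order=desc, limit=50)
```

On Community Edition, where the feed is not available, a widget built on this query has nothing to match against, so the package should not depend on it for its core views.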
Links in Dashboards
Often a dashboard will identify something at a high level that needs more investigation and sometimes the next step for the user can be pre-empted.
Consider whether links to either external URLs or additional LogScale searches could be added to dashboard tables to provide convenience for the user.
In LogScale dashboards it is possible to use dashboard parameters, time windows and/or fields from the relevant events when constructing deep links into LogScale or links to external URLs.
Note that the URL for the customer's LogScale service is unknown (it could be self-cloud or different LogScale clouds and repositories), which limits the practical possibilities.