Best Practice: Using widget visualizations

Visualizing aggregated data with widgets adds context and helps when building custom dashboards. For a simple query like the one below, selecting the desired widget from the drop-down is all that's required:

```
#event_simpleName=OsVersionInfo
| groupBy("ProductName")
```

Figure: Barchart widget example

Note

LogScale will only allow you to select compatible widgets.

The desired visualization widget can also be specified in the query itself. As an example:

```
EventType = "Event_ExternalApiEvent" ExternalApiType = "Event_DetectionSummaryEvent"
| sankey(source="Tactic", target="Technique", weight=count(AgentIdString))
```

Figure: Sankey widget example

The Save button can be leveraged to add any query or widget to a custom dashboard.