Finding Threat Overview Widget
The Finding Threat Overview is the most comprehensive threat visualization widget in DataBee, combining three views in a single widget: severity summary cards showing total counts by severity level, a color-coded threat trends chart showing how findings are distributed over time, and a detailed findings table listing individual events. Use this widget as your primary threat monitoring dashboard.

Configuration
Click + Add Widget, select Finding Threat Overview, and click Next.

| Field | Required | Description | Default |
|---|---|---|---|
| Widget Name | Yes | A title (e.g., 'Detection Findings Overview'). | — |
| Findings Table | Yes | Which OCSF findings table to query. See Available Findings Tables below. | — |
| Time Range | No | Period to display. | Use Global |
| Query | No | A DataBee search query to filter findings. | Empty |
Available Findings Tables

| Findings Table | What It Contains | Common Data Sources |
|---|---|---|
| Detection Finding | Detection rule matches, SIEM alerts, and EDR detections. This is the most commonly used table. | CrowdStrike, Sigma rules, Splunk alerts, custom detections |
| Vulnerability Finding | Vulnerability scan results and CVE matches from scanning tools. | Qualys, Nessus, Tenable, Rapid7 |
| Compliance Finding | Cyber risk violations and regulatory assessment results. | CIS benchmarks, cyber risk scanning tools |
| Security Finding | General consolidated security findings from multiple sources. | Aggregated from other finding types |
| Incident Finding | Incident response and investigation findings. | SOAR platforms, ticketing systems |
| Data Security Finding | Data loss prevention and data security findings. | DLP tools, CASB solutions |
| IAM Analysis Finding | Identity and access management analysis results. | IAM governance tools |
| App Security Posture Finding | Application security posture assessment results. | CSPM, ASPM tools |
Tip: Start with Detection Finding. It is the most commonly populated table and captures alerts from SIEM rules, Sigma detections, and EDR products.
Understanding the Widget Sections
Severity Summary Cards
Large colored numbers at the top show finding counts by severity: Fatal (black), Critical (red), High (orange), Medium (light orange), Low (yellow), plus a Total Events count. These give you an immediate sense of the threat landscape.
Threat Trends Chart
A stacked bar chart below the summary cards shows how findings are distributed over time. Each bar is a time interval with colored segments for each severity level. Look for patterns like clusters of Critical findings at unusual hours (potential attack) or a steady increase in Medium findings (growing attack surface).
Findings Table
A detailed table at the bottom lists individual findings:
| Column | Description |
|---|---|
| Timestamp | When the finding was recorded. |
| Device | The associated device. Click to view device details. |
| Type Name | Finding type and action (e.g., 'Detection Finding: Create', 'Detection Finding: Close'). |
| Description | Detailed description: the detection rule name or finding narrative. |
| Source | Source IP address or endpoint. |
| Destination | Destination IP or endpoint (if applicable). |
| Severity | Severity level: Low, Medium, High, Critical, or Fatal. |
Note: The widget automatically excludes Unknown, Informational, and Other severities to focus on actionable findings.
Query Syntax
The Query field accepts DataBee's search query syntax to filter which records are included. If left blank, all records in the selected table within the time range are included.
Basic Syntax
Queries follow the format: field_name operator value
Supported Operators
| Operator | Description | Example |
|---|---|---|
| in | Field value matches the specified value(s). Use parentheses for multiple values. | severity_id in (4,5,6) |
| notin | Field value does NOT match the specified value(s). | status_id notin (0,99) |
| contains | Field value contains the specified substring. | message contains ransomware |
| between | Field value falls between two values (inclusive). Separate the two values with a comma. | traffic.bytes between 1000,50000 |
Combining Conditions
Use "and" to combine multiple conditions. For example: severity_id in (4,5) and metadata.product.name in CrowdStrike
Nested Field Paths
Access nested fields using dot notation. Common paths include:
| Path | Description |
|---|---|
| metadata.product.name | The security product that generated the event (e.g., CrowdStrike, Qualys) |
| src_endpoint.ip | Source IP address |
| dst_endpoint.ip | Destination IP address |
| device.name | Device hostname |
| user.name | Username |
| finding.severity | Finding severity level |
Note: The widget's Time Range setting already filters by time, so you do not need to include time filters in the Query field.
Query Examples for Finding Threat Overview
| Scenario | Query |
|---|---|
| Only CrowdStrike detections | metadata.product.name in CrowdStrike |
| Only Critical and Fatal findings | severity_id in (5,6) |
| Findings mentioning ransomware | message contains ransomware |
| From a specific device | device.name in web-server-01 |
| Sigma rule detections only | type_name contains sigma |
| Exclude low-severity noise | severity_id notin (0,1,2) |
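To make the query syntax above concrete, here is an added stand-alone Python evaluator that implements the documented operators (in, notin, contains, between), "and" chaining, and dot-notation field paths over a handful of constructed OCSF-style Detection Finding records, and then tallies them the way the severity summary cards do. This is example code written for this page, not DataBee's query engine; the sample records, the case-insensitive `contains` matching, and the numeric coercion of values are assumptions made here. The severity_id mapping (2 Low through 6 Fatal, with 0 Unknown, 1 Informational and 99 Other excluded) follows OCSF and matches the widget's exclusion rule described earlier.

```python
"""Illustrative evaluator for the query syntax documented on this page.

Assumption: this is a stand-alone re-implementation of the documented
operators for learning purposes, not DataBee's own query engine.
"""
import re

# Constructed sample findings shaped like OCSF Detection Finding records.
SAMPLE_FINDINGS = [
    {"time": "2024-05-01T02:10:00Z", "severity_id": 5, "status_id": 1,
     "type_name": "Detection Finding: Create",
     "message": "Sigma: possible ransomware note dropped",
     "metadata": {"product": {"name": "CrowdStrike"}},
     "device": {"name": "web-server-01"}, "traffic": {"bytes": 4200}},
    {"time": "2024-05-01T02:12:00Z", "severity_id": 4, "status_id": 1,
     "type_name": "Detection Finding: Create",
     "message": "Suspicious PowerShell execution",
     "metadata": {"product": {"name": "CrowdStrike"}},
     "device": {"name": "ws-finance-07"}, "traffic": {"bytes": 120}},
    {"time": "2024-05-01T09:40:00Z", "severity_id": 2, "status_id": 0,
     "type_name": "Detection Finding: Create",
     "message": "Failed login burst from single source",
     "metadata": {"product": {"name": "Splunk"}},
     "device": {"name": "web-server-01"}, "traffic": {"bytes": 90000}},
    {"time": "2024-05-01T10:05:00Z", "severity_id": 1, "status_id": 99,
     "type_name": "Detection Finding: Close",
     "message": "Scheduled task created",
     "metadata": {"product": {"name": "Splunk"}},
     "device": {"name": "ws-finance-07"}},
]

# OCSF severity_id values shown by the cards; 0, 1 and 99 are excluded.
SEVERITY_LABELS = {2: "Low", 3: "Medium", 4: "High", 5: "Critical", 6: "Fatal"}

CONDITION = re.compile(
    r"^\s*([A-Za-z_][\w.]*)\s+(in|notin|contains|between)\s+(.+?)\s*$", re.I)


def get_path(record, path):
    """Resolve a dot-notation path such as metadata.product.name; None if absent."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _coerce(token):
    """Assumption: bare numeric tokens compare as numbers, everything else as text."""
    for cast in (int, float):
        try:
            return cast(token)
        except ValueError:
            pass
    return token


def _parse_values(text):
    """Turn '(4,5,6)', '1000,50000' or 'CrowdStrike' into a list of values."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    return [_coerce(v.strip()) for v in text.split(",") if v.strip()]


def parse_query(query):
    """Split on 'and' and parse each 'field operator value' clause."""
    conditions = []
    for clause in re.split(r"\s+and\s+", query.strip(), flags=re.I):
        if not clause:
            continue  # blank query: no conditions, everything matches
        m = CONDITION.match(clause)
        if not m:
            raise ValueError(f"cannot parse clause: {clause!r}")
        field, op, raw = m.group(1), m.group(2).lower(), m.group(3)
        if op == "contains":
            conditions.append((field, op, raw.strip()))
        elif op == "between":
            bounds = _parse_values(raw)
            if len(bounds) != 2:
                raise ValueError("between needs exactly two comma-separated values")
            conditions.append((field, op, bounds))
        else:  # in / notin
            conditions.append((field, op, _parse_values(raw)))
    return conditions


def matches(record, conditions):
    """All conditions must hold (the page's 'and' semantics)."""
    for field, op, arg in conditions:
        value = get_path(record, field)
        if op == "in" and value not in arg:
            return False
        if op == "notin" and value in arg:
            return False
        if op == "contains" and (value is None or arg.lower() not in str(value).lower()):
            return False
        if op == "between" and (value is None or not (arg[0] <= value <= arg[1])):
            return False
    return True


def run_query(records, query):
    """Apply a query string to a list of findings and return the matches."""
    conditions = parse_query(query)
    return [r for r in records if matches(r, conditions)]


def severity_summary(records):
    """Counts per severity card plus Total Events, dropping 0/1/99 as the widget does."""
    counts = {label: 0 for label in SEVERITY_LABELS.values()}
    for r in records:
        label = SEVERITY_LABELS.get(r.get("severity_id"))
        if label is not None:
            counts[label] += 1
    counts["Total Events"] = sum(counts.values())
    return counts


if __name__ == "__main__":
    hits = run_query(SAMPLE_FINDINGS, "severity_id in (4,5) and metadata.product.name in CrowdStrike")
    print(len(hits), "matching findings")
    print(severity_summary(SAMPLE_FINDINGS))
```

Each row of the example table on this page can be passed to `run_query` as-is; the blank-query case returns every record, mirroring the note that an empty Query field includes all records in the selected table. A value that itself contains the word " and " would be split by this simple evaluator, which is one reason a production query engine needs a real tokenizer rather than a regex split.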
Interactive Features
- Click on a bar segment in the Threat Trends chart to filter the table to that time period and severity.
- Click on a severity legend item to toggle that severity on/off in the chart.
- Click Clear Filter to reset all interactive selections.
- Click on a device name in the findings table to view the device detail page.