Visualization of Azure cloud offense data

The Azure Offense Overview dashboard helps security analysts to visualize potential offenses in Microsoft Azure, and can be organized in various ways to suit your needs.

The Azure Offense Overview dashboard displays all open offense data in the following charts:
  • All users by magnitude
  • All users by related rule
  • Total offenses by MITRE tactic and rule (This chart is only available if IBM® QRadar® Use Case Manager is installed.)
  • Most severe offenses
  • All users by number of offenses
  • Magnitude level indicator

The offense data can be displayed in pie or bar chart format. To toggle the view, click the View Chart icon. Hover over a section to see more details, such as what the color represents and the percentage of rules that are related to that representation. To display a legend of the rules and their colors, click Show legend. You can also toggle between graph and table format by clicking the View table icon in the All regions by magnitude and All regions by related rule charts.

If you want to view specific information on one of the charts, you can drill down into a chart section to see a list of offenses that are related to the location or user that you clicked. For example, you might want to see more information about an offense list that is related to a user and the rule that is depicted by the bar chart. To see this information, drill down to different levels of detail about an offense within that user, and then click an offense to view details in QRadar.

Along with the charts, you can learn more about IBM Cloud offenses through the severe offenses table and the magnitude level indicator. The most severe offenses are listed in a separate table where you can click an offense to get more details. The magnitude level indicator shows the percentage of offenses for each magnitude. Hovering over the magnitude level indicator shows the average offense magnitude.

To ensure that the data is up-to-date, click Refresh in the overview title bar. You can also see when you last refreshed the page.


By clicking the Trends tab, you can see a trend of new offenses that are created over a specific time period. The tab will refresh on its own if it is reopened after more than 5 minutes. The default is set to view the offense creation timeline from the last 24 hours. You can also view an offense timeline for the last 7 days and the last 30 days. Only the timeline of new offenses is displayed.

If you want to save a snapshot of offense creation for a specific time, you can save chart data. The charts can be downloaded in PNG format through QRadar Cloud Visibility, so you can save these images and share them with managers and colleagues.

To return to the dashboard view, click the Current Status tab. The date and time range you want to view can be selected in the Filters sidebar for the Trends page.


The Offense dashboard has filters so you can choose the offenses that you want to view. These filters apply to the whole dashboard, not just one chart, and are different depending on which cloud service you are viewing. Access the Filters sidebar by clicking the filter icon in the upper left of the page.

Fine-tune the Azure Cloud Offense Overview dashboard with the following filters:
  • Offense status: Select the status type that you want to view in the overview charts: all open, only active, or closed.
  • Offense Start Date: Configure a date range to display in the charts for when offenses were first detected in QRadar Cloud Visibility.
  • Select the magnitude of offenses you want to view in the overview charts. The graphs are also affected by the magnitudes you select.
  • Log Source Types and Log Sources: Select the log source types and specific log sources for the offenses you want to view. Alternatively, you can also select all the log sources for the selected log source type.
    Note: As of QRadar Cloud Visibility V1.3.0, administrators can customize which log source types and log sources contribute to the dashboard.
  • Select the user who is associated with the offenses you want to view.
  • Rule Groups and Rules: Select the groups or individual rules for the offenses you want to view.
    Note: The Other category contains contributing rules, such as custom rules and rules from different content packs. Consider tuning your rules if unintended rules appear in the dashboard.

Azure Offense Overview

Figure 1. All users by magnitude and by related rule, and the total offenses by MITRE tactic and rule on Azure
Figure 2. Most severe offenses, users by number of offenses, and magnitude level indicator on Azure