Creating custom incident graphs

You can create custom graphs to display incident trends over time.

You create a custom graph by adding a custom widget. You add fields, and add filters to focus on the areas of greatest interest to your organization. For best results, create test graphs and variations to become familiar with the graphing capabilities. For example, create a graph that shows the average time for incidents to close per month, by incident severity, and by geographical location.

The following are examples of graphs that you can create:
  • Incidents over time.
  • Average time to close by type.
  • Average time to close by severity.
  • Average time to close by location.
  • Average time to close by workspace.

The following examples show each of these graphs and the fields that are used to create them.

Incidents over time
This example graphs incidents over time. It shows open incidents by type over time periods (weeks). You can create variations of this example.
The fields that are used to create it are shown in the following graphic.

You can apply a maximum of four fields to any graph or chart. The fields control the data that is displayed in the graph. When you create the graph from the custom widget, you select the fields from the list of fields in the Fields section. Then, you determine the order of the fields. For example, you might want to see Incident Type by Date Created. Drag the fields to the appropriate area before or after By. For some fields, you can click the edit icon to configure the field values. For example, for Date Created you can change time units to days, or hours.

Average time to close by type
This example graphs the average time that it takes for incidents to close, by incident type. You can create variations, such as the time it takes for incidents to close by type per month, or per workspace.

This sample is a Bar graph, and the fields that are used to create it are shown in the following graphic.

Average time to close by severity
This example graphs the average time for incidents to close by severity. You can create variations, such as average time to close by severity, per workspace.

This sample is a Column graph, and the fields that are used to create it are shown in the following graphic.

Average time to close by location
This example graphs the average time to close for incidents based on location. You can create variations, such as average time to close by location, per month.

This sample is a Table graph, and the fields that are used to create it are shown in the following graphic.

Average time to close by workspace

This example graphs the average time to close incidents per workspace.

This sample is a Column graph, and the fields that are used to create it are shown in the following graphic.

Creating graphs over time

When you create a custom graph, all incident fields are available for selection, including your custom fields. You can choose from multiple graph formats and you can configure the graph to display trends over time.

About this task

Before you begin creating a custom graph, it is useful to design your graph in advance and define the time range. Then, identify the filters and fields you need to narrow down the data that is displayed. Typically, creating a graph requires some trial and error and fine-tuning. For example, selecting a small time unit, such as minutes, over a longer period results in too many data points. By changing the time units to a larger unit, such as days, the data that is displayed is more useful. When you select the fields for your graphs, you can add a maximum of two fields per field selection area.

The following steps show an example of how to create an incident over time graph.

Procedure

  1. Select Dashboards > Analytics Dashboard and click Add Widget.
  2. Click Custom Incident Widget. You create the graph from this screen.
    [Screenshot: Custom Incident Widget]
  3. Enter a title and select a size for the graph. Use Full size for large graphs that span across the screen, while Half is useful for displaying two smaller graphs side by side. For this example, select Full.
  4. If using any graph type except Table, use one of the following Sort By options to determine the order in which the fields are presented:
    • Label (Natural Order) sorts by the fields' labels: alphabetical (case-sensitive) for strings, where multi-digit numbers are ordered as a single character; oldest to newest for dates; and ascending for numbers. Select Fields are an exception. They follow the order in which the values are declared in the field definition. Label (Natural Order) is the default selection.
    • Ascending sorts the fields by the total number of incidents within your selected criteria. As an example, a graph displays incidents by status per city. Boston has 30 open incidents and 30 closed incidents for a total of 60, and London has 20 open incidents and 50 closed incidents for a total of 70. In ascending order, Boston would be first in the graph that shows open incidents although London has fewer open incidents.
    • Descending also sorts the fields by the total number of incidents within your selected criteria. Using the previous example, London would be shown first.
  5. Use the filters at the beginning of the screen to focus on the data that you want to graph. As an example, from the Date Created filter, you can specify a time range, such as the past 30 hours. For this scenario, select the following filters:
    • Select All from the Date Created filter.
    • Select Active from the Status filter. If Closed is enabled, clear its checkbox.
    You can add other filters, as needed, by using More....
  6. If you want to toggle the data values in the graph, enable Data Labels. It is not available for all types of graphs, such as Table type graphs.
  7. From the Fields section, use the search to find and add the fields that you want to include in the graph by dragging and dropping them to the Fields selection areas. These fields control the data that is displayed in the graph, such as incident severity or incident type. For this scenario, add Incident Type to the section before By and add Date Created to the section after By, as shown in the following graphic.
    [Screenshot: Fields section]
    For some fields that you add, you can click the edit icon to configure the field values. For example, for Date Created you can change time units to months by clicking the edit icon next to Date Created, and for the Bucket Type, selecting Months.
  8. Click Save. The graph displays on the Analytics Dashboard, similar to the following graphic.
    [Graph: open incidents by type]

Creating graphs using Time Tracker

You can use Time Tracker to track how long incident fields spend on each value.

About this task

You use Time Tracker to determine how much time an incident spends in each value (or collection of values) of a chosen field. For example, you can track how long incidents remain in each phase before they move to the next phase. To use Time Tracker, the field must be previously configured by the playbook designer to track time changes.

For simple graphs, you can use Time Tracker by itself without relating it to another field. For more complex graphs, specify one or more fields in the Fields area and Time Tracker in the By area. In either case, you need to configure Time Tracker, which includes specifying a field to track time and the mathematical computations, such as sum and average.

When Time Tracker is in the Fields area, its values display on the x axis. In the By area, its values are on the y axis.

For a video and tutorial on how to track time changes to incident field values, see https://www.securitylearningacademy.com/course/view.php?id=4841.

Procedure

  1. Select Dashboards > Analytics Dashboard and click Add Widget.
  2. Click Custom Incident Widget. You create the graph from this screen.
  3. Enter a title and select a size for the graph. Use Full size for large graphs that span across the screen, while Half is useful for displaying two smaller graphs side by side.
  4. If using any graph type except Table, use one of the following Sort By options to determine the order in which the fields are presented:
    • Label (Natural Order) sorts by the fields' labels: alphabetical (case-sensitive) for strings, where multi-digit numbers are ordered as a single character; oldest to newest for dates; and ascending for numbers. Select Fields are an exception. They follow the order in which the values are declared in the field definition. Label (Natural Order) is the default selection.
    • Ascending sorts the fields by the total number of incidents within your selected criteria. As an example, a graph displays incidents by status per city. Boston has 30 open incidents and 30 closed incidents for a total of 60, and London has 20 open incidents and 50 closed incidents for a total of 70. In ascending order, Boston would be first in the graph that shows open incidents although London has fewer open incidents.
    • Descending also sorts the fields by the total number of incidents within your selected criteria. Using the previous example, London would be shown first.
  5. Use the filters at the beginning of the screen to focus on the data that you want to graph. As an example, from the Date Created filter, you can specify a time range, such as the past 30 days. You can add other filters, as needed, by using More....
  6. If you want to toggle the data values in the graph, enable Data Labels. It is not available for all types of graphs, such as Table type graphs.
  7. From the Fields section, use the search to find and add the fields that you want to include in the graph by dragging and dropping them to the Fields selection areas. These fields control the data that is displayed in the graph, such as incident severity or incident type. For this scenario, add ID and Time Tracker as shown in the following graphic.
  8. Click the Time Tracker edit icon to configure the field values.
    • Title. Enter any text that you choose as the axis label. When displayed, the label automatically includes the Time Unit.
    • Field. Select the incident field that you want to monitor.
    • Values. Select the values for the field that you want to track. If you do not make any selections, then all values are calculated individually.
    • Label. Enter any text that you choose as the tag for this aggregation. If left blank, the names of the selected values appear.
    • Operation. The only option is Sum, which applies to the values of each incident in scope before the calculation is applied.
    • Calculation. The only option is Average, which applies to the values across all incidents.
    • Time Unit. Select the duration of time to view the data.

    For example, if you select Phase as the field and Initial and Engage as the values, you see the sum of these values across your incidents.

  9. Click Save to save the Time Tracker selections.
    The following shows that the Phase field is selected along with all its values.

  10. Click Save in the graph window. The graph displays on the Analytics Dashboard.
    The following example graph is based on the settings that are shown in the previous step.
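
The Sum-then-Average arithmetic that step 8 describes, worked through in Python as an added illustration (not product code or the platform's API). The change-history tuples, the `as_of` cutoff for a value that is still in effect, and counting every incident in the average are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample data: (incident id, time the Phase field took this value, value).
# In practice this would come from the tracked field's change history.
HISTORY = [
    (101, "2024-03-01T08:00", "Initial"),
    (101, "2024-03-01T10:00", "Engage"),
    (101, "2024-03-01T16:00", "Resolve"),
    (101, "2024-03-02T08:00", "Engage"),    # incident re-enters Engage
    (101, "2024-03-02T12:00", "Complete"),
    (102, "2024-03-03T09:00", "Initial"),
    (102, "2024-03-03T10:00", "Engage"),
    (102, "2024-03-03T13:00", "Complete"),
    (103, "2024-03-03T22:00", "Initial"),   # still in Initial at report time
]
AS_OF = datetime(2024, 3, 4, 6, 0)          # constructed report time
UNIT_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}

def time_per_value(history, as_of):
    """Return {incident_id: {value: timedelta}} from field change events."""
    by_incident = {}
    for inc_id, ts, value in history:
        by_incident.setdefault(inc_id, []).append((datetime.fromisoformat(ts), value))
    result = {}
    for inc_id, events in by_incident.items():
        events.sort()
        totals = {}
        # Each value lasts until the next change; the last one runs to as_of.
        ends = [t for t, _ in events[1:]] + [as_of]
        for (start, value), end in zip(events, ends):
            totals[value] = totals.get(value, timedelta()) + (end - start)
        result[inc_id] = totals
    return result

def tracker_average(history, values, unit, as_of):
    """Operation: sum the selected values per incident.
    Calculation: average those sums across all incidents (assumed scope)."""
    sums = []
    for totals in time_per_value(history, as_of).values():
        total = sum((totals.get(v, timedelta()) for v in values), timedelta())
        sums.append(total.total_seconds() / UNIT_SECONDS[unit])
    return sum(sums) / len(sums) if sums else 0.0

if __name__ == "__main__":
    print(tracker_average(HISTORY, ["Initial", "Engage"], "hours", AS_OF))
```

Incident 101 returns to Engage a second time, so its two Engage intervals are summed before the cross-incident average is taken.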