# Custom Dashboards (Beta)
## Overview
{% hint style="info" %}
Custom dashboards are in open beta starting with Panther version 1.112, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}
Custom dashboards in Panther allow you to group data visualizations that provide insights tailored to your organization's needs. You can customize each dashboard to display key metrics, such as data ingest volume, alert volume, and any other trends you'd like to monitor at a glance.
A custom dashboard is made up of one or more visualizations, or "widgets." Each visualization is generated from a [PantherFlow](https://docs.panther.com/pantherflow) query using the [`visualize` operator](https://docs.panther.com/pantherflow/operators/visualize). After you create a dashboard, you can [apply filters](#creating-a-dashboard-filter-and-variable) on all visualizations.
Learn how to [build a custom dashboard](#creating-a-custom-dashboard-and-adding-visualizations), [access your custom dashboards](#viewing-a-custom-dashboard-and-its-pantherflow-queries), and more, below.
## Creating a custom dashboard and adding visualizations
To build a custom dashboard, first you will [create the dashboard](#creating-a-custom-dashboard), then you will [add one or more visualizations](#adding-a-visualization-to-a-custom-dashboard).
### **Creating a custom dashboard**
You can create a custom dashboard in the Panther Console from either the **Dashboard** or **Search** page.
{% tabs %}
{% tab title="From Dashboard page" %}
**Creating a custom dashboard from the Dashboard page**
1. In the left-hand navigation bar of your Panther Console, click **Dashboard**.
* This is the landing page when logging into the Panther Console.
2. To create a dashboard, either:
* Hover over the name of the currently displayed dashboard, then click **+**.\
* Click the name of the currently displayed dashboard, then click **+ New Dashboard**.\
3. Now that your new dashboard exists, you can [add one or more visualization widgets](#adding-a-visualization-to-a-custom-dashboard) and [update the name and/or emoji of the dashboard](#updating-the-name-or-emoji-of-a-custom-dashboard).
{% endtab %}
{% tab title="From Search page" %}
**Creating a custom dashboard from the Search page**
This method of dashboard creation also adds the first visualization widget to the new dashboard.
1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Search**.
2. Run a [PantherFlow](https://docs.panther.com/pantherflow) search that uses the [`visualize` operator](https://docs.panther.com/pantherflow/operators/visualize).
* [Learn more about how to run a PantherFlow query in Search here](https://docs.panther.com/search-tool#using-pantherflow-in-search).
3. In the top-right corner of the resulting visualization, click the three dots icon, then **+ Add to dashboard...**.\
4. Click **+ New dashboard**.
* A new custom dashboard is created, and this visualization is added to it. In the notification displayed in the lower-left corner of the screen, click **Go to dashboard** to view the new dashboard.\
* You can optionally [update the name and/or emoji of the dashboard](#updating-the-name-or-emoji-of-a-custom-dashboard).
{% endtab %}
{% endtabs %}
### Adding a visualization to a custom dashboard
After you have [created a custom dashboard](#creating-a-custom-dashboard), you can add a visualization widget to it. You can only add visualizations to dashboards you created.
1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Search**.
2. Run a [PantherFlow](https://docs.panther.com/pantherflow) search that uses the [`visualize` operator](https://docs.panther.com/pantherflow/operators/visualize).
* [Learn more about how to run a PantherFlow query in Search here](https://docs.panther.com/search-tool#using-pantherflow-in-search).
3. In the top-right corner of the resulting visualization, click the three dots icon, then **+ Add to dashboard...**.\
4. Select the name of the custom dashboard you'd like to add the visualization to.
* The visualization is added to the custom dashboard. In the notification displayed in the lower-left corner of the screen, click **Go to dashboard** to view the dashboard.\
{% hint style="info" %}
If the custom dashboard you add your visualization to has [filters](#dashboard-filters-and-variables-beta), they will be inserted into to your PantherFlow query when it is added to the dashboard.
{% endhint %}
## Viewing a custom dashboard and its PantherFlow queries
A dashboard is made up of one or more visualizations, each powered by a [PantherFlow](https://docs.panther.com/pantherflow) query.
### **Viewing a custom dashboard**
To view a custom dashboard in your Panther Console:
1. In the left-hand navigation bar of your Panther Console, click **Dashboards**.
* This is the landing page when logging into the Panther Console.
2. In the upper-left corner, click **Overview**.
3. Under **Custom Dashboards**, select the dashboard you'd like to view.
### Viewing a visualization's PantherFlow query
It may be helpful to see the [PantherFlow](https://docs.panther.com/pantherflow) query underlying a visualization widget. You can view the query in the Edit modal or in Search:
{% tabs %}
{% tab title="In Edit modal" %}
**Viewing a visualization's PantherFlow query in the Edit modal**
1. In the upper right-hand corner of the visualization widget for which you'd like to view the PantherFlow query, click the three dots icon.
2. Click **Edit visualization settings**.
* On the **Edit visualization settings** pop-up modal, in the left-side panel, click the down arrow icon to expand and view the PantherFlow query.
* You can also edit the visualization from this modal—learn more in [Editing a visualization](#editing-a-visualization).
{% endtab %}
{% tab title="On Search page" %}
**Viewing a visualization's PantherFlow query in Search**
1. In the upper right-hand corner of the visualization widget for which you'd like to view the PantherFlow query, click the three dots icon.
2. Click **Go to PantherFlow query**.\
* You will be redirected to [Search](https://docs.panther.com/search/search-tool) and the associated PantherFlow query will load and execute.
{% hint style="info" %}
Editing a visualization's underlying PantherFlow query in Search will not update the visualization on your dashboard. To edit a visualization in your dashboard, see [Editing a visualization](#editing-a-visualization) below.
{% endhint %}
{% endtab %}
{% endtabs %}
## Updating a custom dashboard
Once you have [created a custom dashboard](#creating-a-custom-dashboard), you can [update its name or emoji](#updating-the-name-or-emoji-of-a-custom-dashboard). Once you have [added visualization widgets](#adding-a-visualization-to-a-custom-dashboard) to the dashboard, you can [edit them](#editing-a-visualization) as well as [reposition and resize them](#customizing-the-layout-of-a-custom-dashboard).
You can only update custom dashboards you created.
### **Editing a visualization**
You can edit a visualization widget from a custom dashboard you created.
To edit a visualization widget in a custom dashboard:
1. [View the custom dashboard](#viewing-a-custom-dashboard) containing the visualization widget you'd like to edit.
2. In the top-right corner of the visualization widget you'd like to edit, click the three dots icon.
3. Click **Edit visualization settings**.
4. Make desired updates in the **Edit visualization settings** pop-up modal.
* If you'd like to update attributes of the visualization (such as the chart title or orientation), follow either the **Using form** or **Using PantherFlow** instructions below.
* If you'd like to update the PantherFlow query underlying the visualization outside of the [`visualize` operator annotations](https://docs.panther.com/pantherflow/operators/visualize#supported-annotations) (e.g., you'd like to add a [`where`](https://docs.panther.com/pantherflow/operators/where) clause), follow the **Using PantherFlow** instructions below.
{% tabs %}
{% tab title="Using form" %}
To update a visualization widget using the form:
1. On the left-hand side of the **Edit visualization settings** pop-up modal, update the visualization form field values as desired.
* Updates to form field values are reflected in the PantherFlow query above (visible by clicking the down arrow icon: ).
* The form fields reflect the PantherFlow [`visualize` annotations](https://docs.panther.com/pantherflow/operators/visualize#supported-annotations), and include:
* In the **Data** section:
* **Chart Type**: Select **Bar chart**, **Line chart**, or **Table chart.**
* (If **Chart Type** is **Bar chart** or **Line chart**) **Y-axis**: Select the field you'd like to be represented on the vertical axis. (Select **Auto-detect** to allow Panther to infer the value based on your query.)
* (If **Chart Type** is **Bar chart** or **Line chart**) **X-axis**: Select the field you'd like to be represented on the horizontal axis. (Select **Auto-detect** to allow Panther to infer the value based on your query.)
* (If **Chart Type** is **Bar chart** or **Line chart**) **Series**: Select the field you'd like to use to group the data. (Select **Auto-detect** to allow Panther to infer the value based on your query.)
* (If **Chart Type** is **Bar chart** or **Line chart**) In the **Appearance** section:
* **Orientation**: Select an icon to indicate the direction of the bars.
* Orientation can only be altered if **Y-axis** and **X-axis** are both set to **Auto-detect**.
* **Show legend**: Toggle **On** or **Off** depending on whether the visualization should have a legend.
* (If **Show legend** is **On**) **Legend Position**: Select a value for the legend's placement.
* In the **Labels** section:
* **Visualization Title**: Enter a title for the visualization.
2. Click **Save Changes** to update the visualization widget or **Cancel** to discard your edits.
{% endtab %}
{% tab title="Using PantherFlow" %}
To update a visualization widget by editing its PantherFlow query:
1. On the left-hand side of the **Edit visualization settings** pop-up modal, click the down arrow icon to expand the PantherFlow query and enter edit mode.\
2. Edit the query as desired.
* Updates made to the [`visualize` operator](https://docs.panther.com/pantherflow/operators/visualize) will be reflected in the modal form (visible by clicking the up arrow icon: ).
3. Click **Run Query** to see how the visualization changes after your modification(s).
4. Click **Save Changes** to update the visualization widget or **Cancel** to discard your edits.
{% endtab %}
{% endtabs %}
### Updating the name or emoji of a custom dashboard
1. [View the custom dashboard](#viewing-a-custom-dashboard) you'd like to update.
2. Hover over the title of the dashboard, then click the pencil (**Edit Title**) icon.\
3. Update the **Dashboard Name** value and/or select a new emoji.
4. Click the check mark icon to save your changes, or the **X** icon to discard your changes.\
### Customizing the layout of a custom dashboard
You can adjust both the size and position of each visualization widget in a custom dashboard. Changes made to widget size and position will be saved automatically after changes have stopped for a short period of time. You can only customize the layout of dashboards you created.
#### **Resizing a visualization widget**
To change the size of a widget:
1. Hover over the lower right-hand corner of a widget.
2. Click and drag the corner to resize the widget to the desired size.
#### **Repositioning a visualization widget**
To change the position of a widget:
1. Hover over the widget's title.
2. Click and drag the widget to its new location within the dashboard.
## **Deleting a custom dashboard or its visualizations**
### **Deleting a custom dashboard**
Once a dashboard is deleted, it will not appear in any dashboard lists. You can only delete dashboards you created. If you only need to delete a visualization from a dashboard (and not the entire dashboard as a whole), see [Deleting a visualization in a custom dashboard](#deleting-a-visualization-in-a-custom-dashboard), below.
To delete a custom dashboard:
1. [View the custom dashboard](#viewing-a-custom-dashboard) you'd like to delete.
2. Once the selected dashboard is loaded, hover over its title, then click the trash can icon.\
3. In the **Delete Dashboard?** pop-up modal, click **Confirm**.
* The dashboard will be deleted and a confirmation notification will be displayed in the lower left-hand corner of the Console window.
* To revert the deletion, in the confirmation notification, click **Undo**.\
### Deleting a visualization in a custom dashboard
You can only delete a visualization widget from a custom dashboard you created.
To delete a visualization widget from a custom dashboard:
1. [View the custom dashboard](#viewing-a-custom-dashboard) containing the visualization widget you'd like to remove.
2. In the top-right corner of the visualization widget you'd like to remove, click the three dots icon.
3. Click **Remove visualization**.
## **Limitations of custom dashboards**
Custom dashboards currently have the following limitations:
* Your Panther instance can store up to 1,000 custom dashboards.
## Dashboard filters and variables
You can add filters to your custom dashboard, which allow you and others viewing your dashboard to drill down on certain fields across all visualizations.
* **Dashboard filters**:
* Apply to all visualization widgets on your custom dashboard (though you can manually exclude certain visualization widgets from a filter)
* Panther applies the filter by inserting a `where` clause in the PantherFlow statements underlying all visualization widgets on the dashboard
* Create dashboard variables
* **Dashboard variables**:
* Are created when a filter is created, and are used in the `where` clauses Panther appends to each visualization widget's underlying PantherFlow
* Can be used in custom PantherFlow clauses (outside the `where` clauses Panther auto-adds)
### Creating a dashboard filter and variable
You can only add filters to custom dashboards you own (though anyone viewing your dashboard can provide values).
To add a filter to a custom dashboard:
1. [View the custom dashboard](#viewing-a-custom-dashboard) you'd like to apply a filter on.
2. Under the dashboard title, click **Add Filter**.
3. In the dropdown, search for and select a field you'd like to filter on. Adding this filter (even before entering any [values](#providing-values-to-a-filter-and-variable)):
* Creates a dashboard variable, which can be [used in custom clauses](#using-a-variable-in-a-custom-pantherflow-clause). Variable names start with `$`.
* In the example below, the variable is `$p_alert_severity`.
* Adds a `where` clause with the new variable to the PantherFlow underlying each visualization.
* The `where` clause syntax depends on the data type of the variable—see examples in [Providing values to a filter and variable](#providing-values-to-a-filter-and-variable).
* You can view the updated PantherFlow in the [Edit visualization settings modal](#editing-a-visualization).
4. Add values to the filter—see [Providing values to a filter/variable](#providing-values-to-a-filter-variable) to learn about how to enter values depending on the data type of the field you're filtering on.
* Adding values doesn't change the visualization widgets' underlying PantherFlow; it only changes the value of the variable that's already been added in a `where` clause.
### Providing values to a filter and variable
[Creating a dashboard filter](#creating-a-dashboard-filter) creates a variable, which is used in a `where` clause inserted in each visualization widget and able to be used in custom clauses. You can then provide values to the variable.
How you enter filter values depends on the data type of the field you're filtering on:
{% tabs %}
{% tab title="String" %}
**Providing values to a string filter/variable**
1. Click the filter.
2. If the value you'd like to filter on is available in the dropdown, click its checkbox.
* The dropdown options do not represent all available options—they are some of the values of the field that are currently found in the data set.
* If you update the **Date Range** filter value, the data set will be refreshed, and the options may change.
* You can also enter custom values:
For string fields, a `where` clause like the following will be added to the PantherFlow query underlying each visualization widget (in this example, we are using `p_alert_severity`):
{% code overflow="wrap" %}
```kusto
| where p_alert_severity in $p_alert_severity
```
{% endcode %}
{% endtab %}
{% tab title="Number" %}
**Providing values to a number filter/variable**
1. Click the filter.
2. Enter **Min** and **Max** values.
3. Click **Set Range**.
For number fields, a `where` clause like the following will be added to the PantherFlow query underlying each visualization widget (in this example, we are using `p_udm.destination.bytes`):
{% code overflow="wrap" %}
```kusto
| where p_udm.destination.bytes between $p_udm__destination__bytes.min .. $p_udm__destination__bytes.max
```
{% endcode %}
{% endtab %}
{% tab title="Boolean" %}
**Providing values to a boolean filter/variable**
1. Click the filter.
2. Select **True** or **False**.
For boolean fields, a `where` clause like the following will be added to the PantherFlow query underlying each visualization widget (in this example, we are using `p_current`):
{% code overflow="wrap" %}
```kusto
| where p_current == $p_current
```
{% endcode %}
{% endtab %}
{% tab title="Time" %}
**Providing values to a time filter/variable**
1. Click the filter.
2. Select a time range—either a relative range (e.g., "Last 20 minutes") or a custom range.
For time fields, a `where` clause like the following will be added to the PantherFlow query underlying each visualization widget (in this example, we are using `p_alert_update_time`):
{% code overflow="wrap" %}
```kusto
| where p_alert_update_time between $p_alert_update_time.start_time .. $p_alert_update_time.end_time
```
{% endcode %}
If you added a filter for the **Date Range** field, the filter will be based on `p_event_time`, and the following `where` clause will be added to the PantherFlow query underlying each visualization widget:
{% code overflow="wrap" %}
```kusto
| where p_event_time between $time.start_time .. $time.end_time
```
{% endcode %}
{% endtab %}
{% tab title="Array" %}
**Providing values to an array filter/variable**
1. Click the filter.
2. If the value you'd like to filter on is available in the dropdown, click its checkbox.
* The dropdown options do not represent all available options—they are some of the values of the field that are currently found in the data set.
* If you update the **Date Range** filter value, the data set will be refreshed, and the options may change.
* You can also enter custom values:
For array fields, a `where` clause like the following will be added to the PantherFlow query underlying each visualization widget (in this example, we are using `p_any_actor_ids`):
```kusto
| where arrays.overlap(p_any_actor_ids, $p_any_actor_ids)
```
{% endtab %}
{% endtabs %}
### Excluding a visualization widget from a filter
When a filter is created, it's automatically added to every visualization widget in the custom dashboard. If you prefer a certain visualization not be filtered:
* [Edit your visualization's PantherFlow query](#editing-a-visualization) to remove the `where` clause referencing the variable.
### Using a variable in a custom PantherFlow clause
After you've created a variable (by [creating a filter](#creating-a-dashboard-filter)) and [provided it a value](#providing-values-to-a-filter-variable), you may want to use it in custom clauses in the PantherFlow underlying a visualization.
1. Follow the steps in [Editing a visualization](#editing-a-visualization) to access a visualization widget's PantherFlow editor.
2. Modify the PantherFlow using the variable.
### Resetting a filter and variable value
* To reset a dashboard variable's value, click the filter, then click **Clear**.
* It's not possible to reset the value of a time filter.
### Deleting a dashboard filter and variable
When you delete a filter from a custom dashboard, you also delete the variable(s) it created.
To remove a dashboard filter and its related variable(s):
1. Click **Add Filter**.
2. Uncheck the field you'd like to remove.
* There `where` clause added to the underlying PantherFlow queries of each visualization will be removed.
{% hint style="warning" %}
When you delete a filter:
* If you've modified the `where` clause Panther inserted when you created a filter, Panther may not be able to properly remove it—you may have to do so manually.
* If you've used the variable in any [custom PantherFlow clauses](#using-a-variable-in-a-custom-pantherflow-clause), Panther will not remove them—you must do so manually.
{% endhint %}
).
* The form fields reflect the PantherFlow [`visualize` annotations](https://docs.panther.com/pantherflow/operators/visualize#supported-annotations), and include:
* In the **Data** section:
* **Chart Type**: Select **Bar chart**, **Line chart**, or **Table chart.**
* (If **Chart Type** is **Bar chart** or **Line chart**) **Y-axis**: Select the field you'd like to be represented on the vertical axis. (Select **Auto-detect** to allow Panther to infer the value based on your query.)
* (If **Chart Type** is **Bar chart** or **Line chart**) **X-axis**: Select the field you'd like to be represented on the horizontal axis. (Select **Auto-detect** to allow Panther to infer the value based on your query.)
* (If **Chart Type** is **Bar chart** or **Line chart**) **Series**: Select the field you'd like to use to group the data. (Select **Auto-detect** to allow Panther to infer the value based on your query.)
* (If **Chart Type** is **Bar chart** or **Line chart**) In the **Appearance** section:
* **Orientation**: Select an icon to indicate the direction of the bars.
* Orientation can only be altered if **Y-axis** and **X-axis** are both set to **Auto-detect**.
* **Show legend**: Toggle **On** or **Off** depending on whether the visualization should have a legend.
* (If **Show legend** is **On**) **Legend Position**: Select a value for the legend's placement.
* In the **Labels** section:
* **Visualization Title**: Enter a title for the visualization.
2. Click **Save Changes** to update the visualization widget or **Cancel** to discard your edits.
{% endtab %}
{% tab title="Using PantherFlow" %}
To update a visualization widget by editing its PantherFlow query:
1. On the left-hand side of the **Edit visualization settings** pop-up modal, click the down arrow icon to expand the PantherFlow query and enter edit mode.\
2. Edit the query as desired.
* Updates made to the [`visualize` operator](https://docs.panther.com/pantherflow/operators/visualize) will be reflected in the modal form (visible by clicking the up arrow icon: 
).
