Documentation Index

Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt

Use this file to discover all available pages before exploring further.

🎉 ThreatConnect® 8.0 is now available!

Introduction to Dashboards

Prev Next

ThreatConnect 101  

Introduction to Dashboards

This video focuses on dashboards which serve as a centralized location for visualizing and understanding key intelligence within the platform. 


Guide: Introduction to Dashboards

Individual searches answer one-time questions. Dashboards answer ongoing ones, like what's trending on a specific threat actor, or what new IOCs have shown up this week. All without you having to re-run searches manually. This guide covers exploring existing dashboards and building your own from scratch.

Key Steps:

  1. Open an existing out-of-the-box dashboard (for example, a threat-actor-focused dashboard) to see how dashboards are structured. Note the mix of card types, some more graphical (number cards, tree maps), some more tabular (lists of matching objects).
  2. Click the three-dot menu on an existing card and choose Edit to see how it was built - the underlying TQL query, the display format (chart vs. table), and which owners/object types it pulls from. Reviewing a few existing cards is a good way to learn dashboard patterns before building your own.
  3. To start a new dashboard, go to Dashboards at the top of the screen and select Create Dashboard. Give it a clear, descriptive name (for example, “APT28 Intelligence - Last 7 Days”).
  4. Note the dashboard-level controls: the owner selector (top left) filters which intelligence sources feed the dashboard's cards; the global date range applies a time slice to any cards configured to use it; and the layout lock/unlock control lets you rearrange cards freely, then lock the layout once you're happy with it.
  5. Add your first card. You'll choose between three types: 
    • Metrics cards (pre-configured, no setup needed - for example, open cases or recently enriched indicators)
    • Widget cards (pre-built visual components)
    • Query cards (the most flexible, powered by custom TQL)
  6. Build a Query card by loading a previously saved query (from Guide 3) rather than starting from scratch, then give the card a specific, descriptive name (for example, “APT28 Reports - Last 7 Days” rather than just “Reports”).
  7. Choose a display format: Table or Chart. Table for smaller result sets where you want to click into individual objects, or Chart for larger result sets or trend/distribution analysis.
  8. If your card title references a time window (for example, “Last 7 Days”), add that date filter directly into the TQL query. The global date range control only affects cards specifically configured to use it, so a hardcoded title alone won't filter the data.
  9. Customize which columns appear on table cards. For intelligence reports, consider adding Tags for quick context; for IOC tables, prioritize Threat Assess Score and Observations.
  10. Save the card, then resize and reposition it on the dashboard's grid layout as needed.
  11. Add a second card using the same saved query, but display it as a Chart. Use Group By to aggregate on a field like Attack Tags to see which TTPs are trending, and set a limit (for example, top 10). A tree map or bar chart tends to work well for TTP data.
  12. Add a third card to pivot one layer deeper. For example, from intelligence reports to the IOCs associated with them. When pivoting from a Group-based query (like reports) to an Indicator-based query (like IOCs), build the query under the Indicators context, using a construct like hasGroup to link back to the original reports. This group-vs-indicator distinction is the most common mistake when building pivot cards, so take it slowly.
  13. Now you can see the cards on your dashboard and can configure them as you like. You can sort within each card and go straight to the underlying intelligence.

Good to know:

  • If a card comes back empty, check three things in order: the TQL query itself, whether the right owners are selected, and whether the date range is too narrow.
  • Clear, specific card labels matter. A vaguely named card (“IOCs”) is confusing to anyone who didn't build it, especially on a shared dashboard.
  • Dashboards are private by default. If you want to share one with your team, you'll need to explicitly turn on sharing.
  • Because dashboard cards are backed by live TQL queries, they stay current automatically, no manual refresh needed, and no stale screenshots in a weekly briefing.