--- title: Visualize detection alerts description: Visualize and group detection alerts using Summary, Trend, Counts, and Treemap views on the Alerts page. url: https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/visualize-detection-alerts products: - Elastic Cloud Serverless - Elastic Security applies_to: - Serverless Security projects: Generally available - Elastic Stack: Generally available --- # Visualize detection alerts The Alerts page includes a visualization section that helps you spot patterns, identify high-volume rules, and prioritize investigation. Choose from four view types, each designed for different analysis tasks. ![Alerts page with visualizations section](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/images/security-alert-page.png) ## View types at a glance | View | Best for | Supports secondary grouping | |-----------------------------------------------|-----------------------------------------------------------------|-----------------------------| | [Summary](#security-visualize-alerts-summary) | Quick overview of severity, top rules, and affected hosts/users | No | | [Trend](#security-visualize-alerts-trend) | Spotting alert spikes and patterns over time | No | | [Counts](#security-visualize-alerts-counts) | Comparing alert volumes across rules, hosts, or other fields | Yes | | [Treemap](#security-visualize-alerts-treemap) | Identifying the most frequent and critical alert combinations | Yes | ## Grouping alerts Use the dropdown menus above the visualization to group alerts by ECS fields: | Menu | Purpose | |-----------------------------|--------------------------------------------------------------------------------| | Group by (or Top alerts by) | Primary field for grouping alerts | | Group by top | Secondary field for subdividing groups (available in Counts and Treemap views) | **Example**: Group by `kibana.alert.rule.name`, then by `host.name` to see which rules fired and which hosts triggered each rule. For groupings with many unique values, only the top 1,000 results are displayed. ## Common actions | Action | How to do it | |------------------------|-----------------------------------------------------------------------------------------------| | Reset grouping | Hover over the visualization, click `boxes_horizontal`, then select **Reset group by fields** | | Inspect queries | Click `boxes_horizontal` and select **Inspect** | | Add to case | Click `boxes_horizontal` and select **Add to case** (Trend and Counts views only) | | Open in Lens | Click `boxes_horizontal` and select **Open in Lens** (Trend and Counts views only) | | Collapse visualization | Click `arrow_down` to show a compact summary instead | ![Alerts page with visualizations section collapsed](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/images/security-alert-page-viz-collapsed.png) ## Summary The default view. Shows alert distribution across three panels: | Panel | What it shows | |-----------------|------------------------------------------------------------------------------------| | Severity levels | Count of alerts by severity (`low`, `medium`, `high`, `critical`) | | Alerts by name | Count of alerts by detection rule | | Top alerts by | Percentage breakdown by `host.name`, `user.name`, `source.ip`, or `destination.ip` | Click any element (severity level, rule name, or host) to filter the Alerts table to those values. ![Summary visualization for alerts](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/images/security-alerts-viz-summary.png) ## Trend Shows alert volume over time as a stacked area chart. Use this to spot spikes, patterns, or changes in alert activity. | Setting | Default | |--------------------|--------------------------| | Group by | `kibana.alert.rule.name` | | Secondary grouping | Not available | ![Trend visualization for alerts](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/images/security-alerts-viz-trend.png) ## Counts Shows alert counts as a table, grouped by one or two fields. Use this to compare alert volumes across rules, hosts, users, or other dimensions. | Setting | Default | |--------------|--------------------------| | Group by | `kibana.alert.rule.name` | | Group by top | `host.name` | ![Counts visualization for alerts](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/images/security-alerts-viz-counts.png) ## Treemap Shows alert distribution as nested, proportionally-sized tiles. Larger tiles indicate more alerts; colors indicate risk score. | Setting | Default | |--------------|--------------------------| | Group by | `kibana.alert.rule.name` | | Group by top | `host.name` | ![Treemap visualization for alerts](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/images/security-alerts-viz-treemap.png) ### Treemap colors | Color | Risk score range | |--------|-------------------| | Green | Low (0–46) | | Yellow | Medium (47–72) | | Orange | High (73–98) | | Red | Critical (99–100) | ### Interacting with the treemap Click elements to filter the alerts table: - Click a **group label** (above a section) to filter to that group - Click an **individual tile** to filter to that specific combination Filters appear below the KQL search bar, where you can edit or remove them. ![Animation of clicking the treemap](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/images/security-treemap-click.gif) Some tiles may be small depending on alert volume. Hover over tiles to see details in a tooltip.