Add and Manage Cards
After you create a dashboard, you can begin adding cards to it. Simply go to a dashboard and press the Add a Card button. Select to add a preconfigured card from the card library, or build your own card using a query.
Add a Card from the Library
Preconfigured cards are sorted into categories from your available logs.
When you select the category label, it will display all visual options available to you.

Preconfigured Cards
The following table lists all of the preconfigured cards available to you from InsightIDR:
Name | Type | Description |
---|---|---|
1.3.5 Denied Connection Attempts | Compliance | Visualize denied connections attempts as specified in PCI control 1.3.5 |
10.2.4 Failed Logins Over Time | Compliance | Visualize the number of failed logins over time per PCI control 10.2.4 |
10.2.5a Authentications Over Time | Compliance | Visualize all asset authentication over time per PCI control 10.2.5a |
4.1c Potential Insecure Connections | Compliance | Visualize connections that appear to be insecure (over port 80) as specified in PCI control 4.1c |
7.1.2b User authentications | Compliance | List of users who have logged in, in the specified time period per PCI control 7.1.2b |
8.1.1 Shared/Linked Accounts | Compliance | List of shared/linked accounts used in the specified time period per PCI control 8.1.1 |
8.1.3a Deactivated Accounts | Compliance | List of deactivated accounts in the last 6 months per PCI control 8.1.3a |
8.2.4a Recent Password Resets | Compliance | List of users who have had passwords reset within the specified time period per PCI control 8.2.4a |
AD Admin Actions | Active Directory Admin Activity | Show all "admin actions" |
Account Lockouts over Time | Active Directory Admin Activity | Shows the number of account lockouts by day |
Accounts Created | Active Directory Admin Activity | Users accounts that have been created |
Accounts Disabled | Active Directory Admin Activity | User accounts that have been disabled |
Accounts Locked | Active Directory Admin Activity | User accounts that have been locked |
Groups Users Were Added To | Active Directory Admin Activity | Groups that had users added to them |
Passwords Set to Never Expire | Active Directory Admin Activity | User accounts where the password was set to never expire |
Users Added to Groups | Active Directory Admin Activity | Accounts that were added to groups |
Users Who Added to Groups | Active Directory Admin Activity | Accounts that added users to groups |
Assets Accessing Excel & Word Files | File Access Activity | See which assets in your organization are being used to access the most text files and/or spreadsheets. |
DNS Queries to Uncommon Domains By Asset | DNS Query | Quickly see which assets are making requests to domains with uncommon public suffixes. This may help you determine if a specific asset is making unwanted requests to strange domains (possibly an indicator of malware). |
DNS Queries to Uncommon Domains by Public Suffix | DNS Query | Visualize request volume to domains that use an uncommon suffix. |
DNS Queries to Uncommon Domains by User | DNS Query | Quickly see which users are making requests to domains with uncommon public suffixes. This may help you determine if a user is making unwanted requests to strange domains. |
DNS Queries to Uncommon Domains over Time | DNS Query | Visualize traffic to uncommon domains over time. This may help you see patterns, trends or anomalies in your organizations internet activity. |
Total DNS Traffic over time | DNS Query | Visualize your organization's total DNS traffic over time. This may help you see patterns, trends or anomalies. |
Denied Traffic by port | Firewall Activity | Quickly visualize which destination ports have the most firewall denies. |
Denied Traffic over time | Firewall Activity | Visualize the volume of firewall denies over time. This may help you see patterns, trends or anomalies in denied network traffic. |
Inbound & Outbound traffic from Non-US countries by User | Firewall Activity | Track international traffic volume by user over time. This may help you see patterns, trends or anomalies in user activity. |
Inbound & Outbound traffic to Non-US countries by country | Firewall Activity | Track international traffic volume by country over time. This may help you see patterns, trends or anomalies in total international network traffic. |
Inbound Traffic from a Non-US Country by Port | Firewall Activity | Track international traffic volume by destination port over time. This may help you see patterns, trends or anomalies in application-specific traffic. |
Traffic to or from a Non-US country | Firewall Activity | Visualize the volume of all international network traffic by country. |
Traffic to or from a Non-US country ordered by User | Firewall Activity | Quickly see which users are generating the most international network traffic. |
Disabled Users Authenticating | Asset Authentication | Quickly see authentication attempts to disabled users. This may help you determine if there is a misconfiguration in your organization, or show you an indicator of brute force attempts against a specific disabled user. |
Failed Authentications - Users | Asset Authentication | Show all failed authentication activity by user |
Failed Authentications by Type | Asset Authentication | Show all failed authentication activity by type |
Failed Logins by Destination Asset | Asset Authentication | Quickly see which assets have the most failed authentications. This may be a misconfiguration or an indicator of a brute force attack on a specific asset. |
Failed Logins by User | Asset Authentication | Quickly see which users have the most failed authentications. |
Failed Logins over time | Asset Authentication | Track failed authentications over time. This may help you see patterns, trends or anomalies in overall failed authentications within your organization. |
First Time Authentication from Unfamiliar Source Asset | Asset Authentication | Shows users who have logged into an asset from an unfamiliar source asset |
First Time Authentications by User | Asset Authentication | Shows the number of first time authentications, sorted by user |
Interactive Authentications by System | Asset Authentication | Show which systems users have logged into interactively or remotely (remote here means via Remote Desktop) |
Local Administrator Network Logon Activity | Asset Authentication | Visualize local administrator authentications by asset. |
Login Count by Type | Asset Authentication | Quickly see the number of successful authentications by asset type. |
Logon Types | Asset Authentication | Show all the different types of authentication |
File Access by Name & Extension | File Access Activity | Quickly see the most accessed files in your network by filename and extension. |
File Access over time | File Access Activity | Visualize your organization's total file access activity over time. This may help you see patterns, trends or anomalies. |
File Share Access by Source Asset | File Access Activity | Quickly see which assets connect to your organization's file shares most often. |
File Share Access by User | File Access Activity | Quickly see which users access your organization's file shares most often. |
Users Accessing Excel & Word Files | File Access Activity | See which users in your organization are accessing the most text files and/or spreadsheets. |
High Severity IDS Alerts | IDS Alert | The number of high severity IDS alerts that have fired |
Medium Severity IDS Alerts | IDS Alert | The number of medium severity IDS alerts that have fired |
Low Severity IDS Alerts | IDS Alert | The number of low severity IDS alerts that have fired |
IDS Alert by Rule | IDS Alert | Breakdown your IDS alerts by rule |
IDS Alerts by Country | IDS Alert | Quickly see which countries are associated with IDS alerts in your environment |
IDS Alerts by User | IDS Alert | Visualize which users have IDS alerts attributed to them |
IDS Alerts for Unknown User by Source IP | IDS Alert | Visualize your IDS alerts which did not have a known User attributed to them |
IDS alerts by Asset | IDS Alert | Breakdown your IDS alerts by Asset |
IDS alerts for unknown Assets by IP | IDS Alert | Visualize your IDS alerts which did not have a known Asset attributed to them |
Ingress Authentications by ISP | Ingress Authentication | Breakdown ingress activity by which Service Provider the activity is originating from |
Ingress Authentications by Location | Ingress Authentication | See where in the world your users are connecting to your network from |
Ingress Authentications by Service | Ingress Authentication | Visualize ingress into your network by the cloud service it originated from |
Ingress Authentications from China | Ingress Authentication | Quickly see which users are ingressing into your network from China |
Ingress Authentications from Russia | Ingress Authentication | Quickly see which users are ingressing into your network from Russia |
Ingress Authentications from outside the US by user | Ingress Authentication | Quickly see which users are ingressing into your network from outside the United States |
Ingress Authentications over the last 24 hours | Ingress Authentication | Visualize trends in ingress activity over 24 hours |
Ingress Authentications over the last 24 hours from Outside the US | Ingress Authentication | Visualize international ingress activity over 24 hours |
Virus Alerts Over Last 24 Hours | Virus Alert | Visualize AV trends over time |
Virus Alerts by Asset | Virus Alert | See which assets in your network are potentially infected |
Virus Alerts by File | Virus Alert | Breakdown the virus alerts in your network by the files being alerted upon |
Virus Alerts by User | Virus Alert | Quickly see which users have the most AV activity associated with them |
Build Your Own Card
If you decide to build your own visual card, you need to provide a query and select the log(s) you want to apply the query to. Learn how to Build a Query or use Example Queries when building your own card.
After selecting an option, you will see a live preview of the results of your query. Visualizations that are not compatible with your query are greyed out.


Manage Cards
Each visual card has a cogwheel of options. From here, you can:
- view applicable logs.
- edit the card.
- copy the card.
- remove the card from the dashboard.
- export the card to PDF.
- export the log data to a CSV file.

Exported log data and exported PDFs are available in the "Report Archive".