Vulnerability Distribution by Severity

The Vulnerability Distribution by Severity report shows the count of vulnerabilities broken down by severity number.

Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Pie Chart visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. One bucket is needed to configure this visualization. Under Buckets, click the Add button, making sure to select Split Slices.
  10. In the Aggregation drop down, select Terms.
  11. In the Field box, enter "vulnerability.severity" or search for it.
  12. Order by, Order and Size should all remain at their default values. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  13. When the bucket is configured, click the Apply Changes button.
  14. Set the date range for the visualization.
  15. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  16. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]



Vulnerability by Host

The Vulnerability by Host report will show you the top vulnerabilities by hostname

Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. Four buckets are needed to configure this visualization.
  10. Bucket configuration for Bucket 1
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "host.ip" or search for it.
    4. Order by, Order and Size should all remain at their default values. Properly configured, the first bucket configuration will look like the screenshot below:
      [screenshot]
  11. Bucket configuration for Bucket 2
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "vulnerability.description" or search for it.
    4. Order by, Order and Size should all remain at their default values. Properly configured, the second bucket configuration will look like the screenshot below:
      [screenshot]
  12. Bucket configuration for Bucket 3
    1. Under Buckets, click the Add button, and select Split Table.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "host.hostname" or search for it.
    4. Order by, Order and Size should all remain at their default values. Properly configured, the third bucket configuration will look like the screenshot below:
      [screenshot]
  13. Bucket configuration for Bucket 4
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "vulnerability.score.base" or search for it.
    4. Set Order by to "Custom Metric".
    5. Set the custom metric's Aggregation to Count.
    6. Order and Size should remain at their default values. Properly configured, the fourth bucket configuration will look like the screenshot below:
      [screenshot]
  14. When the buckets are configured, click the Apply Changes button.
  15. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  16. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Vulnerability Distribution by First Found

The Vulnerability Distribution by First Found report will show you the vulnerabilities by the date they were first discovered.


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Pie Chart visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
    2. Partner accountId may be 1 or another number. Select the source matching the customer account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. One bucket is needed to configure this visualization. Under Buckets, click the Add button, making sure to select Split Slices.
  10. In the Aggregation drop down, select Date Histogram.
  11. In the Field box, enter "vulnerability.first_found" or search for it.
  12. Set the value in the Minimum interval box to Weekly.
  13. A custom label of Week First Found can be added.
  14. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  15. When the bucket is configured, click the Apply Changes button.
  16. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  17. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Top 5 Hosts by Count of High Severity Vulnerabilities

The Top 5 Hosts by Count of High Severity Vulnerabilities report will show you the top 5 hosts by count of high severity vulnerabilities


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Vertical Bar visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. Two filters will be applied to this visualization:
    1. Click on Add filter.
    2. Set the first filter up as seen below.
      [screenshot]
    3. Set the second filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. Two buckets are needed to configure this visualization.
  10. Under Buckets, click the Add button and select X-Axis.
  11. In the Aggregation drop down, select Terms.
  12. In the Field box, enter "host.hostname" or search for it.
  13. Order by, Order and Size should all remain at their default values. Properly configured, the first bucket configuration will look like the screenshot below:
    [screenshot]
  14. For the second bucket, click the Add button.
  15. Select Split Series and, in the Aggregation drop down, select Terms.
  16. In the Field box, enter "vulnerability.severity" or search for it.
  17. Set Order by to Alphabetical; Order and Size should remain at their default values. A custom label of Severity can be added.
  18. Properly configured, the second bucket configuration will look like the screenshot below:
    [screenshot]
  19. When the buckets are configured, click the Apply Changes button.
  20. Set the date range for the visualization.
  21. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  22. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]
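Both the Vulnerability by Host data table above and this Top 5 Hosts chart are chains of Terms buckets, each nested inside the previous one. The following added example (not AMP's or the product's own code) builds those nested aggregations the way the editor does and includes a small reference implementation for the Top 5 chart over constructed sample findings. Assumptions, as in the earlier example: the source filter's field name is only in the screenshot, so `log_type` stands in for it; `@timestamp` is the time field; and the "high severity" filter is taken to be severity values 3, 4 and 5, the values the Count of High Severity Vulnerabilities by Report Date section later tells you to type in.

```python
"""Added example, not AMP's own code: the nested Terms aggregations behind the
Vulnerability by Host data table and the Top 5 Hosts by Count of High Severity
Vulnerabilities bar chart, with a reference implementation over sample documents."""
import json
from collections import Counter

# ASSUMED: the page shows the source filter's field name only in a screenshot.
TYPE_FIELD = "log_type"
TYPE_VALUE = "ecs-1.5.0-vulnerability"
TIME_FIELD = "@timestamp"  # ASSUMED time field used by the date range picker
# ASSUMED: the "high severity" filter matches severities 3, 4 and 5, the values
# given in the Count of High Severity Vulnerabilities by Report Date section.
HIGH_SEVERITIES = [3, 4, 5]


def get_path(doc, dotted):
    """Read a dotted ECS path such as host.hostname from a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def nested_terms(buckets):
    """What the editor sends for a chain of Split Rows / X-Axis / Split Series
    buckets: one Terms agg nested inside the previous, outermost first.
    buckets: list of (field, size, order) with order such as {"_count": "desc"}."""
    aggs = {}
    for field, size, order in reversed(buckets):
        name = "by_" + field.replace(".", "_")
        node = {"terms": {"field": field, "size": size, "order": order}}
        if aggs:
            node["aggs"] = aggs  # the bucket added after this one nests inside it
        aggs = {name: node}
    return aggs


def base_filters(start, end, extra=()):
    return [{"term": {TYPE_FIELD: TYPE_VALUE}},
            {"range": {TIME_FIELD: {"gte": start, "lte": end}}}, *extra]


def vuln_by_host_request(start, end):
    """Four Split Rows buckets at the default size 5, each ordered by count.
    Bucket 4's custom Count metric orders by the same _count as the default."""
    by_count = {"_count": "desc"}
    rows = [("host.ip", 5, by_count), ("vulnerability.description", 5, by_count),
            ("host.hostname", 5, by_count), ("vulnerability.score.base", 5, by_count)]
    return {"size": 0, "query": {"bool": {"filter": base_filters(start, end)}},
            "aggs": nested_terms(rows)}


def top_hosts_high_severity_request(start, end, top_n=5):
    """X-Axis on host.hostname (top_n, count descending) with a Split Series on
    vulnerability.severity ordered alphabetically, restricted to high severities."""
    extra = [{"terms": {"vulnerability.severity": HIGH_SEVERITIES}}]
    buckets = [("host.hostname", top_n, {"_count": "desc"}),
               ("vulnerability.severity", 5, {"_key": "asc"})]
    return {"size": 0, "query": {"bool": {"filter": base_filters(start, end, extra)}},
            "aggs": nested_terms(buckets)}


def top_hosts_high_severity(docs, top_n=5):
    """Reference for the bar chart: per host, the number of high-severity findings
    and the per-severity split. Returns [(hostname, total, {severity: n}), ...]."""
    per_host, per_host_sev = Counter(), {}
    for doc in docs:
        if get_path(doc, TYPE_FIELD) != TYPE_VALUE:
            continue
        sev = get_path(doc, "vulnerability.severity")
        host = get_path(doc, "host.hostname")
        if sev not in HIGH_SEVERITIES or host is None:
            continue  # the severity filter, and Terms dropping docs without a hostname
        per_host[host] += 1
        per_host_sev.setdefault(host, Counter())[sev] += 1
    return [(host, n, dict(sorted(per_host_sev[host].items())))
            for host, n in per_host.most_common(top_n)]


# Constructed sample findings: three hosts, including low-severity findings that
# the high-severity filter must drop.
SAMPLE_DOCS = [
    {TYPE_FIELD: TYPE_VALUE, "host": {"hostname": "web01"}, "vulnerability": {"severity": 5}},
    {TYPE_FIELD: TYPE_VALUE, "host": {"hostname": "web01"}, "vulnerability": {"severity": 4}},
    {TYPE_FIELD: TYPE_VALUE, "host": {"hostname": "web01"}, "vulnerability": {"severity": 4}},
    {TYPE_FIELD: TYPE_VALUE, "host": {"hostname": "db01"}, "vulnerability": {"severity": 3}},
    {TYPE_FIELD: TYPE_VALUE, "host": {"hostname": "db01"}, "vulnerability": {"severity": 1}},
    {TYPE_FIELD: TYPE_VALUE, "host": {"hostname": "dc01"}, "vulnerability": {"severity": 2}},
]

if __name__ == "__main__":
    print(json.dumps(top_hosts_high_severity_request("now-7d", "now"), indent=2))
    print(top_hosts_high_severity(SAMPLE_DOCS))
    # [('web01', 3, {4: 2, 5: 1}), ('db01', 1, {3: 1})]
```

The nesting explains a behaviour that surprises people reading the data table: Size applies at every level, so with the defaults the table shows the top 5 descriptions within each of the top 5 IPs, and so on. A host that is missing from the table has usually been cut by the Size of an outer bucket, not filtered out, and raising Size on the outer bucket brings it back. For the bar chart, ordering the X-Axis by count means hosts are ranked by their total across all high severities, with the Split Series only colouring that total.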




Top 5 Hosts by Count of Vulnerabilities

The Top 5 Hosts by Count of Vulnerabilities report will show you the top 5 hosts by count of total vulnerabilities


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Vertical Bar visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. Three filters will be applied to this visualization:
    1. Click on Add filter.
    2. Set the first filter up as seen below.
      [screenshot]
    3. Set the second filter up as seen below.
      [screenshot]
    4. Set the last filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. Two buckets are needed to configure this visualization.
  10. Under Buckets, click the Add button and select X-Axis.
  11. In the Aggregation drop down, select Terms.
  12. In the Field box, enter "host.hostname" or search for it.
  13. Set Order by to Metric: Vulnerability Count by Severity.
  14. Set Order to Descending.
  15. Size can vary, but for this example it is set to 200.
  16. A custom label of Hosts can be added.
  17. Properly configured, the first bucket configuration will look like the screenshot below:
    [screenshot]
  18. For the second bucket, click the Add button.
  19. Select Split Series and, in the Aggregation drop down, select Terms.
  20. In the Field box, enter "vulnerability.severity" or search for it.
  21. Set Order by to Alphabetical; Order and Size should remain at their default values. A custom label of Severity can be added.
  22. Properly configured, the second bucket configuration will look like the screenshot below:
    [screenshot]
  23. When the buckets are configured, click the Apply Changes button.
  24. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  25. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Top 5 Hosts by Count of Net New Vulnerabilities

The Top 5 Hosts by Count of Net New Vulnerabilities report will show you the top 5 hosts by count of net new vulnerabilities


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Vertical Bar visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. Two filters will be applied to this visualization:
    1. Click on Add filter.
    2. Set the first filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
    3. Set the second filter up as seen below.
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. Two buckets are needed to configure this visualization.
  10. Under Buckets, click the Add button and select X-Axis.
  11. In the Aggregation drop down, select Terms.
  12. In the Field box, enter "host.hostname" or search for it.
  13. Order by, Order and Size should all remain at their default values. Properly configured, the first bucket configuration will look like the screenshot below:
    [screenshot]
  14. For the second bucket, click the Add button.
  15. Select Split Series and, in the Aggregation drop down, select Terms.
  16. In the Field box, enter "vulnerability.severity" or search for it.
  17. Set Order by to Alphabetical; Order and Size can remain at their default values. A custom label of Severity can be added. Properly configured, the second bucket configuration will look like the screenshot below:
    [screenshot]
  18. When the buckets are configured, click the Apply Changes button.
  19. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  20. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Vulnerabilities Sorted from First to Last Discovered

The Vulnerabilities Sorted From First to Last Discovered report will show you a data table of all vulnerabilities sorted from first to last by discovered date


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. Three buckets are needed to configure this visualization.
  10. Bucket configuration for Bucket 1
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Date Histogram.
    3. In the Field box, enter "vulnerability.first_found" or search for it.
    4. In the Minimum Interval box, select Daily.
    5. A custom label of First Report Containing Vulnerability can be set.
    6. Properly configured, the first bucket configuration will look like the screenshot below:
      [screenshot]
  11. Bucket configuration for Bucket 2
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "vulnerability.description" or search for it.
    4. Order by and Order should remain at their default values.
    5. Size can vary, but for this example it is set to 50.
    6. A custom label of Vulnerability Description can be set.
    7. Properly configured, the second bucket configuration will look like the screenshot below:
      [screenshot]
  12. Bucket configuration for Bucket 3
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "vulnerability.id" or search for it.
    4. Set Order by to Alphabetical; Order and Size should remain at their default values.
    5. Properly configured, the third bucket configuration will look like the screenshot below:
      [screenshot]
  13. When the buckets are configured, click the Apply Changes button.
  14. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Vulnerability Distribution by OS

The Vulnerability Distribution by OS report will show you the vulnerabilities by Operating System type


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Pie Chart visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. One bucket is needed to configure this visualization. Under Buckets, click the Add button, making sure to select Split Slices.
  10. In the Aggregation drop down, select Terms.
  11. In the Field box, enter "host.os.full" or search for it.
  12. Order by, Order and Size should all remain at their default values.
  13. A custom label of Operating System can be set.
  14. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  15. When the bucket is configured, click the Apply Changes button.
  16. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  17. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Count of Vulnerabilities by Report Date

The Count of Vulnerabilities By Report Date report will show you a line graph of vulnerability count by report date


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Line visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
    2. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. One bucket is needed to configure this visualization.
  10. Under Buckets, click the Add button and select X-Axis.
  11. In the Aggregation drop down, select Date Histogram.
  12. In the Field box, enter "@timestamp" or search for it.
  13. In the Minimum Interval box, select Daily.
  14. A custom label of Vulnerability Report Date can be set.
  15. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  16. When the bucket is configured, click the Apply Changes button.
  17. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Count of High Severity Vulnerabilities by Report Date

The Count of High Severity Vulnerabilities By Report Date report will show you a line graph of the count of high severity vulnerabilities by date


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Line visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
    2. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. Two filters will be applied to this visualization:
    1. Click on Add filter.
    2. Set the first filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
      [screenshot]
    3. Set the second filter up as seen below. You will have to manually type the values 3, 4 and 5; these are the severity levels treated as high.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. One bucket is needed to configure this visualization.
  10. Under Buckets, click the Add button and select X-Axis.
  11. In the Aggregation drop down, select Date Histogram.
  12. In the Field box, enter "@timestamp" or search for it.
  13. In the Minimum Interval box, select Daily.
  14. A custom label of Vulnerability Report Date can be set.
  15. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  16. When the bucket is configured, click the Apply Changes button.
  17. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Count of IDS Events

The Count of IDS Events report will show you a line graph count of IDS events


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Line visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "trend-hids" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-axis Count. No change is needed.
  9. One bucket is needed to configure this visualization.
  10. Under Buckets, click the Add button and select X-Axis.
  11. In the Aggregation drop down, select Date Histogram.
  12. In the Field box, enter "@timestamp" or search for it.
  13. In the Minimum Interval box, select Daily.
  14. A custom label of Date can be set.
  15. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  16. When the bucket is configured, click the Apply Changes button.
  17. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]
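The Vulnerability Distribution by First Found pie chart, the Count of Vulnerabilities by Report Date and Count of High Severity Vulnerabilities by Report Date line graphs, and the Count of IDS Events line graph above all rest on one Date Histogram bucket; they differ only in the source filter, the date field and the Minimum interval. The following added example (not AMP's or the product's own code) builds that request and bucketises constructed sample documents the same way, so the counts a chart shows can be checked. As in the earlier examples, `log_type` is a placeholder for the filter field that the page only shows in screenshots, `@timestamp` is assumed to be the time field, and the high-severity filter is assumed to match severities 3, 4 and 5.

```python
"""Added example, not AMP's own code: the Date Histogram aggregation behind the
Vulnerability Distribution by First Found chart, the two Count ... by Report Date
line graphs and the Count of IDS Events graph, plus a reference bucketing function."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

TYPE_FIELD = "log_type"  # ASSUMED: the filter field appears only in the page's screenshots
VULN_TYPE = "ecs-1.5.0-vulnerability"
IDS_TYPE = "trend-hids"
HIGH_SEVERITIES = [3, 4, 5]  # the page's high-severity filter values (assumed field)

# The editor's "Minimum interval" choices expressed as Elasticsearch calendar intervals.
INTERVALS = {"Daily": "1d", "Weekly": "1w"}


def get_path(doc, dotted):
    """Read a dotted ECS path such as vulnerability.first_found from a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def date_histogram_request(type_value, date_field, interval, start, end, extra_filters=()):
    """One X-Axis / Split Slices bucket: a Date Histogram on date_field, with the
    source filter, the time picker range and any extra filters the chart adds."""
    filters = [{"term": {TYPE_FIELD: type_value}},
               {"range": {"@timestamp": {"gte": start, "lte": end}}}, *extra_filters]
    return {"size": 0, "query": {"bool": {"filter": filters}},
            "aggs": {"over_time": {"date_histogram": {
                "field": date_field, "calendar_interval": INTERVALS[interval],
                "min_doc_count": 1}}}}  # empty buckets are not drawn by default


def high_severity_by_report_date_request(start, end):
    """The second line graph: daily on @timestamp, restricted to severities 3, 4 and 5."""
    return date_histogram_request(VULN_TYPE, "@timestamp", "Daily", start, end,
                                  [{"terms": {"vulnerability.severity": HIGH_SEVERITIES}}])


def bucket_start(ts, interval):
    """Truncate a UTC timestamp the way the calendar interval does: daily buckets
    start at 00:00 UTC, weekly buckets on Monday 00:00 UTC."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if interval == "Weekly":
        day -= timedelta(days=day.weekday())  # Monday is weekday 0
    return day


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def histogram(docs, type_value, date_field, interval, keep=lambda doc: True):
    """Reference implementation: {bucket start date: count} for the matching docs."""
    counts = Counter()
    for doc in docs:
        if get_path(doc, TYPE_FIELD) != type_value or not keep(doc):
            continue
        raw = get_path(doc, date_field)
        if raw is None:
            continue  # a document without the date field gets no bucket
        counts[bucket_start(parse_ts(raw), interval).date().isoformat()] += 1
    return dict(sorted(counts.items()))


def is_high(doc):
    return get_path(doc, "vulnerability.severity") in HIGH_SEVERITIES


# Constructed sample: three reports (1, 3 and 7 May 2024, so two ISO weeks) and two
# IDS events. The first finding is repeated in two reports on purpose.
SAMPLE_DOCS = [
    {"@timestamp": "2024-05-01T02:00:00Z", TYPE_FIELD: VULN_TYPE,
     "vulnerability": {"severity": 5, "first_found": "2024-04-30T00:00:00Z"}},
    {"@timestamp": "2024-05-03T02:00:00Z", TYPE_FIELD: VULN_TYPE,
     "vulnerability": {"severity": 5, "first_found": "2024-04-30T00:00:00Z"}},
    {"@timestamp": "2024-05-03T02:00:00Z", TYPE_FIELD: VULN_TYPE,
     "vulnerability": {"severity": 2, "first_found": "2024-05-03T00:00:00Z"}},
    {"@timestamp": "2024-05-07T02:00:00Z", TYPE_FIELD: VULN_TYPE,
     "vulnerability": {"severity": 4, "first_found": "2024-05-07T00:00:00Z"}},
    {"@timestamp": "2024-05-03T09:00:00Z", TYPE_FIELD: IDS_TYPE, "hostname": "web01"},
    {"@timestamp": "2024-05-03T23:59:59Z", TYPE_FIELD: IDS_TYPE, "hostname": "db01"},
]

if __name__ == "__main__":
    print(json.dumps(high_severity_by_report_date_request("now-30d", "now"), indent=2))
    print(histogram(SAMPLE_DOCS, VULN_TYPE, "vulnerability.first_found", "Weekly"))
    print(histogram(SAMPLE_DOCS, VULN_TYPE, "@timestamp", "Daily", keep=is_high))
    print(histogram(SAMPLE_DOCS, IDS_TYPE, "@timestamp", "Daily"))
```

The sample shows the multi-report effect on the First Found chart directly: the finding first seen on 30 April appears in two reports, so the week of 29 April is credited with three findings although only two distinct vulnerabilities were first found that week. Narrowing to one report id, as the page suggests, removes the duplication. Two further practical caveats: "Minimum interval" is a minimum, so the editor may widen Weekly or Daily to a coarser interval when the selected date range would produce too many buckets, and a Kibana-style editor buckets in the browser's time zone, whereas the reference above uses UTC; expect day boundaries to shift accordingly.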




Top 10 IDS Event Types

The Top 10 IDS Event Types report will show you a data table of the Top 10 types of IDS event


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option. (This report is a data table; its Split Rows bucket and Metric Count setting below are data table options.)
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "trend-hids" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Metric Count. No change is needed.
  9. One bucket is needed to configure this visualization.
  10. Under Buckets, click the Add button and select Split Rows.
  11. In the Aggregation drop down, select Terms.
  12. In the Field box, enter "parsed.trendmicro.name" or search for it.
  13. Set Order by to Metric: Count, Order to Descending and Size to 10.
  14. A custom label of IDS Event Type Name can be set.
  15. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  16. When the bucket is configured, click the Apply Changes button.
  17. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Top 5 Systems by IDS Event Count

The Top 5 Systems By IDS Event Count report will show you a vertical bar graph of the Top 5 systems by the total count of IDS events


Steps:
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Vertical Bar visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter.
    2. Set the filter up as seen below. You will have to manually type "trend-hids" in the Value field and click Save.
      [screenshot]
  8. Under metrics this should already be set to Y-Axis Count. No change is needed.
  9. One bucket is needed to configure this visualization.
  10. Under Buckets, click the Add button and select X-Axis.
  11. In the Aggregation drop down, select Terms.
  12. In the Field box, enter "hostname" or search for it.
  13. Leave Order by, Order and Size at their default values.
  14. A custom label of Hostname can be set.
  15. Properly configured, the bucket configuration will look like the screenshot below:
    [screenshot]
  16. When the bucket is configured, click the Apply Changes button.
  17. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Example: [screenshot]




Security - IPRM Location

The Security — IPRM Location report will show you a data table with geographic country locations and security event counts coming from each country


Expand
titleClick for Steps...
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. Three filters will be applied to this visualization:
    1. Click on Add filter
    2. Set the first filter up as seen below
      Image Modified
    3. Set the second filter up as seen below
      Image Modified
    4. Set the third filter up as seen below
      Image Modified
  8. Under metrics this should already be set to Metric Count. No change is needed.
  9. One bucket is needed to configure this visualization.
  10. Bucket configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "src_geo.country_name" or search for it.
    4. Set Order to Descending and Size to 10 (the size can vary depending on how long you want the list).
    5. A custom label of Location can be added
    6. Properly configured, the bucket configuration will look like the screenshot below:
      Image Modified
  11. When the buckets are configured, click the Apply Changes button.
  12. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  13. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Expand
titleClick for Example...

Image Modified




Windows Successful Logins

The Windows Successful Logins report will show you a data table listing hostname, timestamp and the message log for successful logins on Windows systems.


Expand
titleClick for Steps...
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter
    2. Set the filter up as seen below. The value in Field is wineventlog.event_id.
      Image Modified
  8. Under metrics this should already be set to Metric Count. No change is needed.
  9. Three buckets are needed to configure this visualization.
  10. Bucket 1 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "@timestamp" or search for it.
    4. Set Order to Descending and Size to 5 (the size can vary depending on how long you want the list).
    5. Properly configured, the first bucket configuration will look like the screenshot below:
      Image Modified
  11. Bucket 2 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "hostname" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the second bucket configuration will look like the screenshot below:
      Image Modified
  12. Bucket 3 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "message" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the third bucket configuration will look like the screenshot below:
      Image Modified
  13. When the buckets are configured, click the Apply Changes button.
  14. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Expand
titleClick for Example...

Image Modified




Windows Failed Logins

The Windows Failed Logins report will show you a data table listing hostname, timestamp and the message log for failed logins on Windows systems.


Expand
titleClick for Steps...
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. One filter will be applied to this visualization:
    1. Click on Add filter
    2. Set the filter up as seen below. The value in Field is wineventlog.event_id.
      Image Modified
  8. Under metrics this should already be set to Metric Count. No change is needed.
  9. Three buckets are needed to configure this visualization.
  10. Bucket 1 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "@timestamp" or search for it.
    4. Set Order to Descending and Size to 5 (the size can vary depending on how long you want the list).
    5. Properly configured, the first bucket configuration will look like the screenshot below:
      Image Modified
  11. Bucket 2 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "hostname" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the second bucket configuration will look like the screenshot below:
      Image Modified
  12. Bucket 3 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "message" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the third bucket configuration will look like the screenshot below:
      Image Modified
  13. When the buckets are configured, click the Apply Changes button.
  14. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Expand
titleClick for Example...

Image Modified




Linux Successful Logins

The Linux Successful Logins report will show you a data table listing hostname, timestamp and the message log for successful logins on Linux systems.


Expand
titleClick for Steps...
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. Two filters will be applied to this visualization:
    1. Click on Add filter
    2. Set the first filter up as seen below
      Image Modified
    3. Set the second filter up as seen below
      Image Modified
  8. Under metrics this should already be set to Metric Count. No change is needed.
  9. Three buckets are needed to configure this visualization.
  10. Bucket 1 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "@timestamp" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the first bucket configuration will look like the screenshot below:
      Image Modified
  11. Bucket 2 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "hostname" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the second bucket configuration will look like the screenshot below:
      Image Modified
  12. Bucket 3 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "message" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the third bucket configuration will look like the screenshot below:
      Image Modified
  13. When the buckets are configured, click the Apply Changes button.
  14. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.



Expand
titleClick for Example...
Image Modified




Linux Failed Logins

The Linux Failed Logins report will show you a data table listing hostname, timestamp and the message log for failed logins on Linux systems.


Expand
titleClick for Steps...
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, select the Data Table visualization option.
  5. Choose a source.
    1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  7. Two filters will be applied to this visualization:
    1. Click on Add filter
    2. Set the first filter up as seen below
      Image Modified
    3. Set the second filter up as seen below
      Image Modified
  8. Under metrics this should already be set to Metric Count. No change is needed.
  9. Three buckets are needed to configure this visualization.
  10. Bucket 1 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "@timestamp" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the first bucket configuration will look like the screenshot below:
      Image Modified
  11. Bucket 2 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "hostname" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the second bucket configuration will look like the screenshot below:
      Image Modified
  12. Bucket 3 configuration
    1. Under Buckets, click the Add button, and select Split Rows.
    2. In the Aggregation drop down, select Terms.
    3. In the Field box, enter "message" or search for it.
    4. Set Order to Descending and Size to 1000 (the size can vary depending on how long you want the list).
    5. Properly configured, the third bucket configuration will look like the screenshot below:
      Image Modified
  13. When the buckets are configured, click the Apply Changes button.
  14. Set the date range for the visualization.
    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.
  15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

Expand
titleClick for Example...
Image Modified






PCI Flagged Vulnerabilities



Expand
titleClick for steps...
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, scroll down and select "Data Table".
  5. In sources, select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
  6. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  7. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  8. Under "Buckets", select "Add" and then "Split Rows".
    Image Modified
  9. Select "Terms" for the Aggregation, type "vulnerability.pci_flag" for the Field and click the blue arrow at the top of the box to apply the change.
    Image Modified
  10. Next, select "+Add filter", type "vulnerability.description" for Field, choose "Exists" as the Operator and click "Save".
    Image Modified
  11. Add another filter by selecting "+Add filter", type "vulnerability.pci_flag" for Field, choose "is" for Operator, type the number "1" in Value and click "Save".
    Image Modified
  12. If no data populates, adjust the time range.
  13. Don't forget to save your Visualization at the top left.
Expand
titleExpand for example...

Image Modified




CSPM: Failed by Severity

The CSPM: Failed by Severity visualization is a pie chart that displays failed reports by severity.


Expand
titleClick for steps...
  1. In AMP, go to the Log Search screen.
  2. Click on Visualizations.
  3. Click the Create new visualization button.
  4. In the New Visualization pop up, scroll down and select "Pie".
  5. Choose a source.
  6. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
  7. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".
  8. Log Search will refresh to display the query screen. From here, the visualization can be configured.
  9. Click "Add filter" to restrict the visualization to the failed report data:
  10. Type "event.outcome" in Field, set Operator to "is" and Value to "FAIL", then click "Save".
    Image Modified
    1. (If you receive an error, change the time range to the last 30 days to expand your search.)
  11. Navigate to Buckets, add a bucket and select "Split slices".
    Image Modified
  12. Set Aggregation to Terms and type "event.severity" for Field.
    Image Modified
    1. To confirm those changes, click the blue box with a triangle:
      Image Modified
  13. Don't forget to save your Visualization at the top left.
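Every procedure on this page, from the PCI Flagged Vulnerabilities table to the CSPM: Failed by Severity pie chart (and the login data tables with their stacked Split Rows buckets), reduces to the same two pieces: filters that restrict which documents are counted, and one or more Terms buckets that count them per field value. The Python below is an added example, not code from AMP or Log Search; it assumes Log Search is Kibana in front of Elasticsearch, turns the clicked configuration into the request body that configuration produces (an "is" filter becomes match_phrase, an "exists" filter becomes exists, each Split Rows or Split Slices bucket becomes a terms aggregation nested in the previous one), and then applies the same filter-and-bucket logic to constructed sample documents so the expected table can be checked without a cluster. The field names and values are the ones the steps use; the documents are constructed for the example.

```python
"""Offline model of a Log Search filter + Terms-bucket visualization.

Added example, not AMP/Log Search code. Assumes Log Search is Kibana over
Elasticsearch; the sample documents below are constructed for the example.
"""
from collections import Counter

# --- 1. the request body the click-through configuration produces ----------

def build_request(filters, bucket_fields, size=10):
    """filters: list of {"field", "operator": "is" | "exists", "value"?}
    bucket_fields: one field per Split Rows / Split Slices bucket, outermost first.
    """
    clauses = []
    for f in filters:
        if f["operator"] == "is":          # Kibana "is" filter -> match_phrase
            clauses.append({"match_phrase": {f["field"]: f["value"]}})
        elif f["operator"] == "exists":    # Kibana "exists" filter -> exists
            clauses.append({"exists": {"field": f["field"]}})
        else:
            raise ValueError(f"unsupported operator {f['operator']!r}")
    aggs = {}
    # Each additional bucket nests inside the previous one, so build from
    # the innermost field outwards.  Order by: Metric Count, Descending.
    for i in range(len(bucket_fields) - 1, -1, -1):
        agg = {"terms": {"field": bucket_fields[i], "size": size,
                         "order": {"_count": "desc"}}}
        if aggs:
            agg["aggs"] = aggs
        aggs = {str(i + 1): agg}
    return {"size": 0, "query": {"bool": {"filter": clauses}}, "aggs": aggs}

# --- 2. the same logic applied offline to sample documents ------------------

def get_field(doc, path):
    """Resolve a dotted field name such as "event.severity" against a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(doc, filters):
    for f in filters:
        value = get_field(doc, f["field"])
        if f["operator"] == "exists" and value is None:
            return False
        if f["operator"] == "is" and str(value) != str(f["value"]):
            return False
    return True

def evaluate(docs, filters, bucket_fields, size=10):
    """Return the table rows as (key tuple, count), most frequent first.

    Documents missing any bucket field are skipped, as a terms aggregation
    skips them.  For a single bucket this is exactly what the cluster
    returns; with several buckets the cluster applies `size` per nesting
    level, whereas this flattens the keys and applies it once.
    """
    counts = Counter()
    for doc in docs:
        if not matches(doc, filters):
            continue
        key = tuple(get_field(doc, field) for field in bucket_fields)
        if any(k is None for k in key):
            continue
        counts[key] += 1
    return counts.most_common(size)

# --- 3. the two fully specified visualizations from this page ---------------

CSPM_FILTERS = [{"field": "event.outcome", "operator": "is", "value": "FAIL"}]
CSPM_BUCKETS = ["event.severity"]
PCI_FILTERS = [{"field": "vulnerability.description", "operator": "exists"},
               {"field": "vulnerability.pci_flag", "operator": "is", "value": "1"}]
PCI_BUCKETS = ["vulnerability.pci_flag"]

# Constructed sample documents (not real AMP data).
CSPM_DOCS = [
    {"event": {"outcome": "FAIL", "severity": "high"}},
    {"event": {"outcome": "FAIL", "severity": "high"}},
    {"event": {"outcome": "FAIL", "severity": "medium"}},
    {"event": {"outcome": "PASS", "severity": "high"}},   # dropped by the filter
    {"event": {"outcome": "FAIL", "severity": "low"}},
    {"event": {"outcome": "FAIL"}},                       # no severity: not bucketed
]
PCI_DOCS = [
    {"vulnerability": {"description": "constructed finding A", "pci_flag": 1}},
    {"vulnerability": {"description": "constructed finding B", "pci_flag": 1}},
    {"vulnerability": {"description": "constructed finding C", "pci_flag": 0}},
    {"vulnerability": {"pci_flag": 1}},                   # no description: filtered out
]

def cspm_failed_by_severity():
    return evaluate(CSPM_DOCS, CSPM_FILTERS, CSPM_BUCKETS)

def pci_flagged():
    return evaluate(PCI_DOCS, PCI_FILTERS, PCI_BUCKETS)

if __name__ == "__main__":
    import json
    print(json.dumps(build_request(CSPM_FILTERS, CSPM_BUCKETS), indent=2))
    print(cspm_failed_by_severity())
    print(pci_flagged())
```

Passing the three login-table fields, for example `build_request([], ["@timestamp", "hostname", "message"], size=1000)`, produces the nested terms aggregations that the Bucket 1, 2 and 3 steps configure by hand; the offline evaluator is there to show, before the date range is widened or a report id filter is added, which documents the filters keep and which the buckets drop.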
Expand
titleExpand for example...

Image Modified




