Severity Resources & Threat Breakdown

The Severity Resources & Threat Breakdown report is a pie visualization that breaks resources down by severity and threat category. It is built from three nested buckets, one per ring: the innermost ring shows the severity (event.severity); the middle ring shows the assets (external_id) within each severity; the outer ring shows the threat category (threat.blocked_threat_category) for each asset.

  1. In AMP, go to the Log Search screen to access ChaosSearch.

  2. Click Visualizations.

     [Image: ChaosSearch navigation menu]

  3. Click the Create new visualization button.

     [Image: Create new visualization button]

  4. In the New Visualization pop-up, select the Pie visualization option.

     [Image: Select Pie visualization]

  5. Choose a source.

  6. Log Search refreshes to display the query screen. From here, the visualization can be configured.

     [Image: Visualization editor]

  7. Click Add filter.

     [Image: Add filter button]

  8. Populate the following filters. Field names and values are case sensitive:

     Field           Operator    Value                    Note
     type            is          carbon-black
     event.type      is one of   WATCHLIST, CB_ANALYTICS
     Data_type       is          armor-security-logs
     event.severity  is one of   8, 9, 10                 Optional: add only if you want to restrict the chart to higher severities

  9. Three buckets are needed to configure this visualization, one per ring of the pie. Under Buckets, click the Add button, making sure to select Split slices.

  10. In the Aggregation drop down, select Terms.

  11. In the Field box, enter "event.severity" or search for it.

  12. Order by, Order and Size should all remain at their default values. Properly configured, the first bucket will look like the screenshot below:

     [Image: First bucket configuration]

  13. To add the second bucket, click the Add button underneath Buckets, again selecting Split slices.

  14. In the Sub aggregation drop down, select Terms.

  15. In the Field box, enter "external_id" to select it. (External Id is the same as CoreInstanceId.)

  16. Order by, Order and Size remain at their default values. Properly configured, the second bucket will look like the screenshot below:

     [Image: Second bucket configuration]

  17. To add the third bucket, click the Add button underneath Buckets, again selecting Split slices.

  18. In the Sub aggregation drop down, select Terms.

  19. In the Field box, enter "threat.blocked_threat_category" to select it.

  20. Order by, Order and Size remain at their default values. Properly configured, the third bucket will look like the screenshot below:

     [Image: Third bucket configuration]

  21. Optional: to display labels on the slices, click the Options tab.

     [Image: Options tab]

  22. When all three buckets are configured, click the Apply Changes button.

     [Image: Apply Changes button]

  23. Set the date range for the visualization.

     1. If the range encompasses more than one report, an additional filter with the report id can be added.

     [Image: Date range filter]

  24. Save the visualization by clicking Save in the top left of the screen.

     [Image: Save button]

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.
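The procedure above is a point-and-click way of building one filtered, three-level Terms aggregation. The following is an added example, not Armor or ChaosSearch code, that makes the resulting query explicit: it renders the four filters and the three nested buckets as the Elasticsearch-style query DSL that Kibana-type editors generate, and it applies the same filter and bucketing logic locally to a handful of constructed Carbon Black events so you can see what each ring of the pie would contain, including why an event with the wrong case in `type` or an `event.type` outside the filter list is dropped. Assumptions: field names are stored as nested objects (`event.severity` is `doc["event"]["severity"]`), the default Terms settings are Count descending with size 5, the `@timestamp` field name, the `cb_event` helper, and the threat category values are all constructed for the example; whether ChaosSearch accepts this exact DSL body is not confirmed by the page.

```python
"""Added example: the Severity Resources & Threat Breakdown pie as query DSL plus a
local re-implementation of its filters and nested Terms buckets (not Armor/ChaosSearch code)."""
from collections import Counter

# Filters from the procedure. Values are case sensitive: "Carbon-Black" would not match.
FILTERS = [
    ("type", "is", "carbon-black"),
    ("event.type", "is one of", ["WATCHLIST", "CB_ANALYTICS"]),
    ("Data_type", "is", "armor-security-logs"),
]
OPTIONAL_SEVERITY_FILTER = ("event.severity", "is one of", [8, 9, 10])

# Bucket order: innermost ring first, matching the three Terms aggregations.
BUCKET_FIELDS = ["event.severity", "external_id", "threat.blocked_threat_category"]


def build_query(high_severity_only=False, time_range=None):
    """Render the filters and buckets as Elasticsearch-style query DSL.
    Terms size 5 / Count descending are the editor defaults the page says to keep;
    the '@timestamp' field name is an assumption."""
    filters = list(FILTERS) + ([OPTIONAL_SEVERITY_FILTER] if high_severity_only else [])
    must = []
    for field, op, value in filters:
        if op == "is":
            must.append({"term": {field: value}})
        else:  # "is one of"
            must.append({"terms": {field: value}})
    if time_range:
        must.append({"range": {"@timestamp": {"gte": time_range[0], "lte": time_range[1]}}})
    # Build the nesting from the outer ring inwards so each bucket splits the previous one.
    aggs = {}
    for field in reversed(BUCKET_FIELDS):
        node = {"terms": {"field": field, "size": 5, "order": {"_count": "desc"}}}
        if aggs:
            node["aggs"] = aggs
        aggs = {field: node}
    return {"size": 0, "query": {"bool": {"filter": must}}, "aggs": aggs}


def get_field(doc, dotted):
    """Resolve a dotted field name ('event.severity') against nested dicts; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(doc, filters):
    """Exact, case-sensitive comparison, the same semantics as the editor's filters."""
    for field, op, value in filters:
        actual = get_field(doc, field)
        if op == "is" and actual != value:
            return False
        if op == "is one of" and actual not in value:
            return False
    return True


def breakdown(docs, high_severity_only=False):
    """Apply the filters, then count documents per (severity, external_id, threat category)
    path. Each path is one outer-ring slice; its prefixes are the middle and inner rings."""
    filters = list(FILTERS) + ([OPTIONAL_SEVERITY_FILTER] if high_severity_only else [])
    counts = Counter()
    for doc in docs:
        if matches(doc, filters):
            counts[tuple(get_field(doc, f) for f in BUCKET_FIELDS)] += 1
    return counts


def cb_event(event_type, severity, host, category,
             doc_type="carbon-black", data_type="armor-security-logs"):
    """Constructed sample document in the layout the filters above assume (hypothetical)."""
    return {"type": doc_type, "Data_type": data_type,
            "event": {"type": event_type, "severity": severity},
            "external_id": host,
            "threat": {"blocked_threat_category": category}}


# Constructed sample events; hosts and category names are invented for the example.
SAMPLE_EVENTS = [
    cb_event("WATCHLIST", 10, "i-0001", "MALWARE"),
    cb_event("WATCHLIST", 10, "i-0001", "MALWARE"),
    cb_event("CB_ANALYTICS", 9, "i-0002", "NON_MALWARE"),
    cb_event("CB_ANALYTICS", 5, "i-0003", "NON_MALWARE"),          # dropped by optional filter
    cb_event("ALERT", 10, "i-0004", "MALWARE"),                    # event.type not in list
    cb_event("WATCHLIST", 10, "i-0005", "MALWARE", doc_type="Carbon-Black"),  # case mismatch
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(high_severity_only=True, time_range=("now-7d", "now")), indent=2))
    for path, n in sorted(breakdown(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(path, n)
```

Running the block prints the DSL body and then the slice counts: the two WATCHLIST events from the same host collapse into one outer slice with count 2, the ALERT and `Carbon-Black` events never reach the buckets, and passing `high_severity_only=True` removes the severity 5 event, which is exactly what the optional `event.severity` filter does in the editor.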