Page Comparison

1. In AMP, go to the?Log Search?screen.

2. Click on?Visualizations.

3. Click the?Create new visualization?button.

4. In the New Visualization pop up, select the?Pie Chart?visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. One bucket is needed to configure this visualization. Under Buckets, click the?Add?button, making sure to select?Split Slices.

10. In the Aggregation drop down, select?Terms.

11. In the?Field?box, enter "vulnerability.severity" or search for it.

12. Order by, Order and Size should all remain with their default values. Properly configured, the bucket configuration will look like the screenshot below:
    Image Added
    

13. When the bucket is configured, click the?Apply Changes?button.

14. Set the date range for the visualization.

15. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

16. Save the visualization by clicking?Save?in the top left of the screen.
    

Users can view previous visualizations by clicking?Visualizations?and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Data Table visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save
      

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. 4 buckets are needed to configure this visualization.

10. Bucket configuration for Bucket 1

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "host.ip" or search for it.

    4. Order by, Order and Size should all remain with their default values. Properly configured, the first bucket configuration will look like the screenshot below:
       

       Image Added

11. Bucket configuration for Bucket 2

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "vulnerability.description" or search for it.

    4. Order by, Order and Size should all remain with their default values. Properly configured, the second bucket configuration will look like the screenshot below:
       

       Image Added

12. Bucket configuration for Bucket 3

    1. Under Buckets, click the Add button, and select Split table.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "host.hostname" or search for it.

    4. Order by, Order and Size should all remain with their default values. Properly configured, the third bucket configuration will look like the screenshot below:
       

       Image Added

13. Bucket configuration for Bucket 4

    1. Under Buckets, click the Add button, and select Split rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "vulnerability.score.base" or search for it.

    4. Set Order by to "Custom Metric"

    5. Set Aggregation to Count

    6. Order and Size should all remain with their default values. Properly configured, the fourth bucket configuration will look like the screenshot below:
       

       Image Added

14. When the buckets are configured, click the Apply Changes button.

15. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

16. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Pie Chart visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

   2. Partner accountId may be 1 or another number. Select the source matching the customer account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. One bucket is needed to configure this visualization. Under Buckets, click the Add button, making sure to select Split Slices.

10. In the Aggregation drop down, select Date Histogram.

11. In the Field box, enter "vulnerability.first_found" or search for it.

12. Set the value in the Minimum interval box to Weekly

13. A custom label of Week First Found can be added

14. Properly configured, the bucket configuration will look like the screenshot below:
    

    Image Added

15. When the bucket is configured, click the Apply Changes button.

16. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

17. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Vertical Bar visualization option.

5. Choose a source

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. Two filters will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below.
      

      Image Added

   3. Set the filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. Two buckets are needed to configure this visualization.

10. Under Buckets, click the Add button and select X-Axis

11. In the Aggregation drop down, select Terms.

12. In the Field box, enter "host.hostname" or search for it.

13. Order by, Order and Size should all remain with their default values. Properly configured, the first bucket configuration will look like the screenshot below:
    

    Image Added

14. For the second bucket, click the Add button

15. Select Split Series and In the Aggregation drop down, select Terms.

16. In the Field box, enter "vulnerability.severity" or search for it.

17. Order by = Alphabetical, Order and Size should all remain with their default values. A custom label of Severity can be added.

18. Properly configured, the second bucket configuration will look like the screenshot below:
    

    Image Added

19. When the buckets are configured, click the Apply Changes button.

20. Set the date range for the visualization.

21. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

22. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Vertical Bar visualization option.

5. Choose a source

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. Three filters will be applied to this visualization:

   1. Click on Add filter

   2. Set the first filter up as seen below.
      

      Image Added

   3. Set the second filter up as seen below
      

      Image Added

   4. Set the last filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save
      

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. Two buckets are needed to configure this visualization.

10. Under Buckets, click the Add button and select X-Axis

11. In the Aggregation drop down, select Terms.

12. In the Field box, enter "host.hostname" or search for it.

13. Order by = Metric: Vulnerability Count by Severity

14. Order = Descending

15. Size can vary but for this example it is set to 200

16. A custom lable of Hosts can be added

17. Properly configured, the first bucket configuration will look like the screenshot below:
    

    Image Added

18. For the second bucket, click the Add button

19. Select Split Series and In the Aggregation drop down, select Terms.

20. In the Field box, enter "vulnerability.severity" or search for it.

21. Order by = Alphabetical, Order and Size should all remain with their default values. A custom label of Severity can be added.

22. Properly configured, the second bucket configuration will look like the screenshot below:
    

    Image Added

23. When the buckets are configured, click the Apply Changes button.

24. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

25. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. Click on Visualizations.

2. Click the Create new visualization button.

3. In the New Visualization pop up, select the Vertical Bar visualization option.

4. Choose a source
   

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
      

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

5. Log Search will refresh to display the query screen. From here, the visualization can be configured.

6. Two filters will be applied to this visualization:

   1. Click on Add filter

   2. Set the first filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save
      

      Image Added

   3. Set the second filter up as seen below
      
      

7. Under metrics this should already be set to Y-axis Count. No change is needed.

8. Two buckets are needed to configure this visualization.

9. Under Buckets, click the Add button and select X-Axis

10. In the Aggregation drop down, select Terms.

11. In the Field box, enter "host.hostname" or search for it.

12. Order by, Order and Size should all remain with their default values. Properly configured, the first bucket configuration will look like the screenshot below:
    

    Image Added

13. For the second bucket, click the Add button

14. Select Split Series and In the Aggregation drop down, select Terms.

15. In the Field box, enter "vulnerability.severity" or search for it.

16. Order by should be set to Alphabetical, Order and Size can remain with their default values. A custom label of Severity can be added. Properly configured, the second bucket configuration will look like the screenshot below:
    

    Image Added

17. When the buckets are configured, click the Apply Changes button.

18. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

19. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Data Table visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save
      

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. 3 buckets are needed to configure this visualization.

10. Bucket configuration for Bucket 1

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Date Histogram.

    3. In the Field box, enter "vulnerability.first_found" or search for it.

    4. In the Minimum Interval box, select Daily

    5. A custom label of First Report Containing Vulnerability can be set

    6. Properly configured, the first bucket configuration will look like the screenshot below:
       

       Image Added

11. Bucket configuration for Bucket 2

    1. Under Buckets, click the Add button, and select Split rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "vulnerability.description" or search for it.

    4. Order by, Order should remain with their default values.

    5. Size can vary, but for this example it is set to 50

    6. A custom label of Vulnerability Description can be set

    7. Properly configured, the second bucket configuration will look like the screenshot below:
       

       Image Added

12. Bucket configuration for Bucket 3

    1. Under Buckets, click the Add button, and select Split rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "vulnerability.id" or search for it.

    4. Order by = Alphabetical, Order and Size should all remain with their default values.

    5. Properly configured, the third bucket configuration will look like the screenshot below:
       

       Image Added

13. When the buckets are configured, click the Apply Changes button.

14. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Pie Chart visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save
      

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. One bucket is needed to configure this visualization. Under Buckets, click the Add button, making sure to select Split Slices.

10. In the Aggregation drop down, select Terms.

11. In the Field box, enter "host.os.full" or search for it.

12. Order by, Order and Size should all remain with their default values.

13. A custom label of Operating System can be set

14. Properly configured, the bucket configuration will look like the screenshot below:
    

    Image Added

15. When the bucket is configured, click the Apply Changes button.

16. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

17. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Line visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

   2. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save
      

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. One bucket is needed to configure this visualization

10. Under Buckets, click the Add button and select X-Axis

11. In the Aggregation drop down, select Date Histogram.

12. In the Field box, enter "@timestamp" or search for it.

13. In the Minimum Interval box, select Daily

14. A custom label of Vulnerability Report Date can be set

15. Properly configured, the bucket configuration will look like the screenshot below:
    

    Image Added

16. When the bucket is configured, click the Apply Changes button.

17. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Line visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

   2. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. Two filters will be applied to this visualization:

   1. Click on Add filter

   2. Set the first filter up as seen below. You will have to manually type in "ecs-1.5.0-vulnerability in the Value field and click Save
      

      Image Added

   3. Set the second filter up as seen below. You will have to manually type in 3, 4 and 5. These are the severity levels
      

      Image Added

8. Under metrics this should already be set to Y-axis Count. No change is needed.

9. One bucket is needed to configure this visualization

10. Under Buckets, click the Add button and select X-Axis

11. In the Aggregation drop down, select Date Histogram.

12. In the Field box, enter "@timestamp" or search for it.

13. In the Minimum Interval box, select Daily

14. A custom label of Vulnerability Report Date can be set

15. Properly configured, the bucket configuration will look like the screenshot below:
    

    Image Added

16. When the bucket is configured, click the Apply Changes button.

17. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Line visualization option.

5. Choose a source.

6. 1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

7. Log Search will refresh to display the query screen. From here, the visualization can be configured.

8. One filter will be applied to this visualization:

9. 1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "trend-hids" in the Value field and click Save
      

      Image Added

10. Under metrics this should already be set to Y-axis Count. No change is needed.

11. One bucket is needed to configure this visualization

12. Under Buckets, click the Add button and select X-Axis

13. In the Aggregation drop down, select Date Histogram.

14. In the Field box, enter "@timestamp" or search for it.

15. In the Minimum Interval box, select Daily

16. A custom label of Date can be set

17. Properly configured, the bucket configuration will look like the screenshot below:
    

    Image Added

18. When the bucket is configured, click the Apply Changes button.

19. Set the date range for the visualization.

20. 1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

21. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Line visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "trend-hids" in the Value field and click Save
      

      Image Added

8. Under metrics this should already be set to Metric Count. No change is needed.

9. One bucket is needed to configure this visualization

10. Under Buckets, click the Add button and select Split rows

11. In the Aggregation drop down, select Terms.

12. In the Field box, enter "parsed.trendmicro.name" or search for it.

13. Order by = Metric: Count, Order = Descending, Size = 10

14. A custom label of IDS Event Type Name can be set

15. Properly configured, the bucket configuration will look like the screenshot below:
    

    Image Added

16. When the bucket is configured, click the Apply Changes button.

17. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Vertical Bar visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the filter up as seen below. You will have to manually type in "trend-hids" in the Value field and click Save
      

      Image Added

8. Under metrics this should already be set to Y-Axis Count. No change is needed.

9. One bucket is needed to configure this visualization

10. Under Buckets, click the Add button and select X-Axis

11. In the Aggregation drop down, select Terms.

12. In the Field box, enter "hostname" or search for it.

13. Order by, Order, & Size leave at default

14. A custom label of Hostname can be set

15. Properly configured, the bucket configuration will look like the screenshot below:
    

    Image Added

16. When the bucket is configured, click the Apply Changes button.

17. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

18. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Data Table visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. Three filters will be applied to this visualization:

   1. Click on Add filter

   2. Set the first filter up as seen below
      

      Image Added

   3. Set the second filter up as seen below
      

      Image Added

   4. Set the third filter up as seen below
      

      Image Added

8. Under metrics this should already be set to Metric Count. No change is needed.

9. One bucket is needed to configure this visualization.

10. Bucket configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "src_geo.country_name" or search for it.

    4. Order = Descending and Size =10 (can vary depending on how long you want the list)

    5. A custom label of Location can be added

    6. Properly configured, the bucket configuration will look like the screenshot below:
       

       Image Added

11. When the buckets are configured, click the Apply Changes button.

12. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

13. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Data Table visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the first filter up as seen below. The value in Field is wineventlog.event_id
      

      Image Added

8. Under metrics this should already be set to Metric Count. No change is needed.

9. Three buckets are needed to configure this visualization.

10. Bucket 1 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "@timestamp" or search for it.

    4. Order = Descending and Size =5 (can vary depending on how long you want the list)

    5. Properly configured, the first bucket configuration will look like the screenshot below:
       

       Image Added

11. Bucket 2 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "hostname" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the second bucket configuration will look like the screenshot below:
       

       Image Added

12. Bucket 3 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "message" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the third bucket configuration will look like the screenshot below:
       

       Image Added

13. When the buckets are configured, click the Apply Changes button.

14. Set the date range for the visualization.

15. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

16. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Data Table visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. One filter will be applied to this visualization:

   1. Click on Add filter

   2. Set the first filter up as seen below. The value in Field is wineventlog.event_id
      

      Image Added

8. Under metrics this should already be set to Metric Count. No change is needed.

9. Three buckets are needed to configure this visualization.

10. Bucket 1 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "@timestamp" or search for it.

    4. Order = Descending and Size =5 (can vary depending on how long you want the list)

    5. Properly configured, the first bucket configuration will look like the screenshot below:
       

       Image Added

11. Bucket 2 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "hostname" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the second bucket configuration will look like the screenshot below:
       

       Image Added

12. Bucket 3 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "message" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the third bucket configuration will look like the screenshot below:
       

       Image Added

13. When the buckets are configured, click the Apply Changes button.

14. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Data Table visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. Two filters will be applied to this visualization:

   1. Click on Add Filter

   2. Set the first filter up as seen below
      

      Image Added

   3. Set the second filter up as seen below
      

      Image Added

8. Under metrics this should already be set to Metric Count. No change is needed.

9. Three buckets are needed to configure this visualization.

10. Bucket 1 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "@timestamp" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the first bucket configuration will look like the screenshot below:
       

       Image Added

11. Bucket 2 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "hostname" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the second bucket configuration will look like the screenshot below:
       

       Image Added

12. Bucket 3 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "message" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the third bucket configuration will look like the screenshot below:
       

       Image Added

13. When the buckets are configured, click the Apply Changes button.

14. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. In the New Visualization pop up, select the Data Table visualization option.

5. Choose a source.

   1. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

      1. Partner accountId may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

7. Two filters will be applied to this visualization:

   1. Click on Add filter

   2. Set the first filter up as seen below
      Image Added
      

   3. Set the second filter up as seen below
      

      Image Added

8. Under metrics this should already be set to Metric Count. No change is needed.

9. Three buckets are needed to configure this visualization.

10. Bucket 1 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "@timestamp" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the first bucket configuration will look like the screenshot below:
       

       Image Added

11. Bucket 2 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "hostname" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the second bucket configuration will look like the screenshot below:
       

       Image Added

12. Bucket 3 configuration

    1. Under Buckets, click the Add button, and select Split Rows.

    2. In the Aggregation drop down, select Terms.

    3. In the Field box, enter "message" or search for it.

    4. Order = Descending and Size =1000 (can vary depending on how long you want the list)

    5. Properly configured, the third bucket configuration will look like the screenshot below:
       

       Image Added

13. When the buckets are configured, click the Apply Changes button.

14. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added to narrow down the results if desired.

15. Save the visualization by clicking Save in the top left of the screen.

Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.

1. In AMP, go to the Log Search

2. Click on Visualizations.

3. Click the Create new visualization

4. Select "Create new visualization" and scroll down and select "Data Table"

5. In sources, select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

6. Partner account Id may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

7. Log Search will refresh to display the query screen. From here, the visualization can be configured.

8. Under "Buckets", select "Add" and then "Split Rows"
   

   Image Added

9. Select "Terms" for the Aggregation, and type in "vulnerability.pci_flag" for the field and hit the blue arrow at the top of the box
   

   Image Added

10. Next, select "+Add filter" , and type "vulnerability.description" for Field, "Exists" as the Operator and hit "Save"
    

    Image Added

11. Add another filter by selecting ''+Add filter", and type ''vulnerability.pci_flag" for Field, and "is" for Operator. Type the number "1" in Value and hit "Save"
    

    Image Added

12. Make sure to adjust the time if you are not getting any data to populate.

13. Don't forget to save your Visualization at the top left.

1. In AMP, go to the Log Search screen.

2. Click on Visualizations.

3. Click the Create new visualization button.

4. Select "Create new visualization" and scroll down and select "Pie"

5. Choose a

6. In sources select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.

7. Partner account Id may be 1 or another number. Select the source matching the account number in the top right corner of the AMP page or listed on the Account page followed by "_customer".

8. Log Search will refresh to display the query screen. From here, the visualization can be configured.

9. Click "Add filter" to filter to the failed report data:

10. Type ''event.outcome" in Operator is ''is'', and Value is "FAIL". Then hit ''Save"
    

    Image Added

    
    

    1. (If you receive an error, change the time field to the last 30 days to expand your search)

11. Navigate to Buckets, add bucket and select "Split slices"
    

    Image Added

12. Aggregation= Terms, type ''event.severity'' for Field
    

    Image Added

    1. To confirm those changes, click the blue box with a triangle:
       

       Image Added

13. Don't forget to save your Visualization at the top left