The Vulnerability Distribution by Severity report will show you the count of vulnerabilities by severity value.
In AMP, go to the Log Search screen.
Click on Visualizations.
Click the Create new visualization button.
In the New Visualization pop-up, select the Pie Chart visualization option.
Choose a source.
In Sources, select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
The partner accountId may be 1 or another number. Select the source matching the account number shown in the top right corner of the AMP page (or listed on the Account page) followed by "_customer".
Log Search will refresh to display the query screen. From here, the visualization can be configured.
One filter will be applied to this visualization:
Click on Add filter.
Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
Under Metrics, the metric should already be set to Y-axis Count. No change is needed.
One bucket is needed to configure this visualization. Under Buckets, click the Add button, making sure to select Split Slices.
In the Aggregation drop-down, select Terms.
In the Field box, enter "vulnerability.severity" or search for it.
Order by, Order and Size should all remain at their default values. Properly configured, the bucket configuration will look like the screenshot below:
When the bucket is configured, click the Apply Changes button.
Set the date range for the visualization.
If the range encompasses more than one report, an additional filter on the report ID can be added to narrow down the results.
Save the visualization by clicking Save in the top left of the screen.
Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.
Vulnerability by Host
The Vulnerability by Host report will show you the top vulnerabilities by hostname.
In AMP, go to the Log Search screen.
Click on Visualizations.
Click the Create new visualization button.
In the New Visualization pop-up, select the Data Table visualization option.
Choose a source.
In Sources, select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
The partner accountId may be 1 or another number. Select the source matching the account number shown in the top right corner of the AMP page (or listed on the Account page) followed by "_customer".
Log Search will refresh to display the query screen. From here, the visualization can be configured.
One filter will be applied to this visualization:
Click on Add filter.
Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
Under Metrics, the metric should already be set to Y-axis Count. No change is needed.
Four buckets are needed to configure this visualization.
Bucket configuration for Bucket 1
Under Buckets, click the Add button, and select Split Rows.
In the Aggregation drop-down, select Terms.
In the Field box, enter "host.ip" or search for it.
Order by, Order and Size should all remain with their default values. Properly configured, the first bucket configuration will look like the screenshot below:
Bucket configuration for Bucket 2
Under Buckets, click the Add button, and select Split Rows.
In the Aggregation drop-down, select Terms.
In the Field box, enter "vulnerability.description" or search for it.
Order by, Order and Size should all remain with their default values. Properly configured, the second bucket configuration will look like the screenshot below:
Bucket configuration for Bucket 3
Under Buckets, click the Add button, and select Split Table.
In the Aggregation drop-down, select Terms.
In the Field box, enter "host.hostname" or search for it.
Order by, Order and Size should all remain with their default values. Properly configured, the third bucket configuration will look like the screenshot below:
Bucket configuration for Bucket 4
Under Buckets, click the Add button, and select Split Rows.
In the Aggregation drop-down, select Terms.
In the Field box, enter "vulnerability.score.base" or search for it.
Set Order by to "Custom Metric".
Set the custom metric's Aggregation to Count.
Order and Size should both remain at their default values. Properly configured, the fourth bucket configuration will look like the screenshot below:
When the buckets are configured, click the Apply Changes button.
Set the date range for the visualization.
If the range encompasses more than one report, an additional filter on the report ID can be added to narrow down the results.
Save the visualization by clicking Save in the top left of the screen.
Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.
Vulnerability Distribution by First Found
The Vulnerability Distribution by First Found report will show you the vulnerabilities by the date they were first discovered.
In AMP, go to the Log Search screen.
Click on Visualizations.
Click the Create new visualization button.
In the New Visualization pop-up, select the Pie Chart visualization option.
Choose a source.
In Sources, select <PARTNER_ACCT_ID>_<CUSTOMER_ACCT>_customer.
The partner accountId may be 1 or another number. Select the source matching the customer account number shown in the top right corner of the AMP page (or listed on the Account page) followed by "_customer".
Log Search will refresh to display the query screen. From here, the visualization can be configured.
One filter will be applied to this visualization:
Click on Add filter.
Set the filter up as seen below. You will have to manually type "ecs-1.5.0-vulnerability" in the Value field and click Save.
Under Metrics, the metric should already be set to Y-axis Count. No change is needed.
One bucket is needed to configure this visualization. Under Buckets, click the Add button, making sure to select Split Slices.
In the Aggregation drop-down, select Date Histogram.
In the Field box, enter "vulnerability.first_found" or search for it.
Set the value in the Minimum interval box to Weekly.
A custom label of "Week First Found" can be added.
Properly configured, the bucket configuration will look like the screenshot below:
When the bucket is configured, click the Apply Changes button.
Set the date range for the visualization.
If the range encompasses more than one report, an additional filter on the report ID can be added to narrow down the results.
Save the visualization by clicking Save in the top left of the screen.
Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.
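As an added example (not AMP's own code or part of the original article), the Python below reproduces, over a handful of constructed ECS-style events, the three aggregations configured in the Severity, Host and First Found procedures above: the Terms bucket on vulnerability.severity, the per-host Data Table split on host.hostname, and the weekly Date Histogram on vulnerability.first_found. The page shows the filter's field only in a screenshot, so event.dataset is assumed here as the field that carries the "ecs-1.5.0-vulnerability" value.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
# Assumption: the article shows the filter's field only in a screenshot; event.dataset is used here.
FILTER_FIELD, FILTER_VALUE = "event.dataset", "ecs-1.5.0-vulnerability"

def vuln(hostname, ip, severity, description, base, first_found):
    """One constructed ECS-style vulnerability event (all values made up for this example)."""
    return {"event": {"dataset": FILTER_VALUE}, "host": {"hostname": hostname, "ip": ip},
            "vulnerability": {"severity": severity, "description": description,
                              "score": {"base": base}, "first_found": first_found}}
EVENTS = [
    vuln("web-01", "10.0.0.5", "High", "Outdated OpenSSL", 7.5, "2024-03-04"),
    vuln("web-01", "10.0.0.5", "Medium", "Weak TLS cipher suites", 5.3, "2024-03-06"),
    vuln("db-01", "10.0.0.9", "High", "Outdated OpenSSL", 7.5, "2024-03-12"),
    vuln("db-01", "10.0.0.9", "Low", "Banner disclosure", 3.1, "2024-03-15"),
    # A non-vulnerability event from the same source, which the filter must drop.
    {"event": {"dataset": "ecs-1.5.0-syslog"}, "host": {"hostname": "web-01", "ip": "10.0.0.5"}},
]

def field(doc, dotted):
    """Resolve an ECS dotted field name such as 'vulnerability.score.base' (None if absent)."""
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def vulnerability_events(events):
    """The single filter every visualization on this page applies."""
    return [e for e in events if field(e, FILTER_FIELD) == FILTER_VALUE]

def severity_distribution(events, size=5):
    """Pie Chart: Terms bucket on vulnerability.severity, metric Count, default Size of 5."""
    counts = Counter(field(e, "vulnerability.severity") for e in vulnerability_events(events))
    return dict(counts.most_common(size))

def vulnerability_by_host(events):
    """Data Table: a table per host.hostname (Split Table), rows per ip/description/score with Count."""
    tables = defaultdict(Counter)
    for e in vulnerability_events(events):
        row = (field(e, "host.ip"), field(e, "vulnerability.description"),
               field(e, "vulnerability.score.base"))
        tables[field(e, "host.hostname")][row] += 1
    return {host: dict(rows) for host, rows in tables.items()}

def first_found_by_week(events):
    """Pie Chart: Date Histogram on vulnerability.first_found, Weekly; slices keyed by each week's Monday."""
    weeks = Counter()
    for e in vulnerability_events(events):
        d = date.fromisoformat(field(e, "vulnerability.first_found"))
        weeks[(d - timedelta(days=d.weekday())).isoformat()] += 1
    return dict(weeks)
```

Running the three functions over EVENTS gives the slice, row and week counts the corresponding visualizations would render for the same data.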
Top 5 Hosts by Count of High Severity Vulnerabilities
The Top 5 Hosts by Count of High Severity Vulnerabilities report will show you the top 5 hosts by their count of high severity vulnerabilities.
Top 5 Hosts by Count of Vulnerabilities
The Top 5 Hosts by Count of Vulnerabilities report will show you the top 5 hosts by their total count of vulnerabilities.
Top 5 Hosts by Count of Net New Vulnerabilities
The Top 5 Hosts by Count of Net New Vulnerabilities report will show you the top 5 hosts by their count of net new vulnerabilities.
Vulnerabilities Sorted from First to Last Discovered
The Vulnerabilities Sorted from First to Last Discovered report will show you a data table of all vulnerabilities sorted by discovery date, from first to last.
Vulnerability Distribution by OS
The Vulnerability Distribution by OS report will show you the vulnerabilities by operating system type.
Count of Vulnerabilities by Report Date
The Count of Vulnerabilities by Report Date report will show you a line graph of the vulnerability count by report date.
Count of High Severity Vulnerabilities by Report Date
The Count of High Severity Vulnerabilities by Report Date report will show you a line graph of the count of high severity vulnerabilities by report date.
Count of IDS Events
The Count of IDS Events report will show you a line graph of the count of IDS events.
Top 10 IDS Event Types
The Top 10 IDS Event Types report will show you a data table of the top 10 types of IDS event.
Top 5 Systems by IDS Event Count
The Top 5 Systems by IDS Event Count report will show you a vertical bar graph of the top 5 systems by their total count of IDS events.
Security - IPRM Location
The Security - IPRM Location report will show you a data table of geographic country locations and the count of security events coming from each country.
Windows Successful Logins
The Windows Successful Logins report will show you a data table listing the hostname, timestamp and log message for successful logins on Windows systems.
Windows Failed Logins
The Windows Failed Logins report will show you a data table listing the hostname, timestamp and log message for failed logins on Windows systems.
Linux Successful Logins
The Linux Successful Logins report will show you a data table listing the hostname, timestamp and log message for successful logins on Linux systems.
Linux Failed Logins
The Linux Failed Logins report will show you a data table listing the hostname, timestamp and log message for failed logins on Linux systems.
PCI Flagged Vulnerabilities
CSPM: Failed by Severity
The CSPM: Failed by Severity visualization is a pie chart that displays failed reports by severity.