Adding a Table to Display Sensors with the Most Events
To add a table that displays the top 5 sensors with the most events to your custom dashboard:
- Click the Visualize menu and locate the Custom menu block.
- Click the dashboard you want to edit. The dashboard appears.
- Click Edit. The display switches to the editing canvas.
- Click New table. The Chart Builder dialog box appears.
- Enter the Chart Name. Ours is Top 5 Sensor IDs. This field does not support multibyte characters. Special characters are not permitted in name fields for Queries, Lookup lists, Reports, and Dashboards; letters, numbers, underscores, spaces, dashes, and periods are permitted.
- Choose the Tenant. We chose All Tenants.
- Choose the Indices. We chose Security Events.
- Leave the Query as None. The query is optional.
- Choose Groupings for the Table Type.
- Click Next. The Groupings tab appears.
- Click + Add Grouping twice so that you have a total of three groupings. Groupings are processed sequentially, each one operating on the output of the one before it, and you can move them to change the order.
- Open the Column 1 grouping.
- Enter a more descriptive Column Label. We chose IP Address.
- Choose Filter for the Aggregation.
- Click + Query String Filter.
- Name the filter srcip exists.
- Enter _exists_:srcip for the Query String.
- Click + Filter.
- Name the filter dstip exists.
- Choose dstip for the Field.
- Choose field exists for the Operator.
- Open the Column 2 grouping.
- Enter a Column Label. We chose Sensor engid.
- For the remaining fields:
  - Aggregation: Term
  - Field: engid
  - Metric: Count
  - Order: Descending
  - Size: 5 (this limits the table to the five engid values with the highest event counts)
- Open the Column 3 grouping.
- Enter a Column Label. We chose Number of IPs.
- For the remaining fields:
  - Aggregation: Metric
  - Metric: Count
- Click Next. The Options tab appears.
- Click Submit. The table is added and the editing canvas appears.
- Click Save. The dashboard appears with your new table.
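The three groupings above form a pipeline: a filter that keeps only events carrying both IP fields, a term bucket per sensor ordered by count and cut to five, and the count itself. The following is an added example, not the product's own code or output. It assumes the backend accepts an Elasticsearch-style aggregation DSL (the `_exists_:srcip` query-string syntax on the page suggests this, but the product's real query is not shown), that the two filters under Column 1 combine as AND, and that events without an `engid` value simply get no bucket. The sample events, sensor names and IP addresses are constructed.

```python
"""Hypothetical re-creation of the 'Top 5 Sensor IDs' table: the equivalent
Elasticsearch-style aggregation body, plus an in-memory evaluation of the
same three groupings over constructed sample events. Example code, not the
product's own; the DSL mapping and the AND semantics of the Column 1 filters
are assumptions."""
import json
from collections import Counter


def _event(engid, srcip="10.0.0.1", dstip="10.0.0.9"):
    """Build one constructed sample event; pass None to leave a field out."""
    fields = {"engid": engid, "srcip": srcip, "dstip": dstip}
    return {k: v for k, v in fields.items() if v is not None}


# Constructed sample events ("engid" is the sensor id). Seven sensors are
# present so that the Size: 5 limit actually truncates something.
SAMPLE_EVENTS = (
    [_event("sensor-A")] * 4
    + [_event("sensor-B")] * 3
    + [_event("sensor-B", dstip=None)] * 2   # no dstip: dropped by Column 1
    + [_event("sensor-C")] * 3
    + [_event("sensor-D")] * 2
    + [_event("sensor-E")]
    + [_event("sensor-F", srcip=None)] * 2   # no srcip: sensor-F disappears
    + [_event("sensor-G")]
    + [_event(None)]                         # both IPs but no engid: no bucket
)


def top_sensors_query(size=5):
    """Aggregation body equivalent to the three groupings (assumed mapping):
    Column 1 Filter -> Column 2 Term on engid -> Column 3 Count."""
    return {
        "size": 0,                           # buckets only, no hits
        "aggs": {
            "ip_address": {                  # Column 1: Filter aggregation
                "filter": {
                    "bool": {
                        "filter": [          # both must match (assumed AND)
                            {"query_string": {"query": "_exists_:srcip"}},
                            {"exists": {"field": "dstip"}},
                        ]
                    }
                },
                "aggs": {
                    "sensor_engid": {        # Column 2: Term aggregation
                        "terms": {
                            "field": "engid",
                            "size": size,
                            "order": {"_count": "desc"},
                        }
                        # Column 3 (Metric: Count) is each bucket's doc_count.
                    }
                },
            }
        },
    }


def evaluate_top_sensors(events, size=5):
    """Apply the same pipeline in memory; return [(engid, count), ...]."""
    # Column 1: keep only events where both srcip and dstip are present.
    kept = [e for e in events
            if e.get("srcip") is not None and e.get("dstip") is not None]
    # Column 2: bucket by engid; events without engid get no bucket.
    counts = Counter(e["engid"] for e in kept if "engid" in e)
    # Column 3: the bucket count; sort descending, break ties by engid,
    # then cut to the requested size.
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:size]


if __name__ == "__main__":
    print(json.dumps(top_sensors_query(), indent=2))
    for engid, count in evaluate_top_sensors(SAMPLE_EVENTS):
        print(f"{engid:10} {count}")
```

Run it to see both the aggregation body and the resulting five rows. Two points worth checking against your own data: sensor-B has five events but counts only three, because the Column 1 filter runs before the Term grouping; and sensor-B and sensor-C tie at three, where the in-memory version breaks the tie by engid for a deterministic result while the product may order tied sensors differently.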