Adding a Table to Display Sensors with the Most Events
This example illustrates how to add a table that displays the top five sensors with the most events to your custom dashboard.
For detailed explanations of the settings in this example, see Custom Dashboard Components.
- Select Dashboards | CUSTOM and select the dashboard you want to edit. The dashboard appears.
- Select Open in Visualizer and then select Edit. The display switches to the editing canvas.
- Select New table. The Chart Builder dialog box appears with the Chart Type section on display and Table selected.
- Select Next to enter the General section and enter the following settings:
  - Chart Name: Top 5 Sensor IDs
  - Tenant: All Tenants
  - Indices: Alerts
  - Table Type: Groupings
- Select Next to advance to the Query section, leave Query as None, and select Next again. The Groupings section appears.
- Select + Add Grouping twice to create a total of three groupings. The groupings are processed sequentially, and you can rearrange them to change the configuration.
- Expand the Column 1 grouping and enter the following:
  - Column Label: IP Address
  - Aggregation: Filter
- Select + Query String Filter and enter the following:
  - Custom name for filter: srcip exists
  - Query String: _exists_:srcip
- Select + Filter and enter the following to define it:
  - Custom name for filter: dstip exists
  - Field: dstip; Operator: field exists
- Expand the Column 2 grouping and enter the following:
  - Column Label: Sensor engid
  - Aggregation: Term; Field: engid
  - Metric: Count
  - Order: Descending
  - Size: 5
- Expand the Column 3 grouping and enter the following:
  - Column Label: Number of IP Addresses
  - Aggregation: Metric; Metric: Count
- Select Next to save your configuration and advance to the Options section.
- Leave Rows per Page at 20 and Filter by event status enabled, and then select Submit. Stellar Cyber adds the table and displays it on the editing canvas.
- Select Save. The dashboard appears with your new table.
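
To cross-check the table against exported alert records, the three groupings can be modeled offline. This is an added example, not Stellar Cyber code: it assumes each named filter in Column 1 produces its own group of rows and that count ties break alphabetically by engid, and the sample records are constructed; only the field names srcip, dstip and engid come from the steps above.

```python
from collections import Counter

# Constructed sample data: (engid, alerts with both IPs, srcip only, dstip only).
SPEC = [
    ("sensor-a", 4, 1, 0), ("sensor-b", 3, 0, 2), ("sensor-c", 2, 2, 0),
    ("sensor-d", 2, 0, 0), ("sensor-e", 1, 1, 1), ("sensor-f", 1, 0, 0),
    ("sensor-g", 0, 0, 3),
]
ALERTS = []
for engid, both, src_only, dst_only in SPEC:
    ALERTS += [{"engid": engid, "srcip": "192.0.2.10", "dstip": "198.51.100.20"}] * both
    ALERTS += [{"engid": engid, "srcip": "192.0.2.10"}] * src_only
    ALERTS += [{"engid": engid, "dstip": "198.51.100.20"}] * dst_only

# Column 1 (Aggregation: Filter). Assumption: one bucket per named filter,
# so an alert with both fields is counted under both names.
FILTERS = {
    "srcip exists": lambda a: a.get("srcip") is not None,  # _exists_:srcip
    "dstip exists": lambda a: a.get("dstip") is not None,  # field exists
}


def top_sensors(alerts, size=5):
    """Return (filter name, engid, count) rows, one per table row."""
    rows = []
    for name, matches in FILTERS.items():
        # Column 2 (Term on engid): count matching alerts per sensor.
        counts = Counter(a["engid"] for a in alerts if matches(a) and a.get("engid"))
        # Order: Descending, Size: 5. Tie-break by engid is an assumption.
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:size]
        # Column 3 (Metric: Count) is the per-bucket count.
        rows.extend((name, engid, n) for engid, n in ranked)
    return rows


if __name__ == "__main__":
    for row in top_sensors(ALERTS):
        print("{:<14} {:<10} {}".format(*row))
```

With seven sensors in the sample, the Size setting drops the lowest-count sensors from each filter group, which is the behavior to look for when a sensor you expect is missing from the dashboard table.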
