FAZ - Geoloc report
I would like to process a report of IPS attacks sorted by geolocation (country) for the customer. I'm not familiar with SQL - can I request a sample dataset or chart?
FAZ 7.2
Thank you. Jirka
Hey Jirka,
I haven't really had opportunities to test it, but something like this probably:
select srccountry, attack, severity, ref, sum(totalnum) as totalnum
from ###(
  select srccountry, attack, severity, ref, count(*) as totalnum
  from $log
  where $filter and nullifna(attack) is not null
  group by srccountry, attack, severity, ref
  order by totalnum desc
)### t
where severity='critical'
group by srccountry, attack, severity, ref
order by totalnum desc
Original dataset is 'App-Risk-Top-Critical-Threat-Vectors'; I added 'srccountry'.
-> you would have to clone the dataset I mentioned above, or create a new one and paste the text in
-> you would need a new chart and map the columns accordingly (the original chart for the original dataset is "Top Critical Severity IPS Events")
-> there are other datasets/charts for other severities, which you can modify in the same vein (add 'srccountry' in the same places)
If there are other IPS charts that give you a better overview, you can do something very much the same:
- clone the dataset
- add 'srccountry' in each 'select <> from' section
- add 'srccountry' to each 'group by <>' section
- clone the chart
- add a new column to map 'srccountry' to it
-> please note that charts of type drill-down are somewhat rigid and difficult to modify, I would NOT recommend trying to clone and change one of those if you're just starting out with customizing charts and datasets
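A per-country rollup built on the same inner query, as an added example that is not part of the original reply and has not been run on a FortiAnalyzer. It assumes the outer query can aggregate the cached result by 'srccountry' and 'severity' alone, and it uses only the fields and macros already shown in the reply.

```sql
-- Added example: IPS event totals per source country and severity.
-- The inner ###( ... )### query is unchanged from the reply above, so it
-- still counts events per srccountry/attack/severity/ref.
select
  srccountry,
  severity,
  sum(totalnum) as totalnum        -- roll the per-attack counts up to the country level
from ###(
  select srccountry, attack, severity, ref, count(*) as totalnum
  from $log
  where $filter and nullifna(attack) is not null
  group by srccountry, attack, severity, ref
  order by totalnum desc
)### t
-- no "where severity='critical'" here: all severities are kept and shown as a column
group by srccountry, severity
order by totalnum desc
```

A table chart for this dataset would map three columns: 'srccountry', 'severity' and 'totalnum'.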