Policy events | metadata.eventType = UserActivityAuditEvent | metadata.customerIDString = ?cid | event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) | count()
| Gauge |
Detections | metadata.eventType=DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid |SensorId := event.SensorId| ComputerName:=event.ComputerName|User:=event.UserName|DetectName:=event.DetectName|Severity:=event.SeverityName|LocalIP:=event.LocalIP|Tactic:=event.Tactic|Technique:= event.Technique| Description:= event.DetectDescription|Objective:=event.Objective |table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])
| Table |
Policy events by Users |
Displays aggregated, policy-related events by user using metadata.
metadata.eventType = UserActivityAuditEvent | metadata.customerIDString = ?cid| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) |User:=event.UserId|groupby(User)|events:=rename(_count)
| Pie Chart |
Techniques over Time | metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|timechart(span=1h, event.Technique)
| Time Chart |
Detection Events | metadata.eventType = DetectionSummaryEvent|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|count("metadata.eventType")
| Gauge |
Firewall Events | * | metadata.eventType=FirewallMatchEvent |select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])
| Table |
Outbound Blocked Requests | * | metadata.eventType=FirewallMatchEvent | event.RuleId = 1|sankey(source="event.LocalAddress",target="event.RemoteAddress")
| Sankey |
Blocked Requests - Outbound | * | metadata.eventType=FirewallMatchEvent event.RuleId=1|count()
| Gauge |
Detections by Technique | metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|top(event.Technique)
| Bar Chart |
Detection by Tactic | metadata.eventType=DetectionSummaryEvent |groupby(event.Tactic)
| Bar Chart |
Tactic over Time | metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|timechart(span=1h, event.Tactic)
| Time Chart |
User Activity by ServiceName | * | metadata.eventType=UserActivityAuditEvent|metadata.customerIDString = ?cid|groupby(event.ServiceName)
| Bar Chart |
Policy events types | metadata.eventType = UserActivityAuditEvent | metadata.customerIDString = ?cid|event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) | groupby(event.OperationName)
| Pie Chart |
Tactics | metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|top(event.Tactic)
| Pie Chart |
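The detection widgets above (Detections table, Techniques over Time, Detection Events, Detections by Technique, Detection by Tactic, Tactic over Time, Tactics) share one filter and three aggregations: table(), top()/groupby() and timechart(span=1h, ...). The Python below is an added example, not part of the dashboard export or of any CrowdStrike code; it rebuilds those aggregations over constructed DetectionSummaryEvent records so the filtering and hour bucketing can be checked offline. Assumptions: events arrive as JSON lines with metadata.* and event.* named as in the queries, a top-level "@timestamp" key stands in for LogScale's @timestamp, and the customer ID "abc123", hosts and users are made up. Note that "Detection by Tactic" on the page applies neither ?cid nor ?ComputerName, unlike its siblings, so it counts across the whole repository; the example applies the ?cid filter to every widget.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry) in the shape the dashboard
# queries read: metadata.* and event.*, plus a top-level "@timestamp" standing
# in for LogScale's @timestamp.  Customer ID "abc123" and all hosts are made up.
SAMPLE_DETECTIONS = [
    '{"@timestamp":"2024-05-01T10:05:00Z","metadata":{"eventType":"DetectionSummaryEvent","customerIDString":"abc123"},'
    '"event":{"SensorId":"s-1","ComputerName":"WS01","UserName":"alice","DetectName":"Credential Theft","SeverityName":"High",'
    '"LocalIP":"10.0.0.5","Tactic":"Credential Access","Technique":"OS Credential Dumping","Objective":"Gain Access","DetectDescription":"LSASS memory read"}}',
    '{"@timestamp":"2024-05-01T10:40:00Z","metadata":{"eventType":"DetectionSummaryEvent","customerIDString":"abc123"},'
    '"event":{"SensorId":"s-1","ComputerName":"WS01","UserName":"alice","DetectName":"Suspicious Script","SeverityName":"Medium",'
    '"LocalIP":"10.0.0.5","Tactic":"Execution","Technique":"PowerShell","Objective":"Follow Through","DetectDescription":"Encoded command"}}',
    '{"@timestamp":"2024-05-01T11:15:00Z","metadata":{"eventType":"DetectionSummaryEvent","customerIDString":"abc123"},'
    '"event":{"SensorId":"s-1","ComputerName":"WS01","UserName":"bob","DetectName":"Credential Theft","SeverityName":"High",'
    '"LocalIP":"10.0.0.5","Tactic":"Credential Access","Technique":"OS Credential Dumping","Objective":"Gain Access","DetectDescription":"LSASS memory read"}}',
    '{"@timestamp":"2024-05-01T11:20:00Z","metadata":{"eventType":"DetectionSummaryEvent","customerIDString":"abc123"},'
    '"event":{"SensorId":"s-2","ComputerName":"WS02","UserName":"carol","DetectName":"Persistence Attempt","SeverityName":"Low",'
    '"LocalIP":"10.0.0.7","Tactic":"Persistence","Technique":"Scheduled Task","Objective":"Keep Access","DetectDescription":"schtasks create"}}',
    # Same hour and host name, but another customer ID: the ?cid filter must drop it.
    '{"@timestamp":"2024-05-01T10:10:00Z","metadata":{"eventType":"DetectionSummaryEvent","customerIDString":"other-cid"},'
    '"event":{"SensorId":"s-9","ComputerName":"WS01","UserName":"mallory","DetectName":"Credential Theft","SeverityName":"High",'
    '"LocalIP":"10.1.0.9","Tactic":"Credential Access","Technique":"OS Credential Dumping","Objective":"Gain Access","DetectDescription":"LSASS memory read"}}',
]

# Column alias -> event field, mirroring the := assignments in the Detections table widget.
TABLE_COLUMNS = [("SensorId", "SensorId"), ("ComputerName", "ComputerName"), ("User", "UserName"),
                 ("DetectName", "DetectName"), ("Severity", "SeverityName"), ("LocalIP", "LocalIP"),
                 ("Tactic", "Tactic"), ("Technique", "Technique"), ("Objective", "Objective"),
                 ("Description", "DetectDescription")]


def load_events(lines):
    return [json.loads(line) for line in lines]


def detections(events, cid, computer_name=None):
    """The filter every detection widget starts with: event type, ?cid and,
    when given, ?ComputerName.  Events missing a field never match."""
    for ev in events:
        md, e = ev.get("metadata", {}), ev.get("event", {})
        if md.get("eventType") != "DetectionSummaryEvent" or md.get("customerIDString") != cid:
            continue
        if computer_name is not None and e.get("ComputerName") != computer_name:
            continue
        yield ev


def detection_table(events, cid, computer_name=None):
    """table([...]) equivalent: one row per detection with the widget's columns."""
    rows = []
    for ev in detections(events, cid, computer_name):
        row = {"@timestamp": ev["@timestamp"]}
        row.update({alias: ev["event"].get(field) for alias, field in TABLE_COLUMNS})
        rows.append(row)
    return rows


def top_field(events, field, cid, computer_name=None, limit=10):
    """top(field) / groupby(field) equivalent: (value, count) pairs, largest
    first; ties keep first-seen order so the result is deterministic."""
    counts = Counter(ev["event"].get(field) for ev in detections(events, cid, computer_name))
    return sorted(counts.items(), key=lambda kv: -kv[1])[:limit]


def timechart(events, field, cid, computer_name=None, span_seconds=3600):
    """timechart(span=1h, field) equivalent: floor each timestamp to a span
    boundary (UTC), then count the series values inside each bucket."""
    buckets = defaultdict(Counter)
    for ev in detections(events, cid, computer_name):
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        epoch = int(ts.timestamp())
        start = datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)
        buckets[start.isoformat()][ev["event"].get(field)] += 1
    return {bucket: dict(series) for bucket, series in sorted(buckets.items())}


if __name__ == "__main__":
    evs = load_events(SAMPLE_DETECTIONS)
    print(top_field(evs, "Tactic", "abc123"))
    print(timechart(evs, "Technique", "abc123", computer_name="WS01"))
```

The same bucketing serves "Events over time" further down the page by changing span_seconds to 300 and grouping on metadata.eventType instead of an event.* field.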
Events by event type | metadata.customerIDString = ?cid|metadata.eventType!=ReconNotificationSummary*|groupBy(metadata.eventType)
| Bar Chart |
User Activity Events | * | metadata.eventType=UserActivityAuditEvent| metadata.customerIDString = ?cid|count()
| Gauge |
User Activity Events | metadata.eventType = UserActivityAuditEvent | event.OperationName = *| metadata.customerIDString = ?cid|akey0:=event.AuditKeyValues[0].Key
|aval0:=event.AuditKeyValues[0].ValueString
|akey1:=event.AuditKeyValues[1].Key
|aval1:=event.AuditKeyValues[1].ValueString
|akey2:=event.AuditKeyValues[2].Key
|aval2:=event.AuditKeyValues[2].ValueString
|akey3:=event.AuditKeyValues[3].Key
|aval3:=event.AuditKeyValues[3].ValueString
|akey4:=event.AuditKeyValues[4].Key
|aval4:=event.AuditKeyValues[4].ValueString
|akey5:=event.AuditKeyValues[5].Key
|aval5:=event.AuditKeyValues[5].ValueString
|akey6:=event.AuditKeyValues[6].Key
|aval6:=event.AuditKeyValues[6].ValueString
|akey7:=event.AuditKeyValues[7].Key
|aval7:=event.AuditKeyValues[7].ValueString
|akey8:=event.AuditKeyValues[8].Key
|aval8:=event.AuditKeyValues[8].ValueString
|akey9:=event.AuditKeyValues[9].Key
|aval9:=event.AuditKeyValues[9].ValueString
|akey10:=event.AuditKeyValues[10].Key
|aval10:=event.AuditKeyValues[10].ValueString
|akey11:=event.AuditKeyValues[11].Key
|aval11:=event.AuditKeyValues[11].ValueString
|akey12:=event.AuditKeyValues[12].Key
|aval12:=event.AuditKeyValues[12].ValueString
|akey13:=event.AuditKeyValues[13].Key
|aval13:=event.AuditKeyValues[13].ValueString
|akey14:=event.AuditKeyValues[14].Key
|aval14:=event.AuditKeyValues[14].ValueString
|akey15:=event.AuditKeyValues[15].Key
|aval15:=event.AuditKeyValues[15].ValueString
|akey16:=event.AuditKeyValues[16].Key
|aval16:=event.AuditKeyValues[16].ValueString
|akey17:=event.AuditKeyValues[17].Key
|aval17:=event.AuditKeyValues[17].ValueString
|akey18:=event.AuditKeyValues[18].Key
|aval18:=event.AuditKeyValues[18].ValueString
|akey19:=event.AuditKeyValues[19].Key
|aval19:=event.AuditKeyValues[19].ValueString
|akey20:=event.AuditKeyValues[20].Key
|aval20:=event.AuditKeyValues[20].ValueString
|rename(metadata.customerIDString, as="Customer ID")|User := rename(event.UserId)|UserIP := rename(event.UserIp) |Service:=event.ServiceName |Operation:=event.OperationName|table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])
| Table |
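The UserActivityAuditEvent widgets (Policy events, Policy events by Users, Policy events types, User Activity by ServiceName and the User Activity Events table) key on event.OperationName and flatten event.AuditKeyValues by hand: the table query assigns akey0..aval20 from fixed array indices and then lists only akey0..aval10 in table(), so pairs beyond the eleventh are computed and dropped, and any event with more than 21 pairs is truncated silently. The Python below is an added example, not the dashboard's or CrowdStrike's code; it rebuilds those widgets over constructed audit events and flattens AuditKeyValues by iterating the array instead of indexing it. Assumptions: JSON-lines input with metadata.* and event.* named as in the queries, a top-level "@timestamp" key standing in for LogScale's @timestamp, and made-up users, IPs, ServiceName values, policy IDs and customer ID.

```python
import json
from collections import Counter

# OperationName values the policy widgets key on (copied from the queries above).
POLICY_OPERATIONS = frozenset({
    "create_policy", "update_policy", "assign_policy", "enable_policy",
    "remove_policy", "disable_policy", "delete_policy", "update_precedence",
})

# Constructed sample audit events (not real telemetry).  Users, IPs, service
# names, policy IDs and the customer ID "abc123" are made up.
SAMPLE_AUDIT_EVENTS = [
    '{"@timestamp":"2024-05-01T09:00:00Z","metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"abc123"},'
    '"event":{"UserId":"alice@example.com","UserIp":"198.51.100.7","ServiceName":"Prevention Policies","OperationName":"create_policy",'
    '"AuditKeyValues":[{"Key":"policy_id","ValueString":"p-100"},{"Key":"policy_name","ValueString":"Servers"},{"Key":"platform_name","ValueString":"Windows"}]}}',
    '{"@timestamp":"2024-05-01T09:05:00Z","metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"abc123"},'
    '"event":{"UserId":"alice@example.com","UserIp":"198.51.100.7","ServiceName":"Prevention Policies","OperationName":"update_policy",'
    '"AuditKeyValues":[{"Key":"policy_id","ValueString":"p-100"},{"Key":"policy_name","ValueString":"Servers"}]}}',
    '{"@timestamp":"2024-05-01T09:30:00Z","metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"abc123"},'
    '"event":{"UserId":"bob@example.com","UserIp":"198.51.100.9","ServiceName":"Prevention Policies","OperationName":"assign_policy",'
    '"AuditKeyValues":[{"Key":"policy_id","ValueString":"p-100"},{"Key":"group_id","ValueString":"g-7"}]}}',
    # Audit event that is not policy-related: counted by the activity widgets only.
    '{"@timestamp":"2024-05-01T09:45:00Z","metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"abc123"},'
    '"event":{"UserId":"bob@example.com","UserIp":"198.51.100.9","ServiceName":"Detections","OperationName":"detection_update",'
    '"AuditKeyValues":[{"Key":"detection_id","ValueString":"ldt:123"},{"Key":"new_state","ValueString":"in_progress"}]}}',
    # Policy event for another customer ID: dropped by the ?cid filter.
    '{"@timestamp":"2024-05-01T09:50:00Z","metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"other-cid"},'
    '"event":{"UserId":"mallory@example.com","UserIp":"203.0.113.5","ServiceName":"Prevention Policies","OperationName":"create_policy",'
    '"AuditKeyValues":[{"Key":"policy_id","ValueString":"p-1"}]}}',
    # Not an audit event at all.
    '{"@timestamp":"2024-05-01T09:55:00Z","metadata":{"eventType":"DetectionSummaryEvent","customerIDString":"abc123"},'
    '"event":{"ComputerName":"WS01","Tactic":"Execution"}}',
]


def load_events(lines):
    return [json.loads(line) for line in lines]


def audit_events(events, cid):
    """metadata.eventType=UserActivityAuditEvent | metadata.customerIDString=?cid"""
    for ev in events:
        md = ev.get("metadata", {})
        if md.get("eventType") == "UserActivityAuditEvent" and md.get("customerIDString") == cid:
            yield ev


def policy_events(events, cid):
    """... | event.OperationName =~ in(values=[the policy operations])"""
    for ev in audit_events(events, cid):
        if ev["event"].get("OperationName") in POLICY_OPERATIONS:
            yield ev


def policy_event_count(events, cid):           # "Policy events" gauge
    return sum(1 for _ in policy_events(events, cid))


def policy_events_by_user(events, cid):        # "Policy events by Users" pie
    return Counter(ev["event"].get("UserId") for ev in policy_events(events, cid))


def policy_event_types(events, cid):           # "Policy events types" pie
    return Counter(ev["event"].get("OperationName") for ev in policy_events(events, cid))


def activity_by_service(events, cid):          # "User Activity by ServiceName" bar
    return Counter(ev["event"].get("ServiceName") for ev in audit_events(events, cid))


def flatten_audit_kv(event):
    """AuditKeyValues is a list of {Key, ValueString} objects.  The table
    widget copies indices 0..20 into akeyN/avalN columns by hand; iterating
    the list keeps every pair however many there are.  A repeated Key keeps
    the last value seen."""
    return {kv["Key"]: kv.get("ValueString", "") for kv in event["event"].get("AuditKeyValues", [])}


def audit_rows(events, cid):                   # "User Activity Events" table
    rows = []
    for ev in audit_events(events, cid):
        e = ev["event"]
        row = {"@timestamp": ev["@timestamp"], "Customer ID": ev["metadata"]["customerIDString"],
               "User": e.get("UserId"), "UserIP": e.get("UserIp"),
               "Service": e.get("ServiceName"), "Operation": e.get("OperationName")}
        row.update(flatten_audit_kv(ev))
        rows.append(row)
    return rows


if __name__ == "__main__":
    evs = load_events(SAMPLE_AUDIT_EVENTS)
    print(policy_event_count(evs, "abc123"), dict(policy_events_by_user(evs, "abc123")))
    for row in audit_rows(evs, "abc123"):
        print(row)
```

Because the flattened rows carry the audit keys as real column names (policy_name, group_id, ...) rather than positional akeyN/avalN pairs, they can be filtered directly, for example to list every user who touched a given policy_id.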
Blocked Requests - Inbound |
Displays the count of blocked inbound access requests using metadata.
* | metadata.eventType=FirewallMatchEvent event.RuleId=3|count()
| Gauge |
Identity Protection Events | * | metadata.eventType=IdentityProtectionEvent|count()
| Gauge |
Events over time |
Displays events over time, broken down by event type, using metadata.
metadata.eventType!=ReconNotificationSummary* |metadata.customerIDString = ?cid|timechart(span=5m,metadata.eventType)
| Time Chart |
Inbound Blocked Requests | * | metadata.eventType=FirewallMatchEvent | event.RuleId = 3|sankey(source=event.RemoteAddress, target=event.LocalAddress)
| Sankey |
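The firewall widgets (Firewall Events, the two Blocked Requests gauges and the two sankeys) filter FirewallMatchEvent on event.RuleId and, unlike the rest of the dashboard, apply no ?cid filter, so in a repository that holds events for several customer IDs they aggregate across all of them. The Python below is an added example, not part of the dashboard export or of any CrowdStrike code; it recomputes the gauges, the sankey edge lists (note the source/target swap between the outbound and inbound widgets) and the Firewall Events table over constructed events, with an optional ?cid filter added. Assumptions: the mapping RuleId 1 = blocked outbound, RuleId 3 = blocked inbound is taken from the widget titles on this page and is specific to that tenant's firewall policy (RuleId identifies the matched rule, so check RuleName/PolicyName elsewhere); JSON-lines input as in the other queries; hosts, addresses, rule names, the EventType value and the customer ID are made up.

```python
import json
from collections import Counter

# Rule IDs as this dashboard uses them.  RuleId names the rule that matched
# inside the tenant's own firewall policy, so these values are an assumption
# taken from the page, not a CrowdStrike constant.
OUTBOUND_BLOCK_RULE_ID = 1
INBOUND_BLOCK_RULE_ID = 3

# Columns the "Firewall Events" table selects (HostName listed once).
TABLE_COLUMNS = ["HostName", "DeviceId", "EventType", "PolicyName", "RuleName",
                 "CommandLine", "ImageFileName", "LocalAddress", "RemoteAddress"]

# Constructed sample events (not real telemetry); hosts, addresses, rule names,
# the EventType value and the customer ID "abc123" are made up.
SAMPLE_FIREWALL_EVENTS = [
    '{"metadata":{"eventType":"FirewallMatchEvent","customerIDString":"abc123"},"event":{"HostName":"WS01","DeviceId":"d-1",'
    '"EventType":"FirewallRuleIP4Matched","PolicyName":"Workstations","RuleName":"Block outbound","RuleId":"1",'
    '"CommandLine":"chrome.exe --incognito","ImageFileName":"chrome.exe","LocalAddress":"10.0.0.5","RemoteAddress":"203.0.113.10"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","customerIDString":"abc123"},"event":{"HostName":"WS01","DeviceId":"d-1",'
    '"EventType":"FirewallRuleIP4Matched","PolicyName":"Workstations","RuleName":"Block outbound","RuleId":"1",'
    '"CommandLine":"powershell.exe -enc AAAA","ImageFileName":"powershell.exe","LocalAddress":"10.0.0.5","RemoteAddress":"203.0.113.10"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","customerIDString":"abc123"},"event":{"HostName":"WS02","DeviceId":"d-2",'
    '"EventType":"FirewallRuleIP4Matched","PolicyName":"Workstations","RuleName":"Block outbound","RuleId":"1",'
    '"CommandLine":"curl.exe http://198.51.100.4/x","ImageFileName":"curl.exe","LocalAddress":"10.0.0.7","RemoteAddress":"198.51.100.4"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","customerIDString":"abc123"},"event":{"HostName":"WS01","DeviceId":"d-1",'
    '"EventType":"FirewallRuleIP4Matched","PolicyName":"Workstations","RuleName":"Block inbound","RuleId":"3",'
    '"CommandLine":"svchost.exe -k netsvcs","ImageFileName":"svchost.exe","LocalAddress":"10.0.0.5","RemoteAddress":"192.0.2.44"}}',
    # An allow-rule match: present in the table, absent from both gauges and sankeys.
    '{"metadata":{"eventType":"FirewallMatchEvent","customerIDString":"abc123"},"event":{"HostName":"WS01","DeviceId":"d-1",'
    '"EventType":"FirewallRuleIP4Matched","PolicyName":"Workstations","RuleName":"Allow DNS","RuleId":"2",'
    '"CommandLine":"svchost.exe -k dnscache","ImageFileName":"svchost.exe","LocalAddress":"10.0.0.5","RemoteAddress":"10.0.0.53"}}',
    # Another customer ID: the page's widgets would count this one too.
    '{"metadata":{"eventType":"FirewallMatchEvent","customerIDString":"other-cid"},"event":{"HostName":"WS09","DeviceId":"d-9",'
    '"EventType":"FirewallRuleIP4Matched","PolicyName":"Default","RuleName":"Block outbound","RuleId":"1",'
    '"CommandLine":"chrome.exe","ImageFileName":"chrome.exe","LocalAddress":"10.1.0.9","RemoteAddress":"203.0.113.10"}}',
]


def load_events(lines):
    return [json.loads(line) for line in lines]


def firewall_matches(events, rule_id=None, cid=None):
    """* | metadata.eventType=FirewallMatchEvent [event.RuleId=N].  The page's
    firewall widgets apply no ?cid filter; pass cid to add one.  RuleId is
    compared as a string so "1" and 1 both match."""
    for ev in events:
        md, e = ev.get("metadata", {}), ev.get("event", {})
        if md.get("eventType") != "FirewallMatchEvent":
            continue
        if cid is not None and md.get("customerIDString") != cid:
            continue
        if rule_id is not None and str(e.get("RuleId")) != str(rule_id):
            continue
        yield ev


def blocked_count(events, rule_id, cid=None):  # "Blocked Requests - Outbound/Inbound" gauges
    return sum(1 for _ in firewall_matches(events, rule_id, cid))


def sankey_edges(events, rule_id, inbound=False, cid=None):
    """Weighted (source, target) pairs for sankey().  The outbound widget draws
    LocalAddress -> RemoteAddress; the inbound widget swaps them so the flow
    still runs from originator to destination."""
    edges = Counter()
    for ev in firewall_matches(events, rule_id, cid):
        local, remote = ev["event"].get("LocalAddress"), ev["event"].get("RemoteAddress")
        src, dst = (remote, local) if inbound else (local, remote)
        edges[(src, dst)] += 1
    return edges


def firewall_table(events, cid=None):          # "Firewall Events" table
    return [{col: ev["event"].get(col) for col in TABLE_COLUMNS}
            for ev in firewall_matches(events, cid=cid)]


def busiest_targets(edges, n=3):
    """Collapse sankey edges by target: which destinations draw the most blocks."""
    by_target = Counter()
    for (_, dst), weight in edges.items():
        by_target[dst] += weight
    return by_target.most_common(n)


if __name__ == "__main__":
    evs = load_events(SAMPLE_FIREWALL_EVENTS)
    out = sankey_edges(evs, OUTBOUND_BLOCK_RULE_ID, cid="abc123")
    print(blocked_count(evs, OUTBOUND_BLOCK_RULE_ID, cid="abc123"), dict(out), busiest_targets(out))
    print(dict(sankey_edges(evs, INBOUND_BLOCK_RULE_ID, inbound=True, cid="abc123")))
```

Running the gauges with and without cid on the sample data shows the difference the missing ?cid filter makes: the outbound count is 4 across the repository but 3 for "abc123".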