Fortinet white logo
Fortinet white logo

Dataset Reference List

Dataset Reference List

The following tables list the datasets included with FortiAnalyzer. The tables contain the name, SQL query syntax, and log category for each dataset.

Dataset Name

Description

Log Category

Traffic-Bandwidth-Summary-Day-Of-Month

Traffic bandwidth timeline

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_BANDWIDTH_SESSION}})### t group by hodex having sum(traffic_out+traffic_in)>0 order by hodex

Dataset Name

Description

Log Category

Session-Summary-Day-Of-Month

Number of session timeline

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_BANDWIDTH_SESSION}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Users-By-Bandwidth

Bandwidth application top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-App-By-Bandwidth

Top applications by bandwidth usage

traffic

select 
  app_group_name(app) as app_group, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-User-Source-By-Sessions

Top user source by session count

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top-App-By-Sessions

Top applications by session count

traffic

select 
  app_group_name(app) as app_group, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top-Destination-Addresses-By-Sessions

Top destinations by session count

traffic

select 
  coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(dstip)
  ) as domain, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  domain 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top-Destination-Addresses-By-Bandwidth

Top destinations by bandwidth usage

traffic

select 
  coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(dstip)
  ) as domain, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(`dstip`)
  ) is not null 
group by 
  domain 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

DHCP-Summary-By-Port

Event top dhcp summary

event

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; 
drop 
  table if exists rpt_tmptbl_3; create temporary table rpt_tmptbl_1 as ###(select concat(interface, '.', devid) as intf, mac from $log where $last3day_period $filter  and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by interface, devid, mac)###; create temporary table rpt_tmptbl_2 as ###(select concat(interface, '.', devid) as intf, mac from $log where $filter and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by interface, devid, mac)###; create temporary table rpt_tmptbl_3 as select distinct on (1) intf, cast(used*100.0/total as decimal(18,2)) as percent_of_allocated_ip from ###(select distinct on (1) concat(interface, '.', devid) as intf, used, total, itime from $log where $filter and logid_to_int(logid)=26003 and total>0 /*SkipSTART*/order by intf, itime desc/*SkipEND*/)### t order by intf, itime desc; select t1.intf as interface, percent_of_allocated_ip, new_cli_count from rpt_tmptbl_3 t1 inner join (select intf, count(mac) as new_cli_count from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.mac=rpt_tmptbl_1.mac) group by intf) t2 on t1.intf=t2.intf order by interface, percent_of_allocated_ip desc

Dataset Name

Description

Log Category

Top-Wifi-Client-By-Bandwidth

Traffic top WiFi client by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  srcssid, 
  devtype, 
  coalesce(
    nullifna(`srcname`), 
    `srcmac`
  ) as hostname_mac, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  user_src, 
  srcssid, 
  devtype, 
  hostname_mac 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Traffic-History-By-Active-User

Traffic history by active user

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  count(
    distinct(user_src)
  ) as total_user 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_BANDWIDTH_SESSION}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Allowed-Websites-By-Requests

UTM top allowed web sites by request

traffic

select 
  hostname, 
  catdesc, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and hostname is not null 
  and (
    utmaction not in ('block', 'blocked') 
    or action != 'deny'
  ) 
group by 
  hostname, 
  catdesc 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-50-Websites-By-Bandwidth

Webfilter top allowed web sites by bandwidth usage

webfilter

select 
  domain, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and utmaction!='blocked' and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by domain, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

Top-Blocked-Websites

UTM top blocked web sites by request

traffic

select 
  hostname, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and hostname is not null 
  and (
    utmaction in ('block', 'blocked') 
    or action = 'deny'
  ) 
group by 
  hostname 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Web-Users-By-Request

UTM top web users by request

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  srcname, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
group by 
  user_src, 
  devtype, 
  srcname 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Allowed-WebSites-By-Bandwidth

UTM top allowed websites by bandwidth usage

traffic

select 
  appid, 
  hostname, 
  catdesc, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and hostname is not null 
group by 
  appid, 
  hostname, 
  catdesc 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Blocked-Web-Users

UTM top blocked web users

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  srcname, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and (
    utmaction in ('block', 'blocked') 
    or action = 'deny'
  ) 
group by 
  user_src, 
  devtype, 
  srcname 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-20-Web-Users-By-Bandwidth

Webfilter top web users by bandwidth usage

webfilter

select 
  user_src, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by user_src having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by user_src order by bandwidth desc

Dataset Name

Description

Log Category

Top-Web-Users-By-Bandwidth

UTM top web users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  srcname, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
group by 
  user_src, 
  devtype, 
  srcname 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Video-Streaming-Websites-By-Bandwidth

UTM top video streaming websites by bandwidth usage

traffic

select 
  appid, 
  hostname, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and catdesc in ('Streaming Media and Download') 
group by 
  appid, 
  hostname 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Email-Senders-By-Count

Default top email senders by count

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'smtp', 'SMTP', '25/tcp', '587/tcp', 
    'smtps', 'SMTPS', '465/tcp'
  ) 
group by 
  user_src 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Email-Receivers-By-Count

Default email top receivers by count

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'pop3', 'POP3', '110/tcp', 'imap', 
    'IMAP', '143/tcp', 'imaps', 'IMAPS', 
    '993/tcp', 'pop3s', 'POP3S', '995/tcp'
  ) 
group by 
  user_src 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Email-Senders-By-Bandwidth

Default email top senders by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'smtp', 'SMTP', '25/tcp', '587/tcp', 
    'smtps', 'SMTPS', '465/tcp'
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Email-Receivers-By-Bandwidth

Default email top receivers by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'pop3', 'POP3', '110/tcp', 'imap', 
    'IMAP', '143/tcp', 'imaps', 'IMAPS', 
    '993/tcp', 'pop3s', 'POP3S', '995/tcp'
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Malware-By-Name

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

Top-Virus-By-Name

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

Top-Virus-Victim

UTM top virus user

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by user_src /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by user_src order by totalnum desc

Dataset Name

Description

Log Category

Top-Attack-Source

UTM top attack source

attack

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
group by 
  user_src 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Attack-Victim

UTM top attack dest

attack

select 
  dstip, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and dstip is not null 
group by 
  dstip 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Static-IPSEC-Tunnels-By-Bandwidth

Top static IPsec tunnels by bandwidth usage

event

select 
  vpn_name, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      vpn_name, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_IPSEC_TUNNEL_BANDWIDTH}})### t where (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0 order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Tunnel-Users-By-Bandwidth

Top SSL VPN tunnel users by bandwidth usage

event

select 
  user_src, 
  remip as remote_ip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      user_src, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t where tunneltype='ssl-tunnel' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dial-Up-IPSEC-Tunnels-By-Bandwidth

Top dial up IPsec tunnels by bandwidth usage

event

select 
  vpn_name, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      tunnelid, 
      remip, 
      vpn_name, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_TUNNELS}})### t where not (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_out+traffic_in)>0 order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dial-Up-IPSEC-Users-By-Bandwidth

Top dial up IPsec users by bandwidth usage

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  remip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_BANDWIDTH}})### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src, remip order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dial-Up-IPSEC-Users-By-Duration

Top dial up IPsec users by duration

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(duration) as duration, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_BANDWIDTH}})### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src order by duration desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Web-Mode-Users-By-Bandwidth

Top SSL VPN web mode users by bandwidth usage

event

select 
  user_src, 
  remip as remote_ip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      user_src, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Web-Mode-Users-By-Duration

Top SSL VPN web mode users by duration

event

select 
  user_src, 
  remip as remote_ip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  (
    max(e_time)- min(s_time)
  ) as duration 
from 
  (
    select 
      devid, 
      vd, 
      user_src, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip order by duration desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Users-By-Duration

Top SSL VPN users by duration

event

select 
  user_src, 
  tunneltype, 
  sum(duration) as duration, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      user_src, 
      tunneltype, 
      tunnelid, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t group by devid, vd, remip, user_src, tunnelid, tunneltype) tt where bandwidth>0 group by user_src, tunneltype order by duration desc

Dataset Name

Description

Log Category

vpn-Top-Dial-Up-VPN-Users-By-Duration

Top dial up VPN users by duration

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  t_type as tunneltype, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(duration) as duration, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      t_type, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_USERS}})### t where (t_type like 'ssl%' or (t_type like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0'))) group by devid, vd, remip, t_type, tunnelid) tt where bandwidth>0 group by user_src, tunneltype order by duration desc

Dataset Name

Description

Log Category

vpn-User-Login-history

VPN user login history

event

select 
  $flex_timescale(timestamp) as hodex, 
  sum(total_num) as total_num 
from 
  (
    select 
      timestamp, 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      sum(tunnelup) as total_num, 
      max(traffic_in) as traffic_in, 
      max(traffic_out) as traffic_out 
    from 
      ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null group by timestamp, action, devid, vd, remip, tunnelid /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, vd, remip, tunnelid having max(tunnelup) > 0 and max(traffic_in)+max(traffic_out)>0) t group by hodex order by total_num desc

Dataset Name

Description

Log Category

vpn-Failed-Login-Atempts

VPN failed logins

event

select 
  f_user, 
  tunneltype, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype='ipsec' or left(tunneltype, 3)='ssl') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc

Dataset Name

Description

Log Category

vpn-Authenticated-Logins

VPN authenticated logins

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as f_user, 
  t_type as tunneltype, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(total_num) as total_num, 
  sum(duration) as duration 
from 
  (
    select 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      t_type, 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      sum(tunnelup) as total_num 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_USERS}})### t group by t_type, devid, vd, remip, tunnelid having max(tunnelup) > 0) tt where bandwidth>0 group by f_user, tunneltype order by total_num desc

Dataset Name

Description

Log Category

vpn-Traffic-Usage-Trend-VPN-Summary

VPN traffic usage trend

event

select 
  hodex, 
  sum(ssl_traffic_bandwidth) as ssl_bandwidth, 
  sum(ipsec_traffic_bandwidth) as ipsec_bandwidth 
from 
  (
    select 
      $flex_timescale(timestamp) as hodex, 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      (
        case when t_type like 'ssl%' then (
          case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
        ) else 0 end
      ) as ssl_traffic_bandwidth, 
      (
        case when t_type like 'ipsec%' then (
          case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
        ) else 0 end
      ) as ipsec_traffic_bandwidth, 
      min(s_time) as s_time, 
      max(e_time) as e_time 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_TRAFFIC_USAGE}})### t group by hodex, devid, t_type, vd, remip, tunnelid) tt group by hodex order by hodex

Dataset Name

Description

Log Category

Top-S2S-IPSEC-Tunnels-By-Bandwidth-and-Availability

Top S2S IPsec tunnels by bandwidth usage and avail

event

select 
  vpntunnel, 
  tunneltype, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      vpntunnel, 
      tunneltype, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, tunneltype, vpntunnel, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and (tunnelip is null or tunnelip='0.0.0.0') and nullifna(`user`) is null and tunnelid is not null and tunnelid!=0 group by tunnelid, tunneltype, vpntunnel, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by vpntunnel, tunneltype, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by vpntunnel, tunneltype order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dialup-IPSEC-By-Bandwidth-and-Availability

Top dialup IPsec users by bandwidth usage and avail

event

select 
  user_src, 
  remip, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      user_src, 
      remip, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and tunnelid is not null and tunnelid!=0 group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remip order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-Tunnel-Mode-By-Bandwidth-and-Availability

Top SSL tunnel users by bandwidth usage and avail

event

select 
  user_src, 
  remote_ip, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      user_src, 
      remip as remote_ip, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype in ('ssl-tunnel', 'ssl') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remote_ip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-Web-Mode-By-Bandwidth-and-Availability

Top SSL web users by bandwidth usage and avail

event

select 
  user_src, 
  remote_ip, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      user_src, 
      remip as remote_ip, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype='ssl-web' and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remote_ip, tunnelid, devid, vd having sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0 order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Admin-Login-Summary

Event admin login summary

event

select 
  f_user, 
  ui, 
  sum(login) as total_num, 
  sum(login_duration) as total_duration, 
  sum(config_change) as total_change 
from 
  (
    select 
      `user` as f_user, 
      ui, 
      (
        case when logid_to_int(logid)= 32001 then 1 else 0 end
      ) as login, 
      (
        case when logid_to_int(logid)= 32003 then duration else 0 end
      ) as login_duration, 
      (
        case when logid_to_int(logid)= 32003 
        and state is not null then 1 else 0 end
      ) as config_change 
    from 
      $log 
    where 
      $filter 
      and nullifna(`user`) is not null 
      and logid_to_int(logid) in (32001, 32003)
  ) t 
group by 
  f_user, 
  ui 
having 
  sum(login)+ sum(config_change)& gt; 0 
order by 
  total_num desc

Dataset Name

Description

Log Category

Admin-Login-Summary-By-Date

Event admin login summary by date

event

select 
  $flex_timescale(timestamp) as dom, 
  sum(total_num) as total_num, 
  sum(total_change) as total_change 
from 
  ###(select timestamp, sum(login) as total_num, sum(config_change) as total_change from (select $flex_timestamp as timestamp, (case when logid_to_int(logid)=32001 then 1 else 0 end) as login, (case when logid_to_int(logid)=32003 and state is not null then 1 else 0 end) as config_change from $log where $filter and logid_to_int(logid) in (32001, 32003)) t group by timestamp having sum(login)+sum(config_change)>0 /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom

Dataset Name

Description

Log Category

Admin-Failed-Login-Summary

Event admin failed login summary

event

select 
  `user` as f_user, 
  ui, 
  count(status) as total_failed 
from 
  $log 
where 
  $filter 
  and nullifna(`user`) is not null 
  and logid_to_int(logid) = 32002 
group by 
  ui, 
  f_user 
order by 
  total_failed desc

Dataset Name

Description

Log Category

System-Summary-By-Severity

Event system summary by severity

event

select 
  severity_tmp as severity, 
  sum(count) as total_num 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t group by severity order by total_num desc

Dataset Name

Description

Log Category

System-Summary-By-Date

Event system summary by date

event

select 
  $flex_timescale(timestamp) as dom, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium 
from 
  ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom

Dataset Name

Description

Log Category

Important-System-Summary-By-Date

Event system summary by date

event

select 
  $flex_timescale(timestamp) as dom, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium 
from 
  ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom

Dataset Name

Description

Log Category

System-Critical-Severity-Events

Event system critical severity events

event

select 
  msg_desc as msg, 
  severity_tmp as severity, 
  sum(count) as counts 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t where severity_tmp='Critical' group by msg, severity_tmp order by counts desc

Dataset Name

Description

Log Category

System-High-Severity-Events

Event system high severity events

event

select 
  msg_desc as msg, 
  severity_tmp as severity, 
  sum(count) as counts 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t where severity_tmp='High' group by msg, severity_tmp order by counts desc

Dataset Name

Description

Log Category

System-Medium-Severity-Events

Event system medium severity events

event

select 
  msg_desc as msg, 
  severity_tmp as severity, 
  sum(count) as counts 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t where severity_tmp='Medium' group by msg, severity_tmp order by counts desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Traffic-Summary

UTM drilldown traffic summary

traffic

select 
  srcip, 
  srcname 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, srcname, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by user_src, srcip, srcname order by bandwidth desc)### t where $filter-drilldown group by srcip, srcname

Dataset Name

Description

Log Category

utm-drilldown-Top-User-Destination

UTM drilldown top user destination

traffic

select 
  appid, 
  app, 
  dstip, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, app, dstip, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and dstip is not null and nullifna(app) is not null group by user_src, appid, app, dstip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t where $filter-drilldown group by appid, app, dstip order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Email-Senders-Summary

UTM drilldown email senders summary

traffic

select 
  sum(requests) as requests, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_SENDERS}})### t where $filter-drilldown

Dataset Name

Description

Log Category

utm-drilldown-Email-Receivers-Summary

UTM drilldown email receivers summary

traffic

select 
  sum(requests) as requests, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_RECIPIENTS}})### t where $filter-drilldown

Dataset Name

Description

Log Category

utm-drilldown-Top-Email-Recipients-By-Bandwidth

UTM drilldown top email recipients

traffic

select 
  recipient, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_RECIPIENTS}})### t where $filter-drilldown group by recipient having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Email-Senders-By-Bandwidth

UTM drilldown top email senders

traffic

select 
  sender, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_SENDERS}})### t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Allowed-Websites-By-Bandwidth

UTM drilldown top allowed web sites by bandwidth

traffic

select 
  appid, 
  hostname, 
  sum(bandwidth) as bandwidth 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, hostname, (case when utmaction in ('block', 'blocked') then 1 else 0 end) as blocked, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and hostname is not null group by user_src, appid, hostname, blocked order by bandwidth desc)### t where $filter-drilldown and blocked=0 group by appid, hostname order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Blocked-Websites-By-Request

UTM drilldown top blocked web sites by request

webfilter

select 
  appid, 
  hostname, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, 0 as appid, hostname, (case when action='blocked' then 1 else 0 end) as blocked, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and hostname is not null group by user_src, appid, hostname, blocked order by requests desc)### t where $filter-drilldown and blocked=1 group by appid, hostname order by requests desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Virus-By-Name

UTM drilldown top virus

virus

select 
  virus, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by user_src, virus order by totalnum desc)### t where $filter-drilldown group by virus order by totalnum desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Attacks

UTM drilldown top attacks by name

attack

select 
  attack, 
  sum(attack_count) as attack_count 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack order by attack_count desc)### t where $filter-drilldown group by attack order by attack_count desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Vulnerability

UTM drilldown top vulnerability by name

netscan

select 
  vuln, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, vuln, count(*) as totalnum from $log where $filter and action='vuln-detection' and vuln is not null group by user_src, vuln order by totalnum desc)### t where $filter-drilldown group by vuln order by totalnum desc

Dataset Name

Description

Log Category

utm-drilldown-Top-App-By-Bandwidth

UTM drilldown top applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_APPS}})### t where $filter-drilldown group by appid, app having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-App-By-Sessions

UTM drilldown top applications by session count

traffic

select 
  appid, 
  app, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_APPS}})### t where $filter-drilldown group by appid, app order by sessions desc

Dataset Name

Description

Log Category

Top5-Users-By-Bandwidth

UTM drilldown top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as dldn_user, 
  count(*) as session, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  dldn_user 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Top-App-By-Bandwidth-Sessions

Top applications by bandwidth usage

traffic

select 
  app_group_name(app) as app_group, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Category-By-Bandwidth

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Top-Users-By-Bandwidth-Sessions

Bandwidth application top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Traffic-By-Active-User-Number

Bandwidth application traffic by active user number

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  count(
    distinct(user_src)
  ) as total_user 
from 
  ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src from $log where $filter and (logflag&1>0) group by timestamp, user_src order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

bandwidth-app-Top-Dest-By-Bandwidth-Sessions

Bandwidth application top dest by bandwidth usage sessions

traffic

select 
  coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(`dstip`)
  ) as domain, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  domain 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Top-Policies-By-Bandwidth-Sessions

Top policies by bandwidth and sessions

traffic

select 
  coalesce(
    cast(poluuid as text), 
    cast(policyid as text)
  ) as polid, 
  sum(
    coalesce(rcvdbyte, 0) + coalesce(sentbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  polid 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Traffic-Statistics

Bandwidth application traffic statistics

traffic

drop 
  table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1(
    total_sessions varchar(255), 
    total_bandwidth varchar(255), 
    ave_session varchar(255), 
    ave_bandwidth varchar(255), 
    active_date varchar(255), 
    total_users varchar(255), 
    total_app varchar(255), 
    total_dest varchar(255)
  ); insert into rpt_tmptbl_1 (
    total_sessions, total_bandwidth, 
    ave_session, ave_bandwidth
  ) 
select 
  format_numeric_no_decimal(
    sum(sessions)
  ) as total_sessions, 
  bandwidth_unit(
    sum(bandwidth)
  ) as total_bandwidth, 
  format_numeric_no_decimal(
    cast(
      sum(sessions)/ $days_num as decimal(18, 0)
    )
  ) as ave_session, 
  bandwidth_unit(
    cast(
      sum(bandwidth)/ $days_num as decimal(18, 0)
    )
  ) as ave_bandwidth 
from 
  ###(select count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0))### t; update rpt_tmptbl_1 set active_date=t1.dom from (select dom, sum(sessions) as sessions from ###(select $DAY_OF_MONTH as dom, count(*) as sessions from $log where $filter and (logflag&1>0) group by dom order by sessions desc)### t group by dom order by sessions desc limit 1) as t1; update rpt_tmptbl_1 set total_users=t2.totalnum from (select format_numeric_no_decimal(count(distinct(user_src))) as totalnum from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as count from $log where $filter and (logflag&1>0) group by user_src order by count desc)### t) as t2; update rpt_tmptbl_1 set total_app=t3.totalnum from (select format_numeric_no_decimal(count(distinct(app_grp))) as totalnum from ###(select app_group_name(app) as app_grp, count(*) as count from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_grp order by count desc)### t) as t3; update rpt_tmptbl_1 set total_dest=t4.totalnum from (select format_numeric_no_decimal(count(distinct(dstip))) as totalnum from ###(select dstip, count(*) as count from $log where $filter and (logflag&1>0) and dstip is not null group by dstip order by count desc)### t ) as t4; select 'Total Sessions' as summary, total_sessions as stats from rpt_tmptbl_1 union all select 'Total Bytes Transferred' as summary, total_bandwidth as stats from rpt_tmptbl_1 union all select 'Most Active Date By Sessions' as summary, active_date as stats from rpt_tmptbl_1 union all select 'Total Users' as summary, total_users as stats from rpt_tmptbl_1 union all select 'Total Applications' as summary, total_app as stats from rpt_tmptbl_1 union all select 'Total Destinations' as summary, total_dest as stats from rpt_tmptbl_1 union all select 'Average Sessions Per Day' as summary, ave_session as stats from rpt_tmptbl_1 union all select 'Average Bytes Per Day' as summary, ave_bandwidth as stats from rpt_tmptbl_1

Dataset Name

Description

Log Category

Score-Summary-For-All-Users-Devices

Reputation score summary for all users devices

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(scores) as scores 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_CLIENT_REPUTATION_INCIDENTS}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Number-Of-Incidents-For-All-Users-Devices

Reputation number of incidents for all users devices

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(scores) as scores, 
  sum(totalnum) as totalnum 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_CLIENT_REPUTATION_INCIDENTS}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Users-By-Reputation-Scores

Reputation top users by scores

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  user_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

Top-Devices-By-Reputation-Scores

Reputation top devices by scores

traffic

select 
  devtype, 
  coalesce(
    nullifna(`srcname`), 
    nullifna(`srcmac`), 
    ipstr(`srcip`)
  ) as dev_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  devtype, 
  dev_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

Top-Users-With-Increased-Scores

Reputation top users with increased scores

traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)###; select t1.f_user, sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_user=t2.f_user where t2.sum_rp_score > t1.sum_rp_score group by t1.f_user order by delta desc

Dataset Name

Description

Log Category

Top-Devices-With-Increased-Scores

Reputation top devices with increased scores

traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, devtype, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_device, devtype having sum(crscore%65536)>0 order by sum_rp_score desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, devtype, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_device, devtype having sum(crscore%65536)>0 order by sum_rp_score desc)###; select t1.f_device, t1.devtype , sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_device=t2.f_device and t1.devtype=t2.devtype where t2.sum_rp_score > t1.sum_rp_score group by t1.f_device, t1.devtype order by delta desc

Dataset Name

Description

Log Category

Attacks-By-Severity

Threat attacks by severity

attack

select 
  (
    case when severity = 'critical' then 'Critical' when severity = 'high' then 'High' when severity = 'medium' then 'Medium' when severity = 'low' then 'Low' when severity = 'info' then 'Info' end
  ) as severity, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
group by 
  severity 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Attacks-Detected

Threat top attacks detected

attack

select 
  attack, 
  attackid, 
  cve, 
  severity, 
  sum(attack_count) as attack_count 
from 
  ###(select attack, attackid, t1.severity, cve, (case when t1.severity = 'critical' then 1 when t1.severity = 'high' then 2 when t1.severity = 'medium'  then 3 when t1.severity = 'low' then 4 else 5 end) as severity_level, count(*) as attack_count from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, severity_level, cve /*SkipSTART*/order by severity_level, attack_count desc/*SkipEND*/)### t group by attack, attackid, severity, severity_level, cve order by severity_level, attack_count desc

Dataset Name

Description

Log Category

Top-Attacks-Blocked

Threat top attacks blocked

attack

select 
  attack, 
  count(*) as attack_count 
from 
  $log 
where 
  $filter 
  and nullifna(attack) is not null 
  and action not in ('detected', 'pass_session') 
group by 
  attack 
order by 
  attack_count desc

Dataset Name

Description

Log Category

Top-Virus-Source

Threat top virus source

virus

select 
  srcip, 
  hostname, 
  sum(totalnum) as totalnum 
from 
  ###(select srcip , ipstr(`dstip`) as hostname, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by srcip, hostname /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by srcip, hostname order by totalnum desc

Dataset Name

Description

Log Category

Intrusion-in-Last-7-Days

Threat intrusion timeline

attack

select 
  $flex_timescale(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Virus-Time-Line

Threat virus timeline

virus

select 
  $flex_datetime(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Spyware-Victims

Threat top spyware victims

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where  virus like 'Riskware%' group by user_src order by totalnum desc

Dataset Name

Description

Log Category

Top-Spyware-by-Name

Threat top spyware by name

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Riskware%' group by virus order by totalnum desc

Dataset Name

Description

Log Category

Top-Spyware-Source

Threat top spyware source

traffic

select 
  srcip, 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and virus like 'Riskware%' 
group by 
  srcip, 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Spyware-Time-Line

Threat spyware timeline

virus

select 
  $flex_timescale(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and virus like 'Riskware%' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Adware-Victims

Threat top adware victims

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by user_src order by totalnum desc

Dataset Name

Description

Log Category

Top-Adware-by-Name

Threat top adware by name

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by virus order by totalnum desc

Dataset Name

Description

Log Category

Top-Adware-Source

Threat top adware source

traffic

select 
  srcip, 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and virus like 'Adware%' 
group by 
  srcip, 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Adware-Time-Line

Threat adware timeline

virus

select 
  $flex_timescale(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and virus like 'Adware%' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Intrusions-Timeline-By-Severity

Threat intrusions timeline by severity

attack

select 
  $flex_timescale(timestamp) as timescale, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low, 
  sum(info) as info 
from 
  ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity = 'notice' then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale

Dataset Name

Description

Log Category

Important-Intrusions-Timeline-By-Severity

Threat intrusions timeline by severity

attack

select 
  $flex_timescale(timestamp) as timescale, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low, 
  sum(info) as info 
from 
  ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity = 'notice' then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale

Dataset Name

Description

Log Category

Top-Intrusions-By-Types

Threat top intrusions by types

attack

select 
  vuln_type, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and vuln_type is not null 
group by 
  vuln_type 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Critical-Severity-Intrusions

Threat critical severity intrusions

attack

select 
  attack, 
  attackid, 
  cve, 
  vuln_type, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and t1.severity = 'critical' 
  and nullifna(attack) is not null 
group by 
  attack, 
  attackid, 
  cve, 
  vuln_type 
order by 
  totalnum desc

Dataset Name

Description

Log Category

High-Severity-Intrusions

Threat high severity intrusions

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and t1.severity = 'high' 
  and nullifna(attack) is not null 
group by 
  attack, 
  attackid, 
  vuln_type, 
  cve 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Medium-Severity-Intrusions

Threat medium severity intrusions

attack

select 
  attack, 
  vuln_type, 
  cve, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and t1.severity = 'medium' 
  and nullifna(attack) is not null 
group by 
  attack, 
  vuln_type, 
  cve 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Intrusion-Victims

Threat top intrusion victims

attack

select 
  victim, 
  sum(cri_num) as critical, 
  sum(high_num) as high, 
  sum(med_num) as medium, 
  sum(cri_num + high_num + med_num) as totalnum 
from 
  ###(select dstip as victim, sum((case when severity='critical' then 1 else 0 end)) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by victim)### t group by victim order by totalnum desc

Dataset Name

Description

Log Category

Top-Intrusion-Sources

Threat top intrusion sources

attack

select 
  source, 
  sum(cri_num) as critical, 
  sum(high_num) as high, 
  sum(med_num) as medium, 
  sum(cri_num + high_num + med_num) as totalnum 
from 
  ###(select srcip as source, sum(case when severity='critical' then 1 else 0 end) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by source)### t group by source order by totalnum desc

Dataset Name

Description

Log Category

Top-Blocked-Intrusions

Threat top blocked intrusions

attack

select 
  attack, 
  attackid, 
  (
    case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high' then 'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low' then 'Low' when t1.severity = 'info' then 'Info' end
  ) as severity_name, 
  count(*) as totalnum, 
  vuln_type, 
  (
    case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1 when t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.severity = 'info' then 4 else 5 end
  ) as severity_number 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and nullifna(attack) is not null 
  and action not in ('detected', 'pass_session') 
group by 
  attack, 
  attackid, 
  t1.severity, 
  vuln_type 
order by 
  severity_number, 
  totalnum desc

Dataset Name

Description

Log Category

Top-Monitored-Intrusions

Threat top monitored intrusions

attack

select 
  attack, 
  attackid, 
  (
    case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high' then 'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low' then 'Low' when t1.severity = 'info' then 'Info' end
  ) as severity_name, 
  count(*) as totalnum, 
  vuln_type, 
  (
    case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1 when t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.severity = 'info' then 4 else 5 end
  ) as severity_number 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and nullifna(attack) is not null 
  and action in ('detected', 'pass_session') 
group by 
  attack, 
  attackid, 
  t1.severity, 
  vuln_type 
order by 
  severity_number, 
  totalnum desc

Dataset Name

Description

Log Category

Attacks-Over-HTTP-HTTPs

Threat attacks over HTTP HTTPs

attack

select 
  attack, 
  attackid, 
  (
    case when severity = 'critical' then 'Critical' when severity = 'high' then 'High' when severity = 'medium' then 'Medium' when severity = 'low' then 'Low' when severity = 'info' then 'Info' end
  ) as severity, 
  count(*) as totalnum, 
  (
    case when severity = 'critical' then 0 when severity = 'high' then 1 when severity = 'medium' then 2 when severity = 'low' then 3 when severity = 'info' then 4 else 5 end
  ) as severity_number 
from 
  $log 
where 
  $filter 
  and severity in ('critical', 'high', 'medium') 
  and upper(service) in ('HTTP', 'HTTPS') 
group by 
  attack, 
  attackid, 
  severity, 
  severity_number 
order by 
  severity_number, 
  totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OffWire

Default access point detection summary by status off-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='no' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OffWire_table

Default access point detection summary by status off-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='no' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OnWire

Default access point detection summary by status on-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OnWire_table

Default access point detection summary by status on-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-Managed-AP-Summary

Default managed access point summary

event

select 
  (
    case when (
      action like '%join%' 
      and logid_to_int(logid) in (43522, 43551)
    ) then 'Authorized' else 'Unauthorized' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid) in (43522, 43551) 
group by 
  ap_status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

default-Managed-AP-Summary_table

Default managed access point summary

event

select 
  (
    case when (
      action like '%join%' 
      and logid_to_int(logid) in (43522, 43551)
    ) then 'Authorized' else 'Unauthorized' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid) in (43522, 43551) 
group by 
  ap_status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

default-Unclassified-AP-Summary

Default unclassified access point summary

event

select 
  (
    case onwire when 'no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc

Dataset Name

Description

Log Category

default-Unclassified-AP-Summary_table

Default unclassified access point summary

event

select 
  (
    case onwire when 'no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc

Dataset Name

Description

Log Category

default-selected-AP-Details-OffWire

Default selected access point details off-wire

event

select 
  (
    case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  from_dtime(
    min(dtime)
  ) as first_seen, 
  from_dtime(
    max(dtime)
  ) as last_seen, 
  detectionmethod, 
  itime, 
  onwire as on_wire 
from 
  $log 
where 
  $filter 
  and apstatus is not null 
  and bssid is not null 
  and onwire = 'no' 
  and logid_to_int(logid) in (
    43521, 43563, 43564, 43565, 43566, 43569, 
    43570, 43571
  ) 
group by 
  ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  detectionmethod, 
  itime, 
  onwire, 
  apstatus

Dataset Name

Description

Log Category

default-selected-AP-Details-OnWire

Default selected access point details on-wire

event

select 
  (
    case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  from_dtime(
    min(dtime)
  ) as first_seen, 
  from_dtime(
    max(dtime)
  ) as last_seen, 
  detectionmethod, 
  itime, 
  onwire as on_wire 
from 
  $log 
where 
  $filter 
  and apstatus is not null 
  and bssid is not null 
  and onwire = 'yes' 
  and logid_to_int(logid) in (
    43521, 43563, 43564, 43565, 43566, 43569, 
    43570, 43571
  ) 
group by 
  ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  detectionmethod, 
  itime, 
  onwire, 
  apstatus

Dataset Name

Description

Log Category

event-Wireless-Client-Details

Event wireless client details

event

drop 
  table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1 as 
select 
  ip, 
  lower(mac) as lmac, 
  sn, 
  ssid, 
  channel, 
  radioband, 
  min(dtime) as first, 
  max(dtime) as last 
from 
  $log - event 
where 
  $filter 
  and ip is not null 
  and mac is not null 
  and sn is not null 
  and ssid is not null 
group by 
  ip, 
  lmac, 
  sn, 
  ssid, 
  channel, 
  radioband 
order by 
  ip; 
select 
  user_src, 
  ip, 
  lmac, 
  sn, 
  ssid, 
  channel, 
  radioband, 
  from_dtime(first) as first_seen, 
  from_dtime(last) as last_seen, 
  cast(
    volume as decimal(18, 2)
  ) as bandwidth 
from 
  (
    select 
      * 
    from 
      rpt_tmptbl_1 
      inner join (
        select 
          user_src, 
          srcip, 
          sum(volume) as volume 
        from 
          ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as volume from $log-traffic where $filter-time and (logflag&1>0) and srcip is not null group by user_src, srcip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by volume desc)### t group by user_src, srcip order by user_src, srcip) t on rpt_tmptbl_1.ip = t.srcip) t order by volume desc

Dataset Name

Description

Log Category

event-Wireless-Accepted-Offwire

Event wireless accepted off-wire

event

select 
  'accepted' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=2 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Accepted-Onwire

Event wireless accepted on-wire

event

select 
  'accepted' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=2 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Rogue-Offwire

Event wireless rogue off-wire

event

select 
  'rogue' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=1 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Rogue-Onwire

Event wireless rogue on-wire

event

select 
  'rogue' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=1 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Suppressed-Offwire

Event wireless suppressed off-wire

event

select 
  'suppressed' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=3 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Suppressed-Onwire

Event wireless suppressed on-wire

event

select 
  'suppressed' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=3 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Unclassified-Offwire

Event wireless unclassified off-wire

event

select 
  'unclassified' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=0 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Unclassified-Onwire

Event wireless unclassified on-wire

event

select 
  'unclassified' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=0 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

default-Top-IPSEC-Vpn-Dial-Up-User-By-Bandwidth

Default top IPsec VPN dial up user by bandwidth usage

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_BANDWIDTH}})### t group by devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

default-Top-Sources-Of-SSL-VPN-Tunnels-By-Bandwidth

Default top sources of SSL VPN tunnels by bandwidth usage

event

select 
  remip as remote_ip, 
  sum(bandwidth) as bandwidth 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_TRAFFIC_USAGE}})### t where t_type like 'ssl%' group by devid, vd, remip, tunnelid) tt group by remote_ip having sum(traffic_in+traffic_out)>0 order by bandwidth desc

Dataset Name

Description

Log Category

webfilter-Web-Activity-Summary-By-Requests

Webfilter web activity summary by requests

webfilter

select 
  $flex_timescale(timestamp) as hodex, 
  sum(allowed_request) as allowed_request, 
  sum(blocked_request) as blocked_request 
from 
  ###(select $flex_timestamp as timestamp, sum(case when action!='blocked' then 1 else 0 end) as allowed_request, sum(case when action='blocked' then 1 else 0 end) as blocked_request from $log where $filter and (eventtype is null or logver>=52) group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

traffic-Browsing-Time-Summary

Traffic browsing time summary

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  cast(
    ebtr_value(
      ebtr_agg_flat(browsetime), 
      null, 
      $timespan
    )/ 60.0 as decimal(18, 2)
  ) as browsetime 
from 
  ###(select $flex_timestamp as timestamp, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

traffic-Browsing-Time-Summary-Enhanced

Traffic browsing time summary enhanced

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  cast(
    ebtr_value(
      ebtr_agg_flat(browsetime), 
      null, 
      $timespan
    )/ 60.0 as decimal(18, 2)
  ) as browsetime 
from 
  ###(select $flex_timestamp as timestamp, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

webfilter-Top-Web-Users-By-Blocked-Requests

Webfilter top web users by blocked requests

webfilter

select 
  user_src, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null and action='blocked' group by user_src /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by user_src order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Web-Users-By-Allowed-Requests

Webfilter top web users by allowed requests

webfilter

select 
  user_src, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null and action!='blocked' group by user_src /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by user_src order by requests desc

Dataset Name

Description

Log Category

traffic-Top-Web-Users-By-Browsing-Time

Traffic top web users by browsing time

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and $browse_time is not null group by user_src) t group by user_src /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

webfilter-Top-Blocked-Web-Sites-By-Requests

Webfilter top blocked web sites by requests

webfilter

select 
  domain, 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select hostname as domain, catdesc, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and hostname is not null and catdesc is not null and action='blocked' group by domain, catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by domain, catdesc order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Allowed-Web-Sites-By-Requests

Webfilter top allowed web sites by requests

webfilter

select 
  domain, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  sum(requests) as requests 
from 
  ###(select hostname as domain, catdesc, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and hostname is not null and catdesc is not null and action!='blocked' group by domain, catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by domain order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Video-Streaming-Websites-By-Bandwidth

Webfilter top video streaming websites by bandwidth usage

webfilter

select 
  domain, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select coalesce(nullifna(root_domain(hostname)), 'other') as domain, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc in ('Streaming Media and Download') group by domain having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain order by bandwidth desc

Dataset Name

Description

Log Category

webfilter-Top-Blocked-Web-Categories

Webfilter top blocked web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select catdesc, count(*) as requests from $log-webfilter where $filter and (eventtype is null or logver>=52) and catdesc is not null and action='blocked' group by catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by catdesc order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Allowed-Web-Categories

Webfilter top allowed web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select catdesc, count(*) as requests from $log-webfilter where $filter and (eventtype is null or logver>=52) and catdesc is not null and action!='blocked' group by catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by catdesc order by requests desc

Dataset Name

Description

Log Category

traffic-Top-50-Sites-By-Browsing-Time

Traffic top sites by browsing time

traffic

select 
  hostname, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-50-Sites-By-Browsing-Time-Enhanced

Traffic top sites by browsing time enhanced

traffic

select 
  hostname, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-10-Categories-By-Browsing-Time

Traffic top category by browsing time

traffic

select 
  catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and catdesc is not null and $browse_time is not null group by catdesc) t group by catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by catdesc order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-10-Categories-By-Browsing-Time-Enhanced

Traffic top category by browsing time enhanced

traffic

select 
  catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and catdesc is not null and $browse_time is not null group by catdesc) t group by catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by catdesc order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-Destination-Countries-By-Browsing-Time

Traffic top destination countries by browsing time

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-Destination-Countries-By-Browsing-Time-Enhanced

Traffic top destination countries by browsing time enhanced

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

webfilter-Top-Search-Phrases

Webfilter top search phrases

webfilter

select 
  keyword, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and keyword is not null 
group by 
  keyword 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-10-Users-Browsing-Time

Estimated browsing time

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

Top-10-Users-Browsing-Time-Enhanced

Estimated browsing time enhanced

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

Estimated-Browsing-Time

Estimated browsing time

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

Estimated-Browsing-Time-Enhanced

Estimated browsing time enhanced

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

wifi-Top-AP-By-Bandwidth

Top access point by bandwidth usage

traffic

select 
  coalesce(ap, srcintf) as ap_srcintf, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  ap_srcintf 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-AP-By-Client

Top access point by client

traffic

select 
  ap_srcintf as srcintf, 
  count(distinct srcmac) as totalnum 
from 
  ###(select coalesce(ap, srcintf) as ap_srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by ap_srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t group by srcintf order by totalnum desc

Dataset Name

Description

Log Category

wifi-Top-SSID-By-Bandwidth

Top SSIDs by bandwidth usage

traffic

select 
  srcssid, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcssid is not null 
group by 
  srcssid 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-SSID-By-Client

Top SSIDs by client

traffic

select 
  srcssid, 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t where srcssid is not null group by srcssid order by totalnum desc

Dataset Name

Description

Log Category

wifi-Top-App-By-Bandwidth

Top WiFi applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
  and nullifna(app) is not null 
group by 
  appid, 
  app 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-Client-By-Bandwidth

Top WiFi client by bandwidth usage

traffic

select 
  (
    coalesce(srcname, srcmac, 'unknown') || ' (' || coalesce(devtype, 'unknown') || ', ' || coalesce(osname, '') || (
      case when osversion is null then '' else ' ' || osversion end
    ) || ')'
  ) as client, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  client 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-OS-By-Bandwidth

Top WiFi os by bandwidth usage

traffic

select 
  (
    coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')
  ) as os, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  os 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-OS-By-WiFi-Client

Top WiFi os by WiFi client

traffic

select 
  (
    coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')
  ) as os, 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t group by os order by totalnum desc

Dataset Name

Description

Log Category

wifi-Top-Device-By-Bandwidth

Top WiFi device by bandwidth usage

traffic

select 
  devtype, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
  and devtype is not null 
group by 
  devtype 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-Device-By-Client

Top WiFi device by client

traffic

select 
  devtype, 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t where devtype is not null group by devtype order by totalnum desc

Dataset Name

Description

Log Category

wifi-Overall-Traffic

WiFi overall traffic

traffic

select 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  )

Dataset Name

Description

Log Category

wifi-Num-Distinct-Client

WiFi num distinct client

traffic

select 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t

Dataset Name

Description

Log Category

Top30-Subnets-by-Bandwidth-and-Sessions

Top subnets by application bandwidth

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  subnet 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Application-Bandwidth

Top applications by bandwidth

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  app_group_name(app) as app_group, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  subnet, 
  app_group 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Application-Sessions

Top applications by sessions

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  app_group_name(app) as app_group, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  subnet, 
  app_group 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Website-Bandwidth

Top websites and web category by bandwidth

traffic

select 
  subnet, 
  website, 
  sum(bandwidth) as bandwidth 
from 
  ###(select ip_subnet(`srcip`) as subnet, hostname as website, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by subnet, website order by bandwidth desc)### t group by subnet, website order by bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Website-Hits

Top websites and web category by sessions

webfilter

select 
  subnet, 
  website, 
  sum(hits) as hits 
from 
  ###(select ip_subnet(`srcip`) as subnet, hostname as website, count(*) as hits from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by subnet, website order by hits desc)### t group by subnet, website order by hits desc

Dataset Name

Description

Log Category

Top30-Subnets-with-Top10-User-by-Bandwidth

Top users by bandwidth

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcip is not null 
group by 
  subnet, 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-with-Top10-User-by-Sessions

Top users by sessions

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  subnet, 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

app-Top-20-Category-and-Applications-by-Bandwidth

Top category and applications by bandwidth usage

traffic

select 
  appcat, 
  app, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  appcat, 
  app 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

app-Top-20-Category-and-Applications-by-Session

Top category and applications by session

traffic

select 
  appcat, 
  app, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  appcat, 
  app 
order by 
  sessions desc

Dataset Name

Description

Log Category

app-Top-500-Allowed-Applications-by-Bandwidth

Top allowed applications by bandwidth usage

traffic

select 
  from_itime(itime) as timestamp, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  appcat, 
  app, 
  coalesce(
    root_domain(hostname), 
    ipstr(dstip)
  ) as destination, 
  sum(
    coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and action in ('accept', 'close', 'timeout') 
group by 
  timestamp, 
  user_src, 
  appcat, 
  app, 
  destination 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

app-Top-500-Blocked-Applications-by-Session

Top blocked applications by session

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  appcat, 
  app, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and action in (
    'deny', 'blocked', 'reset', 'dropped'
  ) 
group by 
  user_src, 
  appcat, 
  app 
order by 
  sessions desc

Dataset Name

Description

Log Category

web-Detailed-Website-Browsing-Log

Web detailed website browsing log

traffic

select 
  from_dtime(dtime) as timestamp, 
  catdesc, 
  hostname as website, 
  status, 
  sum(bandwidth) as bandwidth 
from 
  ###(select dtime, catdesc, hostname, cast(utmaction as text) as status, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by dtime, catdesc, hostname, utmaction order by dtime desc)### t group by dtime, catdesc, website, status order by dtime desc

Dataset Name

Description

Log Category

web-Hourly-Category-and-Website-Hits-Action

Web hourly category and website hits action

webfilter

select 
  hod, 
  website, 
  sum(hits) as hits 
from 
  ###(select $hour_of_day as hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') as website , count(*) as hits from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by hod, website order by hod, hits desc)### t group by hod, website order by hod, hits desc

Dataset Name

Description

Log Category

web-Top-20-Category-and-Websites-by-Bandwidth

Web top category and websites by bandwidth usage

traffic

select 
  website, 
  catdesc, 
  sum(bandwidth) as bandwidth 
from 
  ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by website, catdesc order by bandwidth desc)### t group by website, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

web-Top-20-Category-and-Websites-by-Session

Web top category and websites by session

webfilter

select 
  website, 
  catdesc, 
  sum(sessions) as hits 
from 
  ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by hostname, catdesc order by sessions desc)### t group by website, catdesc order by hits desc

Dataset Name

Description

Log Category

web-Top-500-Website-Sessions-by-Bandwidth

Web top website sessions by bandwidth usage

traffic

select 
  from_dtime(dtime) as timestamp, 
  user_src, 
  website, 
  catdesc, 
  cast(
    sum(dura)/ 60 as decimal(18, 2)
  ) as dura, 
  sum(bandwidth) as bandwidth 
from 
  ###(select dtime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname as website, catdesc, sum(coalesce(duration, 0)) as dura, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and hostname is not null and (logflag&1>0) and action in ('accept','close','timeout') group by dtime, user_src, website, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by dtime, user_src, website, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

web-Top-500-User-Visted-Websites-by-Bandwidth

Web top user visted websites by bandwidth usage

traffic

select 
  website, 
  catdesc, 
  sum(bandwidth) as bandwidth 
from 
  ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by hostname, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by website, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

web-Top-500-User-Visted-Websites-by-Session

Web top user visted websites by session

webfilter

select 
  website, 
  catdesc, 
  sum(sessions) as sessions 
from 
  ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by hostname, catdesc order by sessions desc)### t group by website, catdesc order by sessions desc

Dataset Name

Description

Log Category

fct-Installed-Feature-Summary

Installed Feature Summary

fct-event

select 
  clientfeature, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, os, fctver, clientfeature from $log where $filter group by hostname, os, fctver, clientfeature)### t where clientfeature is not null group by clientfeature order by totalnum desc

Dataset Name

Description

Log Category

fct-Device-by-Operating-System

Device by OS

fct-event

select 
  os, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, os, fctver, clientfeature from $log where $filter group by hostname, os, fctver, clientfeature)### t where os is not null group by os order by totalnum desc

Dataset Name

Description

Log Category

fct-Installed-FortiClient-Version

FortiClient Version

fct-event

select 
  fctver as fctver_short, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, os, fctver, clientfeature from $log where $filter group by hostname, os, fctver, clientfeature)### t where fctver is not null group by fctver order by totalnum desc

Dataset Name

Description

Log Category

fct-Endpoint-Profile-Deployment

Endpoint Profile Deployment

fct-event

select 
  profile, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, coalesce(nullifna(usingpolicy), 'No Profile') as profile from $log where $filter group by hostname, profile)### t group by profile order by totalnum desc

Dataset Name

Description

Log Category

fct-Client-Summary

Client Summary

fct-event

select 
  hostname, 
  deviceip, 
  os, 
  profile, 
  hostuser, 
  fctver, 
  from_itime(
    max(itime)
  ) as last_seen 
from 
  ###(select hostname, deviceip, os, nullifna(usingpolicy) as profile, nullifna(`user`) as hostuser, fctver, max(itime) as itime from $log where $filter and os is not null group by hostname, deviceip, os, profile, hostuser, fctver order by itime desc)### t group by hostname, deviceip, os, profile, hostuser, fctver order by last_seen desc

Dataset Name

Description

Log Category

fct-Total-Threats-Found

Total Threats Found

fct-traffic

select 
  utmevent_s as utmevent, 
  count(distinct threat) as totalnum 
from 
  ###(select coalesce(nullifna(lower(utmevent)), 'unknown') as utmevent_s, threat from $log where $filter and threat is not null and utmaction='blocked' group by utmevent_s, threat)### t group by utmevent order by totalnum desc

Dataset Name

Description

Log Category

fct-Top10-AV-Threats-Detected

Top AV Threats Detected

fct-traffic

select 
  threat, 
  sum(totalnum) as totalnum 
from 
  (
    ###(select threat, count(*) as totalnum from $log-fct-traffic where $filter and threat is not null and lower(utmevent)='antivirus' group by threat order by totalnum desc)### union all ###(select virus as threat, count(*) as totalnum from $log-fct-event where $filter and virus is not null group by threat order by totalnum desc)###) t group by threat order by totalnum desc

Dataset Name

Description

Log Category

fct-Top10-Infected-Devices-with-Botnet

Top Infected Devices with Botnet

fct-traffic

select 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and hostname is not null 
  and lower(utmevent) in ('webfilter', 'appfirewall') 
  and lower(threat) like '%botnet%' 
group by 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

fct-Top10-Infected-Devices-with-Virus-Malware

Top Infected Devices with Virus Malware

fct-traffic

select 
  hostname, 
  sum(totalnum) as totalnum 
from 
  (
    ###(select hostname, count(*) as totalnum from $log-fct-traffic where $filter and hostname is not null and lower(utmevent) in ('antivirus', 'antimalware') group by hostname order by totalnum desc)### union all ###(select hostname, count(*) as totalnum from $log-fct-event where $filter and hostname is not null and virus is not null group by hostname order by totalnum desc)###) t group by hostname order by totalnum desc

Dataset Name

Description

Log Category

fct-All-Antivirus-Antimalware-Detections

All Antivirus and Antimalware Detections

fct-traffic

select 
  threat, 
  hostname, 
  hostuser, 
  utmaction, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  (
    ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction order by threat)### union all ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction order by threat)###) t group by threat, hostname, hostuser, utmaction order by threat

Dataset Name

Description

Log Category

fct-Web-Filter-Violations

Web Filter Violations

fct-traffic

select 
  remotename, 
  hostname, 
  hostuser, 
  utmaction, 
  sum(total) as totalnum, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  ###(select remotename, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, count(*) as total, max(dtime) as dtime from $log where $filter and lower(utmevent)='webfilter' and utmaction='blocked' group by remotename, hostname, hostuser, utmaction order by total desc)### t group by remotename, hostname, hostuser, utmaction order by totalnum desc

Dataset Name

Description

Log Category

fct-Application-Firewall

Application Firewall

fct-traffic

select 
  threat, 
  hostname, 
  hostuser, 
  utmaction, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log where $filter and lower(utmevent)='appfirewall' and utmaction='blocked' group by threat, hostname, hostuser, utmaction order by dtime desc)### t1 left join app_mdata t2 on t1.threat=t2.name group by threat, risk, hostname, hostuser, utmaction order by risk desc

Dataset Name

Description

Log Category

fct-Errors-and-Alerts

Errors and Alerts

fct-event

select 
  msg, 
  hostname, 
  hostuser, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  ###(select msg, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, max(dtime) as dtime from $log where $filter and level in ('error', 'alert') group by msg, hostname, hostuser order by dtime desc)### t group by msg, hostname, hostuser order by last_seen desc

Dataset Name

Description

Log Category

fct-Threats-by-Top-Devices

Threats by Top Devices

fct-traffic

select 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and hostname is not null 
  and utmevent is not null 
  and utmaction = 'blocked' 
group by 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Device-Vulnerabilities

Vulnerabilities Detected by User/Device

fct-netscan

select 
  vulnseverity, 
  count(distinct vulnname) as totalnum 
from 
  ###(select vulnseverity, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname)### t group by vulnseverity order by totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Category-Type-Vulnerabilities

Vulnerabilities Detected by Category Type

fct-netscan

select 
  vulncat, 
  count(distinct vulnname) as totalnum 
from 
  ###(select vulncat, vulnname from $log where $filter and nullifna(vulncat) is not null and nullifna(vulnname) is not null group by vulncat, vulnname)### t group by vulncat order by totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Vulnerabilities-by-OS

Forticlient Vulnerabilities by OS

fct-netscan

select 
  os, 
  count(distinct vulnname) as totalnum 
from 
  ###(select os, vulnname from $log where $filter and nullifna(os) is not null and nullifna(vulnname) is not null group by os, vulnname)### t group by os order by totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Vulnerabilities-by-Risk-Level

Number Vulnerability by Device and Risk Level

fct-netscan

select 
  vulnseverity, 
  (
    case when vulnseverity = 'Critical' then 5 when vulnseverity = 'High' then 4 when vulnseverity = 'Medium' then 3 when vulnseverity = 'Low' then 2 when vulnseverity = 'Info' then 1 else 0 end
  ) as severity_number, 
  count(distinct vulnname) as vuln_num, 
  count(distinct devid) as dev_num 
from 
  ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null and nullifna(devid) is not null group by vulnseverity, vulnname, devid)### t group by vulnseverity order by dev_num desc, severity_number desc

Dataset Name

Description

Log Category

fct-vuln-Device-by-Risk-Level

Number Vulnerability by Device and Risk Level

fct-netscan

select 
  vulnseverity, 
  (
    case when vulnseverity = 'Critical' then 5 when vulnseverity = 'High' then 4 when vulnseverity = 'Medium' then 3 when vulnseverity = 'Low' then 2 when vulnseverity = 'Info' then 1 else 0 end
  ) as severity_number, 
  count(distinct vulnname) as vuln_num, 
  count(distinct devid) as dev_num 
from 
  ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null and nullifna(devid) is not null group by vulnseverity, vulnname, devid)### t group by vulnseverity order by dev_num desc, severity_number desc

Dataset Name

Description

Log Category

fct-vuln-Vulnerability-Trend

Vulnerability Trend

fct-netscan

select 
  $flex_timescale(timestamp) as hodex, 
  count(distinct vulnname) as total_num 
from 
  ###(select $flex_timestamp as timestamp, vulnname from $log where $filter and nullifna(vulnname) is not null group by timestamp, vulnname order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

fct-vuln-Details-by-Risk-Level-Device

Vulnerability Details for Each Risk Level by Device

fct-netscan

select 
  hostname, 
  os, 
  vulnseverity, 
  count(distinct vulnname) as vuln_num, 
  count(distinct products) as products, 
  count(distinct cve_id) as cve_count 
from 
  ###(select hostname, os, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and vulnseverity is not null and hostname is not null group by hostname, os, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, os, vulnseverity order by vuln_num desc, hostname

Dataset Name

Description

Log Category

fct-vuln-Details-by-Device-User

Vulnerability Details by Device User

fct-netscan

select 
  hostname, 
  (
    '<div style=word-break:normal>' || vulnname || '</div>'
  ) as vulnname, 
  vulnseverity, 
  vulncat, 
  string_agg(distinct products, ',') as products, 
  string_agg(distinct cve_id, ',') as cve_list, 
  (
    '<a href=' || String_agg(DISTINCT vendor_link, ',') || '>Remediation Info</a>'
  ) as vendor_link 
from 
  ###(select hostname, vulnname, vulnseverity, vulncat, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulncat, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity, vulncat order by hostname

Dataset Name

Description

Log Category

fct-vuln-Remediation-by-Device

Remediate The Vulnerability Found on Device

fct-netscan

select 
  hostname, 
  (
    '<div style=word-break:normal>' || vulnname || '</div>'
  ) as vulnname, 
  vulnseverity, 
  string_agg(distinct vendor_link, ',') as vendor_link 
from 
  ###(select hostname, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity order by vulnseverity, hostname

Dataset Name

Description

Log Category

fct-vuln-Remediation-by-Vulnerability

Remediation by Vulnerability

fct-netscan

select 
  (
    '<b>' || vulnname || '</b><br/><br/>' || 'Description<br/><div style=word-break:normal>' || description || '</div><br/><br/>' || 'Affected Products<br/>' || products || '<br/><br/>' || 'Impact<br/>' || impact || '<br/><br/>' || 'Recommended Actions<br/>' || vendor_link || '<br/><br/><br/>'
  ) as remediation 
from 
  ###(select devid, vulnname, vulnseverity, (case vulnseverity when 'low' then 1 when 'info' then 2 when 'medium' then 3 when 'high' then 4 when 'critical' then 5 else 0 end) as severity_level, vulnid from $log where $filter and vulnname is not null group by devid, vulnname, vulnseverity, severity_level, vulnid order by severity_level)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by remediation order by remediation

Dataset Name

Description

Log Category

fct-vuln-Top-30-Targeted-High-Risk-Vulnerabilities

Top 30 Targeted High Risk Vulnerabilities

fct-netscan

select 
  t3.cve_id, 
  score, 
  string_agg(distinct products, ',') as products, 
  (
    '<a href=' || String_agg(vendor_link, ',') || '>Mitigation Infomation</a>'
  ) as vendor_link 
from 
  ###(select vulnid from $log where $filter group by vulnid)### t1 inner join fct_mdata t2 on t2.vid=t1.vulnid::text inner join fct_cve_score t3 on strpos(t2.cve_id, t3.cve_id) > 0 group by t3.cve_id, score order by score desc, t3.cve_id

Dataset Name

Description

Log Category

os-Detect-OS-Count

Detected operation system count

traffic

select 
  (
    coalesce(osname, 'Unknown')
  ) as os, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  os 
order by 
  totalnum desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Sessions-Table

Drilldown top applications by session count

traffic

select 
  appid, 
  app, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Sessions-Bar

Drilldown top applications by session count

traffic

select 
  appid, 
  app, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Bandwidth-Table

Drilldown top applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Bandwidth-Bar

Drilldown top applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-Destination-By-Sessions-Table

Drilldown top destination by session count

traffic

select 
  dstip, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-Destination-By-Bandwidth-Table

Drilldown top destination by bandwidth usage

traffic

select 
  dstip, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Sessions-Table

Drilldown top user by session count

traffic

select 
  user_src, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Sessions-Bar

Drilldown top user by session count

traffic

select 
  user_src, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Bandwidth-Table

Drilldown top user by bandwidth usage

traffic

select 
  user_src, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Bandwidth-Bar

Drilldown top user by bandwidth usage

traffic

select 
  user_src, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-Web-User-By-Visit-Table

Drilldown top web user by visit

traffic

select 
  user_src, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and user_src is not null group by user_src order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Web-User-By-Visit-Bar

Drilldown top web user by visit

traffic

select 
  user_src, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and user_src is not null group by user_src order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Website-By-Request-Table

Drilldown top website by request

traffic

select 
  hostname, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and hostname is not null group by hostname order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Website-By-Request-Bar

Drilldown top website by request

traffic

select 
  hostname, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and hostname is not null group by hostname order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Sender-By-Volume

Drilldown top email sender by volume

traffic

select 
  sender, 
  sum(bandwidth) as volume 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Send-Recipient-By-Volume

Drilldown top email send recipient by volume

traffic

select 
  recipient, 
  sum(bandwidth) as volume 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Sender-By-Count

Drilldown top email sender by count

traffic

select 
  sender, 
  sum(requests) as requests 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Send-Recipient-By-Count

Drilldown top email send recipient by count

traffic

select 
  recipient, 
  sum(requests) as requests 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Recipient-By-Volume

Drilldown top email receiver by volume

traffic

select 
  recipient, 
  sum(bandwidth) as volume 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Receive-Sender-By-Volume

Drilldown top email receive sender by volume

traffic

select 
  sender, 
  sum(bandwidth) as volume 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Recipient-By-Count

Drilldown top email receiver by count

traffic

select 
  recipient, 
  sum(requests) as requests 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Receive-Sender-By-Count

Drilldown top email receive sender by count

traffic

select 
  sender, 
  sum(requests) as requests 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Attack-Destination

Drilldown top attack dest

attack

select 
  dstip, 
  sum(totalnum) as totalnum 
from 
  ###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-var group by srcip, dstip order by totalnum desc)### t where $filter-drilldown and dstip is not null group by dstip order by totalnum desc

Dataset Name

Description

Log Category

drilldown-Top-Attack-Source

Drilldown top attack source

attack

select 
  srcip, 
  sum(totalnum) as totalnum 
from 
  ###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-var group by srcip, dstip order by totalnum desc)### t where $filter-drilldown and srcip is not null group by srcip order by totalnum desc

Dataset Name

Description

Log Category

drilldown-Top-Attack-List

Drilldown top attack list

attack

select 
  from_itime(itime) as timestamp, 
  attack, 
  srcip, 
  dstip 
from 
  ###(select itime, attack, srcip, dstip from $log where $filter-exclude-var order by itime desc)### t where $filter-drilldown order by timestamp desc

Dataset Name

Description

Log Category

drilldown-Top-Virus

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

drilldown-Virus-Detail

Drilldown virus detail

virus

select 
  from_itime(itime) as timestamp, 
  virus, 
  user_src, 
  dstip, 
  hostname, 
  recipient 
from 
  ###(select itime, virus, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, dstip,  cast(' ' as char) as hostname, cast(' ' as char) as recipient from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null order by itime desc)### t where $filter-drilldown order by timestamp desc

Dataset Name

Description

Log Category

user-drilldown-Top-Blocked-Web-Sites-By-Requests

User drilldown top blocked web sites by requests

webfilter

select 
  hostname, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, action, count(*) as requests from $log where $filter and hostname is not null group by user_src, hostname, action order by requests desc)### t where $filter-drilldown and action='blocked' group by hostname order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Allowed-Web-Sites-By-Requests

User drilldown top allowed web sites by requests

webfilter

select 
  hostname, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, action, count(*) as requests from $log where $filter and hostname is not null group by user_src, hostname, action order by requests desc)### t where $filter-drilldown and action!='blocked' group by hostname order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Blocked-Web-Categories

User drilldown top blocked web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as requests from $log where $filter and catdesc is not null group by user_src, catdesc, action order by requests desc)### t where $filter-drilldown and action='blocked' group by catdesc order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Allowed-Web-Categories

User drilldown top allowed web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as requests from $log where $filter and catdesc is not null group by user_src, catdesc, action order by requests desc)### t where $filter-drilldown and action!='blocked' group by catdesc order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Attacks

User drilldown top attacks by name

attack

select 
  attack, 
  sum(attack_count) as attack_count 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack, high_severity order by attack_count desc)### t where $filter-drilldown group by attack order by attack_count desc

Dataset Name

Description

Log Category

user-drilldown-Top-Attacks-High-Severity

User drilldown top attacks high severity

attack

select 
  attack, 
  sum(attack_count) as attack_count 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack, high_severity order by attack_count desc)### t where $filter-drilldown and high_severity=1 group by attack order by attack_count desc

Dataset Name

Description

Log Category

user-drilldown-Top-Virus-By-Name

User drilldown top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by user_src, virus, virusid_s order by totalnum desc)### t where $filter-drilldown group by virus order by totalnum desc

Dataset Name

Description

Log Category

user-drilldown-Top-Virus-Receivers-Over-Email

User drilldown top virus receivers over email

virus

select 
  receiver, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `to` as receiver, count(*) as totalnum from $log where $filter and subtype='infected' and (service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') or service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')) and nullifna(virus) is not null group by user_src, receiver order by totalnum desc)### t where $filter-drilldown group by receiver order by totalnum desc

Dataset Name

Description

Log Category

user-drilldown-Count-Spam-Activity-by-Hour-of-Day

User drilldown count spam activity by hour of day

emailfilter

select 
  hourstamp, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, $hour_of_day as hourstamp, count(*) as totalnum from $log where $filter and `to` is not null and action in ('detected', 'blocked') group by user_src, hourstamp order by hourstamp)### t where $filter-drilldown group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

user-drilldown-Top-Spam-Sources

User drilldown top spam sources

emailfilter

select 
  mf_sender, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as mf_sender, count(*) as totalnum from $log where $filter and `from` is not null and action in ('detected', 'blocked') group by user_src, mf_sender order by totalnum desc)### t where $filter-drilldown group by mf_sender order by totalnum desc

Dataset Name

Description

Log Category

event-Usage-CPU

Event usage CPU

event

select 
  hourstamp, 
  cast(
    sum(cpu_usage)/ sum(num) as decimal(6, 2)
  ) as cpu_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

event-Usage-Memory

Event usage memory

event

select 
  hourstamp, 
  cast(
    sum(mem_usage)/ sum(num) as decimal(6, 2)
  ) as mem_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(mem) as mem_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

event-Usage-Sessions

Event usage sessions

event

select 
  hourstamp, 
  cast(
    sum(sess_usage)/ sum(num) as decimal(10, 2)
  ) as sess_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(totalsession) as sess_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

event-Usage-CPU-Sessions

Event usage CPU sessions

event

select 
  hourstamp, 
  cast(
    sum(sess_usage)/ sum(num) as decimal(10, 2)
  ) as sess_avg_usage, 
  cast(
    sum(cpu_usage)/ sum(num) as decimal(6, 2)
  ) as cpu_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, sum(totalsession) as sess_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

App-Risk-Top-Users-By-Bandwidth

Top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  srcip, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcip is not null 
group by 
  user_src, 
  srcip 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Top-User-Source-By-Sessions

Application risk top user source by session count

traffic

select 
  srcip, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcip is not null 
group by 
  srcip, 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

App-Risk-Top-Users-By-Reputation-Scores-Bar

Application risk reputation top users by scores

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  user_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

App-Risk-Top-Devices-By-Reputation-Scores

Application risk reputation top devices by scores

traffic

select 
  devtype, 
  coalesce(
    nullifna(`srcname`), 
    nullifna(`srcmac`), 
    ipstr(`srcip`)
  ) as dev_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  devtype, 
  dev_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

App-Risk-Application-Usage-By-Category-With-Pie

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-App-Usage-by-Category

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-20-Categories-By-Bandwidth

Webfilter categories by bandwidth usage

webfilter

select 
  catdesc, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by catdesc order by bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Key-Applications-Crossing-The-Network

Application risk application activity

traffic

select 
  app_group_name(app) as app_group, 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  count(*) as num_session 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group, 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Applications-Running-Over-HTTP

Application risk applications running over HTTP

traffic

select 
  app_group_name(app) as app_group, 
  service, 
  count(*) as sessions, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and service in (
    '80/tcp', '443/tcp', 'HTTP', 'HTTPS', 
    'http', 'https'
  ) 
group by 
  app_group, 
  service 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Top-Web-Sites-Visited-By-Network-Users-Pie-Cha

Application risk web browsing summary category

traffic

select 
  catdesc, 
  sum(num_sess) as num_sess, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc order by num_sess desc

Dataset Name

Description

Log Category

App-Risk-Top-Web-Sites-Visited-By-Network-Users

Application risk web browsing summary category

traffic

select 
  catdesc, 
  sum(num_sess) as num_sess, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc order by num_sess desc

Dataset Name

Description

Log Category

App-Risk-Web-Browsing-Hostname-Category

Application risk web browsing activity hostname category

webfilter

select 
  domain, 
  catdesc, 
  sum(visits) as visits 
from 
  ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*) as visits from $log where $filter and (eventtype is null or logver>=52) and catdesc is not null group by domain, catdesc order by visits desc)### t group by domain, catdesc order by visits desc

Dataset Name

Description

Log Category

Top-Destination-Countries-By-Browsing-Time

Traffic top destination countries by browsing time

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

Top-Destination-Countries-By-Browsing-Time-Enhanced

Traffic top destination countries by browsing time enhanced

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

App-Risk-Traffic-Top-Hostnames-By-Browsing-Time

Traffic top domains by browsing time

traffic

select 
  hostname, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname) t group by hostname /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

App-Risk-Traffic-Top-Hostnames-By-Browsing-Time-Enhanced

Traffic top domains by browsing time enhanced

traffic

select 
  hostname, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname) t group by hostname /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

App-Risk-Top-Threat-Vectors-Crossing-The-Network

Application risk top threat vectors

attack

select 
  severity, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
group by 
  severity 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Critical-Threat-Vectors-Crossing-The-Network

Application risk top critical threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'critical' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-High-Threat-Vectors-Crossing-The-Network

Application risk top high threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'high' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Medium-Threat-Vectors-Crossing-The-Network

Application risk top medium threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'medium' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Low-Threat-Vectors-Crossing-The-Network

Application risk top low threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'low' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Info-Threat-Vectors-Crossing-The-Network

Application risk top info threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'info' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Virus-By-Name

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Virus-Victim

UTM top virus user

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by user_src /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by user_src order by totalnum desc

Dataset Name

Description

Log Category

App-Risk-Data-Loss-Prevention-Type-Events

Application risk DLP UTM event

dlp

select 
  utmsubtype, 
  sum(number) as number 
from 
  ###(select subtype::text as utmsubtype, count(*) as number from $log where $filter and subtype is not null group by subtype order by number desc)### t group by utmsubtype order by number desc

Dataset Name

Description

Log Category

App-Risk-Vulnerability-Discovered

Application risk vulnerability discovered

netscan

select 
  vuln, 
  vulnref as ref, 
  vulncat, 
  severity, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and vuln is not null 
group by 
  vuln, 
  vulnref, 
  vulncat, 
  severity 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Malware-Discovered

Application risk virus discovered

virus

select 
  dom, 
  sum(totalnum) as totalnum 
from 
  ###(select $DAY_OF_MONTH as dom, count(*) as totalnum from $log where $filter and nullifna(virus) is not null and (eventtype is null or logver>=52) group by dom order by totalnum desc)### t group by dom order by totalnum desc

Dataset Name

Description

Log Category

App-Risk-Breakdown-Of-Risk-Applications

Application risk breakdown of risk applications

traffic

select 
  unnest(
    string_to_array(behavior, ',')
  ) as d_behavior, 
  count(*) as number 
from 
  $log t1 
  inner join app_mdata t2 on t1.appid = t2.id 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  d_behavior 
order by 
  number desc

Dataset Name

Description

Log Category

App-Risk-Number-Of-Applications-By-Risk-Behavior

Application risk number of applications by risk behavior

traffic

select 
  risk as d_risk, 
  unnest(
    string_to_array(behavior, ',')
  ) as f_behavior, 
  count(*) as number 
from 
  $log t1 
  inner join app_mdata t2 on t1.appid = t2.id 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  risk, 
  f_behavior 
order by 
  risk desc, 
  number desc

Dataset Name

Description

Log Category

App-Risk-High-Risk-Application

Application risk high risk application

traffic

select 
  risk as d_risk, 
  behavior as d_behavior, 
  t2.id, 
  t2.name, 
  t2.app_cat, 
  t2.technology, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  count(*) as sessions 
from 
  $log t1 
  inner join app_mdata t2 on t1.appid = t2.id 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and behavior is not null 
group by 
  t2.id 
order by 
  risk desc, 
  sessions desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Severe-High-Risk-Application

Severe and high risk applications

traffic

select 
  appcat, 
  count(distinct app) as total_num 
from 
  ###(select appcat, app from $log where $filter and app is not null and appcat is not null and (logflag&1>0) and apprisk in ('critical', 'high') group by appcat, app)### t group by appcat order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Threats-Prevention

Threat Prevention

app-ctrl

select 
  threat_name, 
  count(distinct threats) as total_num 
from 
  (
    ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, app as threats from $log-app-ctrl where $filter and lower(appcat)='botnet' group by app)### union all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, virus as threats from $log-virus where $filter and nullifna(virus) is not null group by virus)### union all ###(select cast('Malicious & Phishing Sites' as char(32)) as threat_name, hostname as threats from $log-webfilter where $filter and cat in (26, 61) group by hostname)### union all ###(select cast('Critical & High Intrusion Attacks' as char(32)) as threat_name, attack as total_num from $log-attack where $filter and severity in ('critical', 'high') group by attack)###) t group by threat_name order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Application-Vulnerability

Application vulnerabilities discovered

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  severity_number, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as sources, 
  sum(totalnum) as totalnum 
from 
  ###(select attack, attackid, vuln_type, t2.cve, (case when t1.severity='critical' then 5 when t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.severity='low' then 2 when t1.severity='info' then 1 else 0 end) as severity_number, dstip, srcip, count(*) as totalnum from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null and t1.severity is not null group by attack, attackid, vuln_type, t2.cve, t1.severity, dstip, srcip )### t group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Breakdown-Of-High-Risk-Application

Severe and high risk applications

traffic

select 
  appcat, 
  count(distinct app) as total_num 
from 
  ###(select appcat, app from $log where $filter and app is not null and appcat is not null and (logflag&1>0) and apprisk in ('critical', 'high') group by appcat, app)### t group by appcat order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Top-20-High-Risk-Application

Application risk high risk application

traffic

select 
  risk as d_risk, 
  count(distinct user_src) as users, 
  id, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select lower(app) as lowapp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by lowapp, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.lowapp=lower(t2.name) where risk>='4' group by id, name, app_cat, technology, risk order by d_risk desc, sessions desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-High-Risk-Application-Behavioral

Application Behavioral Characteristics

traffic

select 
  behavior, 
  round(
    sum(total_num)* 100 / sum(
      sum(total_num)
    ) over (), 
    2
  ) as percentage 
from 
  ###(select (case when lower(appcat)='botnet' then 'malicious' when lower(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('storage.backup', 'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p' then 'peer-to-peer' when lower(appcat)='proxy' then 'proxy' end) as behavior, count(*) as total_num from $log where $filter and lower(appcat) in ('botnet', 'remote.access', 'storage.backup', 'video/audio', 'p2p', 'proxy') and (logflag&1>0) and apprisk in ('critical', 'high') group by appcat)### t group by behavior order by percentage desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Key-Application-Crossing-The-Network

Key Application Crossing The Network

traffic

select 
  risk as d_risk, 
  count(distinct user_src) as users, 
  id, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by app, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name group by id, app, app_cat, technology, risk order by bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Risk-Application-Usage-By-Category-With-Pie

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Category-Breakdown-By-Bandwidth

Category breakdown of all applications, sorted by bandwidth

traffic

select 
  appcat, 
  count(distinct app) as app_num, 
  count(distinct f_user) as user_num, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as num_session 
from 
  ###(select appcat, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log where $filter and (logflag&1>0) and nullifna(appcat) is not null group by appcat, app, f_user)### t group by appcat order by bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Top-Web-Applications-by-Bandwidth

Top 25 Web Categories by Bandwidtih

traffic

select 
  d_risk, 
  id, 
  name, 
  technology, 
  count(distinct f_user) as user_num, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as num_session 
from 
  ###(select risk as d_risk, t2.id, t2.name, t2.technology, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by risk, t2.id, t2.name, t2.technology, f_user)### t group by d_risk, id, name, technology order by bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Top-Web-Categories-Visited

Top 25 Web Categories Visited

traffic

select 
  catdesc, 
  count(distinct f_user) as user_num, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Common-Virus-Botnet-Spyware

Common virus disvocered, the botnet communictions and the spyware/adware

traffic

select 
  virus_s as virus, 
  (
    case when lower(appcat)= 'botnet' then 'Botnet C&C' else (
      case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end
    ) end
  ) as malware_type, 
  appid, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, appid, dstip, srcip, app order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, appid, dstip, srcip, app order by total_num desc)###) t group by virus, appid, app, malware_type order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Zero-Day-Detected-On-Network

Zero-day malware detected on the network

traffic

select 
  virus_s, 
  appid, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select unnest(string_to_array(virus, ',')) as virus_s, appid, app, dstip, srcip, count(*) as total_num from $log where $filter and (logflag&1>0) and virus like '%PossibleThreat.SB%' group by virus_s, dstip, srcip, appid, app )### t where virus_s like '%PossibleThreat.SB%' group by virus_s, appid, app  order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Files-Analyzed-By-FortiCloud-Sandbox

Files analyzed by FortiCloud Sandbox

virus

select 
  $DAY_OF_MONTH as dom, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(filename) is not null 
  and logid_to_int(logid)= 9233 
group by 
  dom 
order by 
  dom

Dataset Name

Description

Log Category

Apprisk-Ctrl-Malicious-Files-Detected-By-FortiCloud-Sandbox

Files detected by FortiCloud Sandbox

virus

select 
  filename, 
  analyticscksum, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source 
from 
  ###(select filename, analyticscksum, dstip, srcip from $log where $filter and filename is not null and logid_to_int(logid)=9233 and analyticscksum is not null group by filename, analyticscksum, srcip, dstip)### t group by filename, analyticscksum order by victims desc, source desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-File-Transferred-By-Application

File transferred by applications on the network

app-ctrl

select 
  appid, 
  app, 
  filename, 
  cloudaction, 
  max(filesize) as filesize 
from 
  $log 
where 
  $filter 
  and filesize is not null 
  and clouduser is not null 
  and filename is not null 
group by 
  cloudaction, 
  appid, 
  app, 
  filename 
order by 
  filesize desc

Dataset Name

Description

Log Category

appctrl-Top-Blocked-SCCP-Callers

Appctrl top blocked SCCP callers

app-ctrl

select 
  srcname as caller, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and lower(appcat)= 'voip' 
  and app = 'sccp' 
  and action = 'block' 
  and srcname is not null 
group by 
  caller 
order by 
  totalnum desc

Dataset Name

Description

Log Category

appctrl-Top-Blocked-SIP-Callers

Appctrl top blocked SIP callers

app-ctrl

select 
  srcname as caller, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and srcname is not null 
  and lower(appcat)= 'voip' 
  and app = 'sip' 
  and action = 'block' 
group by 
  caller 
order by 
  totalnum desc

Dataset Name

Description

Log Category

security-Top20-High-Risk-Application-In-Use

High risk application in use

traffic

select 
  d_risk, 
  count(distinct f_user) as users, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select risk as d_risk, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth,  count(*) as sessions from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and risk>='4' and (logflag&1>0) group by f_user, t2.name, t2.app_cat, t2.technology, risk)### t group by d_risk, name, app_cat, technology order by d_risk desc, sessions desc

Dataset Name

Description

Log Category

security-High-Risk-Application-By-Category

High risk application by category

traffic

select 
  app_cat, 
  count(distinct app) as total_num 
from 
  ###(select app_cat, app from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and risk>='4' and (logflag&1>0) group by app_cat, app)### t group by app_cat order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Application-Categories-By-Bandwidth

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Security-Category-Breakdown-By-Bandwidth

Category breakdown of all applications, sorted by bandwidth

traffic

select 
  appcat, 
  count(distinct app) as app_num, 
  count(distinct f_user) as user_num, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as num_session 
from 
  ###(select appcat, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log where $filter and (logflag&1>0) and nullifna(appcat) is not null group by appcat, app, f_user)### t group by appcat order by bandwidth desc

Dataset Name

Description

Log Category

security-Top25-Web-Applications-By-Bandwidth

Top Web Applications by Bandwidtih

traffic

select 
  d_risk, 
  name, 
  app_cat, 
  technology, 
  count(distinct f_user) as users, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as sessions 
from 
  ###(select risk as d_risk, t2.app_cat, t2.name, t2.technology, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by risk, t2.app_cat, t2.name, t2.technology, f_user)### t group by d_risk, name, app_cat, technology order by bandwidth desc

Dataset Name

Description

Log Category

Security-Top25-Web-Categories-Visited

Top 25 Web Categories Visited

traffic

select 
  catdesc, 
  count(distinct f_user) as user_num, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc

Dataset Name

Description

Log Category

security-Top25-Malware-Virus-Botnet-Spyware

Malware: viruses, Bots, Spyware/Adware

traffic

select 
  virus_s as virus, 
  (
    case when lower(appcat)= 'botnet' then 'Botnet C&C' else (
      case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end
    ) end
  ) as malware_type, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, dstip, srcip order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, dstip, srcip order by total_num desc)###) t group by virus, malware_type order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Malware-Virus-Spyware

Malware: viruses, Spyware/Adware

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  malware_type, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, srcip, dstip, (case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end)  as malware_type, count(*) as total_num from $log where $filter and nullifna(virus) is not null group by virus, virusid_s, srcip, dstip order by total_num desc)### t group by virus, malware_type order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Malware-Botnet

Malware: Botnet

appctrl

select 
  app, 
  appid, 
  malware_type, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select app, appid, cast('Botnet C&C' as char(32)) as malware_type, srcip, dstip, count(*) as total_num from $log where $filter and lower(appcat)='botnet' and nullifna(app) is not null group by app, appid, malware_type, srcip, dstip order by total_num desc)### t group by app, appid, malware_type order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Victims-of-Malware

Victims of Malware

virus

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  virus as malware, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and virus is not null 
group by 
  user_src, 
  malware 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Top10-Victims-of-Phishing-Site

Victims of Phishing Site

webfilter

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  (
    lower(service) || '://' || hostname || url
  ) as phishing_site, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and lower(service) in ('http', 'https') 
  and hostname is not null 
  and cat in (26, 61) 
group by 
  user_src, 
  phishing_site 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Top25-Malicious-Phishing-Sites

Malicious Phishing Site

webfilter

select 
  phishing_site, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total) as total_num 
from 
  ###(select (lower(service) || '://' || hostname || url) as phishing_site, dstip, srcip, count(*) as total from $log where $filter and lower(service) in ('http', 'https') and hostname is not null and cat in (26, 61) group by phishing_site, dstip, srcip order by total desc)### t group by phishing_site order by total_num desc

Dataset Name

Description

Log Category

security-Application-Vulnerability

Application vulnerabilities discovered

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  severity_number, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as sources, 
  sum(totalnum) as totalnum 
from 
  ###(select attack, attackid, vuln_type, t2.cve, (case when t1.severity='critical' then 5 when t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.severity='low' then 2 when t1.severity='info' then 1 else 0 end) as severity_number, dstip, srcip, count(*) as totalnum from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null and t1.severity is not null group by attack, attackid, vuln_type, t2.cve, t1.severity, dstip, srcip )### t group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc

Dataset Name

Description

Log Category

security-Files-Analyzed-By-FortiCloud-Sandbox

Files analyzed by FortiCloud Sandbox

virus

select 
  $day_of_week as dow, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(filename) is not null 
  and logid_to_int(logid)= 9233 
group by 
  dow 
order by 
  dow

Dataset Name

Description

Log Category

Security-Zero-Day-Detected-On-Network

Zero-day malware detected on the network

traffic

select 
  virus_s, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select unnest(string_to_array(virus, ',')) as virus_s, app, dstip, srcip, count(*) as total_num from $log where $filter and (logflag&1>0) and virus like '%PossibleThreat.SB%' group by virus_s, dstip, srcip, app)### t group by virus_s, app order by total_num desc

Dataset Name

Description

Log Category

security-Data-Loss-Incidents-By-Severity

Data loss incidents summary by severity

dlp

select 
  initcap(severity : :text) as s_severity, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and severity is not null 
group by 
  s_severity 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Data-Loss-Files-By-Service

Data Lass Files By Service

dlp

select 
  filename, 
  (
    case direction when 'incoming' then 'Download' when 'outgoing' then 'Upload' end
  ) as action, 
  max(filesize) as filesize, 
  service 
from 
  $log 
where 
  $filter 
  and filesize is not null 
group by 
  filename, 
  direction, 
  service 
order by 
  filesize desc

Dataset Name

Description

Log Category

security-Endpoint-Security-Events-Summary

Endpoint Security Events summary

fct-traffic

select 
  (
    case utmevent when 'antivirus' then 'Malware incidents' when 'webfilter' then 'Malicious/phishing websites' when 'appfirewall' then 'Risk applications' when 'dlp' then 'Data loss incidents' when 'netscan' then 'Vulnerability detected' else 'Others' end
  ) as events, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and utmevent is not null 
group by 
  events 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Top-Endpoing-Running-High-Risk-Application

Endpoints Running High Risk Application

fct-traffic

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`srcip`), 
    'Unknown'
  ) as f_user, 
  coalesce(
    nullifna(hostname), 
    'Unknown'
  ) as host_name, 
  threat as app, 
  t2.app_cat as appcat, 
  risk as d_risk 
from 
  $log t1 
  inner join app_mdata t2 on t1.threat = t2.name 
where 
  $filter 
  and utmevent = 'appfirewall' 
  and risk & gt;= '4' 
group by 
  f_user, 
  host_name, 
  t1.threat, 
  t2.app_cat, 
  t2.risk 
order by 
  risk desc

Dataset Name

Description

Log Category

security-Top-Endpoints-Infected-With-Malware

Endpoints Infected With Malware

fct-event

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`deviceip`), 
    'Unknown'
  ) as f_user, 
  coalesce(
    nullifna(hostname), 
    'Unknown'
  ) as host_name, 
  virus, 
  file 
from 
  $log 
where 
  $filter 
  and clientfeature = 'av' 
  and virus is not null 
group by 
  f_user, 
  host_name, 
  virus, 
  file

Dataset Name

Description

Log Category

security-Top-Endpoints-With-Web-Violateions

Endpoints With Web Violations

fct-traffic

select 
  f_user, 
  host_name, 
  remotename, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, remotename, count(*) as total_num from $log where $filter and utmevent='webfilter' and remotename is not null and utmaction='blocked' group by f_user, host_name, remotename order by total_num desc)### t group by f_user, host_name, remotename order by total_num desc

Dataset Name

Description

Log Category

security-Top-Endpoints-With-Data-Loss-Incidents

Endpoints With Data Loss Incidents

fct-event

select 
  f_user, 
  host_name, 
  msg, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`deviceip`), 'Unknown') as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, msg, count(*) as total_num from $log where $filter and clientfeature='dlp' group by f_user, host_name, msg order by total_num desc)### t group by f_user, host_name, msg order by total_num desc

Dataset Name

Description

Log Category

content-Count-Total-SCCP-Call-Registrations-by-Hour-of-Day

Content count total SCCP call registrations by hour of day

content

select 
  $hour_of_day as hourstamp, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sccp' 
  and kind = 'register' 
group by 
  hourstamp 
order by 
  hourstamp

Dataset Name

Description

Log Category

content-Count-Total-SCCP-Calls-Duration-by-Hour-of-Day

Content count total SCCP calls duration by hour of day

content

select 
  $hour_of_day as hourstamp, 
  sum(duration) as sccp_usage 
from 
  $log 
where 
  $filter 
  and proto = 'sccp' 
  and kind = 'call-info' 
  and status = 'end' 
group by 
  hourstamp 
order by 
  hourstamp

Dataset Name

Description

Log Category

content-Count-Total-SCCP-Calls-per-Status

Content count total SCCP calls per status

content

select 
  status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sccp' 
  and kind = 'call-info' 
group by 
  status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

content-Count-Total-SIP-Call-Registrations-by-Hour-of-Day

Content count total SIP call registrations by hour of day

content

select 
  $hour_of_day as hourstamp, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sip' 
  and kind = 'register' 
group by 
  hourstamp 
order by 
  hourstamp

Dataset Name

Description

Log Category

content-Count-Total-SIP-Calls-per-Status

Content count total SIP calls per status

content

select 
  status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sip' 
  and kind = 'call' 
group by 
  status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

content-Dist-Total-SIP-Calls-by-Duration

Content dist total SIP calls by duration

content

select 
  (
    case when duration<60 then 'LESS_ONE_MIN' when duration<600 then 'LESS_TEN_MIN' when duration<3600 then 'LESS_ONE_HOUR' when duration & gt;= 3600 then 'MORE_ONE_HOUR' else 'unknown' end
  ) as f_duration, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sip' 
  and kind = 'call' 
  and status = 'end' 
group by 
  f_duration 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Botnet-Activity-By-Sources

Botnet activity by sources

traffic

select 
  app, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and nullifna(app) is not null 
group by 
  app, 
  user_src 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Infected-Hosts

Botnet infected hosts

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  coalesce(srcname, srcmac) as host_mac, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
group by 
  user_src, 
  devtype, 
  host_mac 
order by 
  events desc

Dataset Name

Description

Log Category

Detected-Botnet

Detected botnet

traffic

select 
  app, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and nullifna(app) is not null 
group by 
  app 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Sources

Botnet sources

traffic

select 
  dstip, 
  root_domain(hostname) as domain, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and dstip is not null 
group by 
  dstip, 
  domain 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Victims

Botnet victims

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and srcip is not null 
group by 
  user_src 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Timeline

Botnet timeline

traffic

select 
  $flex_datetime(timestamp) as hodex, 
  sum(events) as events 
from 
  (
    ###(select $flex_timestamp as timestamp, count(*) as events from $log where $filter and (logflag&1>0) and appcat='Botnet' group by timestamp order by timestamp desc)### union all ###(select $flex_timestamp as timestamp, count(*) as events from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp order by timestamp)###) t group by hodex order by hodex

Dataset Name

Description

Log Category

Application-Session-History

Application session history

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(counter) as counter 
from 
  ###(select $flex_timestamp as timestamp, count(*) as counter from $log where $filter and (logflag&1>0) group by timestamp order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Application-Usage-List

Detailed application usage

traffic

select 
  appid, 
  app, 
  appcat, 
  (
    case when (
      utmaction in ('block', 'blocked') 
      or action = 'deny'
    ) then 'Blocked' else 'Allowed' end
  ) as custaction, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  count(*) as num_session 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and policyid != 0 
group by 
  appid, 
  app, 
  appcat, 
  custaction 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

PCI-DSS-Compliance-Summary

PCI DSS Compliance Summary

event

select 
  status, 
  num_reason as requirements, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      (
        case when fail_count>0 then 'Non-Compliant' else 'Compliant' end
      ) as status, 
      count(distinct reason) as num_reason 
    from 
      (
        select 
          ftnt_pci_id, 
          (
            sum(fail_count) over (partition by ftnt_pci_id)
          ) as fail_count, 
          reason 
        from 
          ###(select ftnt_pci_id, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, result, reason)### t) t group by status) t order by status

Dataset Name

Description

Log Category

PCI-DSS-Non-Compliant-Requirements-By-Severity

PCI DSS Non-Compliant Requirements by Severity

event

with query as (
  select 
    * 
  from 
    (
      select 
        ftnt_pci_id, 
        severity, 
        (
          sum(fail_count) over (partition by ftnt_pci_id)
        ) as fail_count, 
        reason 
      from 
        ###(select ftnt_pci_id, t2.severity, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, t2.severity, result, reason)### t) t where fail_count>0) select t.severity, count(distinct t.reason) as requirements from (select distinct on (1) reason, severity from query order by reason, (case lower(severity) when 'high' then 4 when 'critical' then 3 when 'medium' then 2 when 'low' then 1 else 0 end) desc) t group by t.severity order by requirements desc

Dataset Name

Description

Log Category

PCI-DSS-Compliant-Requirements-By-Severity

PCI DSS Compliant Requirements by Severity

event

with query as (
  select 
    * 
  from 
    (
      select 
        ftnt_pci_id, 
        severity, 
        (
          sum(fail_count) over (partition by ftnt_pci_id)
        ) as fail_count, 
        reason 
      from 
        ###(select ftnt_pci_id, t2.severity, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, t2.severity, result, reason)### t) t where fail_count=0) select t.severity, count(distinct t.reason) as requirements from (select distinct on (1) reason, severity from query order by reason, (case lower(severity) when 'high' then 4 when 'critical' then 3 when 'medium' then 2 when 'low' then 1 else 0 end) desc) t group by t.severity order by requirements desc

Dataset Name

Description

Log Category

PCI-DSS-Fortinet-Security-Best-Practice-Summary

PCI DSS Fortinet Security Best Practice Summary

event

select 
  status, 
  num_reason as practices, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      (
        case when result = 'fail' then 'Failed' else 'Passed' end
      ) as status, 
      count(distinct reason) as num_reason 
    from 
      ###(select result, reason from $log where $filter and subtype='compliance-check' and result in ('fail','pass') group by result, reason)### t group by status) t order by status desc

Dataset Name

Description

Log Category

PCI-DSS-Failed-Fortinet-Security-Best-Practices-By-Severity

PCI DSS Failed Fortinet Security Best Practices by Severity

event

select 
  status, 
  num_reason as practices, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      initcap(status) as status, 
      count(distinct reason) as num_reason 
    from 
      ###(select status, reason from $log where $filter and subtype='compliance-check' and result='fail' group by status, reason)### t group by status) t order by status

Dataset Name

Description

Log Category

PCI-DSS-Passed-Fortinet-Security-Best-Practices-By-Severity

PCI DSS Passed Fortinet Security Best Practices by Severity

event

select 
  status, 
  num_reason as practices, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      initcap(status) as status, 
      count(distinct reason) as num_reason 
    from 
      ###(select status, reason from $log where $filter and subtype='compliance-check' and result='pass' group by status, reason)### t group by status) t order by status

Dataset Name

Description

Log Category

PCI-DSS-Requirements-Compliance-Details

PCI DSS Requirements Compliance Details

event

select 
  ftnt_pci_id, 
  left(
    string_agg(distinct ftnt_id, ','), 
    120
  ) as practice, 
  (
    case when sum(fail_count)& gt; 0 then 'Non-Compliant' else 'Compliant' end
  ) as compliance, 
  pci_requirement 
from 
  ###(select ftnt_pci_id, ftnt_id, (case when result='fail' then 1 else 0 end) as fail_count, pci_requirement from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, ftnt_id, result, pci_requirement)### t group by ftnt_pci_id, pci_requirement order by ftnt_pci_id

Dataset Name

Description

Log Category

PCI-DSS-Fortinet-Security-Best-Practice-Details

PCI DSS Fortinet Security Best Practice Details

event

select 
  reason as ftnt_id, 
  msg, 
  initcap(status) as status, 
  module 
from 
  $log 
where 
  $filter 
  and subtype = 'compliance-check' 
group by 
  reason, 
  status, 
  module, 
  msg 
order by 
  ftnt_id

Dataset Name

Description

Log Category

DLP-Email-Activity-Details

Email DLP Violations Summary

dlp

select 
  from_itime(itime) as timestamp, 
  `from` as sender, 
  `to` as receiver, 
  regexp_replace(filename, '.*/', '') as filename, 
  filesize, 
  profile, 
  action, 
  direction 
from 
  $log 
where 
  $filter 
  and (
    service in (
      'smtp', 'SMTP', '25/tcp', '587/tcp', 
      'smtps', 'SMTPS', '465/tcp'
    ) 
    or service in (
      'pop3', 'POP3', '110/tcp', 'imap', 
      'IMAP', '143/tcp', 'imaps', 'IMAPS', 
      '993/tcp', 'pop3s', 'POP3S', '995/tcp'
    )
  ) 
order by 
  timestamp desc

Dataset Name

Description

Log Category

Email-DLP-Chart

Email DLP Activity Summary

dlp

select 
  profile, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and (
    service in (
      'smtp', 'SMTP', '25/tcp', '587/tcp', 
      'smtps', 'SMTPS', '465/tcp'
    ) 
    or service in (
      'pop3', 'POP3', '110/tcp', 'imap', 
      'IMAP', '143/tcp', 'imaps', 'IMAPS', 
      '993/tcp', 'pop3s', 'POP3S', '995/tcp'
    )
  ) 
group by 
  profile 
order by 
  total_num desc

Dataset Name

Description

Log Category

DLP-Web-Activity-Details

Web DLP Violations Summary

dlp

select 
  from_itime(itime) as timestamp, 
  srcip, 
  dstip, 
  hostname, 
  profile, 
  filename, 
  filesize, 
  action, 
  direction 
from 
  $log 
where 
  $filter 
  and lower(service) in ('http', 'https') 
order by 
  timestamp desc

Dataset Name

Description

Log Category

Web-DLP-Chart

Web DLP Activity Summary

dlp

select 
  profile, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and lower(service) in ('http', 'https') 
group by 
  profile 
order by 
  total_num desc

Dataset Name

Description

Log Category

DLP-FTP-Activity-Details

Web DLP Violations Summary

dlp

select 
  from_itime(itime) as timestamp, 
  srcip, 
  dstip, 
  filename, 
  profile, 
  filesize, 
  action, 
  direction 
from 
  $log 
where 
  $filter 
  and lower(service) in ('ftp', 'ftps') 
order by 
  timestamp desc

Dataset Name

Description

Log Category

FTP-DLP-Chart

FTP DLP Activity Summary

dlp

select 
  profile, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and lower(service) in ('ftp', 'ftps') 
group by 
  profile 
order by 
  total_num desc

Dataset Name

Description

Log Category

top-users-by-browsetime

Top Users by website browsetime

traffic

select 
  user_src, 
  domain, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, domain, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and $browse_time is not null group by user_src, domain) t group by user_src, domain order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src, domain order by browsetime desc

Dataset Name

Description

Log Category

wifi-usage-by-hour-authenticated

Wifi Usage by Hour - Authenticated

event

select 
  hod, 
  count(distinct stamac) as totalnum 
from 
  ###(select $HOUR_OF_DAY as hod, stamac from $log where $filter and subtype='wireless' and action='client-authentication' group by hod, stamac)### t group by hod order by hod

Dataset Name

Description

Log Category

wifi-usage-authenticated-timeline

Wifi Usage Timeline - Authenticated

event

select 
  $flex_timescale(timestamp) as hodex, 
  count(distinct stamac) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, stamac from $log where $filter and subtype='wireless' and action='client-authentication' group by timestamp, stamac order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

app-top-user-by-bandwidth

Top 10 Applications Bandwidth by User Drilldown

traffic

select 
  app, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app, 
  user_src 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

app-top-user-by-session

Top 10 Application Sessions by User Drilldown

traffic

select 
  app, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app, 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

traffic-Interface-Bandwidth-Usage

Interface Bandwidth Usage

traffic

with qry as (
  select 
    dom as dom_s, 
    devid as devid_s, 
    vd as vd_s, 
    srcintf, 
    dstintf, 
    total_sent, 
    total_rcvd 
  from 
    ###(select $DAY_OF_MONTH as dom, devid, vd, srcintf, dstintf, sum(coalesce(sentbyte, 0)) as total_sent, sum(coalesce(rcvdbyte, 0)) as total_rcvd, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as total from $log where $filter and (logflag&1>0) and nullifna(srcintf) is not null and nullifna(dstintf) is not null group by dom, devid, vd, srcintf, dstintf having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by total desc)### t) select dom, unnest(array['download', 'upload']) as type, unnest(array[sum(download), sum(upload)]) as bandwidth from (select coalesce(t1.dom_s, t2.dom_s) as dom, coalesce(t1.devid_s, t2.devid_s) as devid, coalesce(t1.vd_s, t2.vd_s) as vd, coalesce(t1.srcintf, t2.dstintf) as intf, sum(coalesce(t1.total_sent, 0)+coalesce(t2.total_rcvd, 0)) as download, sum(coalesce(t2.total_sent, 0)+coalesce(t1.total_rcvd, 0)) as upload from qry t1 full join qry t2 on t1.dom_s=t2.dom_s and t1.srcintf=t2.dstintf group by dom, devid, vd, intf) t where $filter-drilldown group by dom order by dom

Dataset Name

Description

Log Category

ctap-SB-Files-Needing-Inspection-vs-Others

Files Needing Inspection vs Others

virus

select 
  (
    case when suffix in (
      'bat', 'cmd', 'exe', 'jar', 'msi', 'vbs', 
      '7z', 'zip', 'gzip', 'lzw', 'tar', 
      'rar', 'cab', 'doc', 'docx', 'xls', 
      'xlsx', 'ppt', 'pptx', 'pdf', 'swf', 
      'lnk', 'js'
    ) then 'Higher Risk File Types' else 'Excluded Files' end
  ) as files, 
  sum(total_num) as total_num 
from 
  ###({{FGT_DATASET_BASE_VIRUS_FSA_DETECTED_FILE_TYPES}})### t group by files order by total_num desc

Dataset Name

Description

Log Category

ctap-SB-Breakdown-of-File-Types

Breakdown of File Types

virus

select 
  (
    case when suffix in (
      'exe', 'msi', 'upx', 'vbs', 'bat', 'cmd', 
      'dll', 'ps1', 'jar'
    ) then 'Executable Files' when suffix in ('pdf') then 'Adobe PDF' when suffix in ('swf') then 'Adobe Flash' when suffix in (
      'doc', 'docx', 'rtf', 'dotx', 'docm', 
      'dotm', 'dot'
    ) then 'Microsoft Word' when suffix in (
      'xls', 'xlsx', 'xltx', 'xlsm', 'xlsb', 
      'xlam', 'xlt'
    ) then 'Microsoft Excel' when suffix in (
      'ppsx', 'ppt', 'pptx', 'potx', 'sldx', 
      'pptm', 'ppsm', 'potm', 'ppam', 'sldm', 
      'pps', 'pot'
    ) then 'Microsoft PowerPoint' when suffix in ('msg') then 'Microsoft Outlook' when suffix in ('htm', 'js', 'url', 'lnk') then 'Web Files' when suffix in (
      'cab', 'tgz', 'z', '7z', 'tar', 'lzh', 
      'kgb', 'rar', 'zip', 'gz', 'xz', 'bz2'
    ) then 'Archive Files' when suffix in ('apk') then 'Android Files' else 'Others' end
  ) as filetype, 
  sum(total_num) as total_num 
from 
  ###({{FGT_DATASET_BASE_VIRUS_FSA_DETECTED_FILE_TYPES}})### t group by filetype order by total_num desc

Dataset Name

Description

Log Category

ctap-SB-Top-Sandbox-Malicious-Exes

virus

select 
  (
    case fsaverdict when 'malicious' then 5 when 'high risk' then 4 when 'medium risk' then 3 when 'low risk' then 2 else 1 end
  ) as risk, 
  filename, 
  service, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and dtype = 'fortisandbox' 
  and file_name_ext(filename)= 'exe' 
  and fsaverdict not in ('clean', 'submission failed') 
group by 
  filename, 
  risk, 
  service 
order by 
  risk desc, 
  total_num desc, 
  filename

Dataset Name

Description

Log Category

ctap-SB-Sources-of-Sandbox-Discovered-Malware

Sources of Sandbox Discovered Malware

virus

select 
  srcip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and dtype = 'fortisandbox' 
  and nullifna(filename) is not null 
  and fsaverdict not in ('clean', 'submission failed') 
group by 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-High-Risk-Application

Application risk high risk application

traffic

select 
  risk as d_risk, 
  count(distinct user_src) as users, 
  id, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select lower(app) as lowapp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by lowapp, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.lowapp=lower(t2.name) where risk>='4' group by id, name, app_cat, technology, risk order by d_risk desc, sessions desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-Application-Vulnerability

Application vulnerabilities discovered

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  severity_number, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as sources, 
  sum(totalnum) as totalnum 
from 
  ###(select attack, attackid, vuln_type, t2.cve, (case when t1.severity='critical' then 5 when t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.severity='low' then 2 when t1.severity='info' then 1 else 0 end) as severity_number, dstip, srcip, count(*) as totalnum from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null and t1.severity is not null group by attack, attackid, vuln_type, t2.cve, t1.severity, dstip, srcip )### t group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-Common-Virus-Botnet-Spyware

Common Virus Botnet Spyware

app-ctrl

select 
  malware as virus, 
  (
    case when lower(appcat)= 'botnet' then 'Botnet C&C' else (
      case when malware like 'Riskware%' then 'Spyware' when malware like 'Adware%' then 'Adware' else 'Virus' end
    ) end
  ) as malware_type, 
  appid, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as malware, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by malware, appcat, appid, app, dstip, srcip, app order by total_num desc)### union all ###(select virus as malware, 'null' as appcat, 0 as appid, service as app, dstip, srcip, count(*) as total_num from $log-virus where $filter and virus is not null group by malware, appcat, app, appid, dstip, srcip order by total_num desc)###) t group by malware, malware_type, app, appid order by total_num desc

Dataset Name

Description

Log Category

ctap-App-Risk-Reputation-Top-Devices-By-Scores

Reputation Top Devices By-Scores

traffic

select 
  coalesce(
    nullifna(`srcname`), 
    ipstr(`srcip`), 
    nullifna(`srcmac`)
  ) as dev_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  dev_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

ctap-HTTP-SSL-Traffic-Ratio

HTTP SSL Traffic Ratio

traffic

select 
  (
    case when service in ('80/tcp', 'HTTP', 'http') then 'HTTP' else 'HTTPS' end
  ) as service, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and service in (
    '80/tcp', '443/tcp', 'HTTP', 'HTTPS', 
    'http', 'https'
  ) 
group by 
  service 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-Source-Countries

Top Source Countries

traffic

select 
  srccountry, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(srccountry) is not null 
  and srccountry & lt;& gt; 'Reserved' 
group by 
  srccountry 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc, 
  srccountry

Dataset Name

Description

Log Category

ctap-SaaS-Apps

CTAP SaaS Apps

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where behavior like '%Cloud%' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-IaaS-Apps

CTAP IaaS Apps

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Cloud.IT' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-RAS-Apps

CTAP RAS Apps

traffic

select 
  name as app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on t1.app_group=lower(t2.name) where app_cat='Remote.Access' group by name order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Proxy-Apps

CTAP Proxy Apps

traffic

select 
  name as app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on t1.app_group=lower(t2.name) where app_cat='Proxy' group by name order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-SocialMedia-App-By-Bandwidth

Top SocialMedia Applications by Bandwidth Usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-Streaming-App-By-Bandwidth

Top Streaming applications by bandwidth usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Video/Audio' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-Game-App-By-Bandwidth

Top Game applications by bandwidth usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Game' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-P2P-App-By-Bandwidth

Top P2P applications by bandwidth usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='P2P' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-Top-Web-Categories-Visited

Top 25 Web Categories Visited

traffic

select 
  catdesc, 
  count(distinct f_user) as user_num, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc

Dataset Name

Description

Log Category

ctap-App-Risk-Applications-Running-Over-HTTP

Application risk applications running over HTTP

traffic

select 
  app_group_name(app) as app_group, 
  service, 
  count(*) as sessions, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and service in (
    '80/tcp', '443/tcp', 'HTTP', 'HTTPS', 
    'http', 'https'
  ) 
group by 
  app_group, 
  service 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

ctap-App-Risk-Web-Browsing-Activity-Hostname-Category

Application risk web browsing activity hostname category

webfilter

select 
  domain, 
  catdesc, 
  sum(visits) as visits 
from 
  ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*) as visits from $log where $filter and (eventtype is null or logver>=52) and catdesc is not null group by domain, catdesc order by visits desc)### t group by domain, catdesc order by visits desc

Dataset Name

Description

Log Category

ctap-Top-Sites-By-Browsing-Time

Traffic top sites by browsing time

traffic

select 
  hostname, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

ctap-Average-Bandwidth-Hour

Average Bandwidth Hour

traffic

select 
  hourstamp, 
  sum(bandwidth)/ count(distinct daystamp) as bandwidth 
from 
  ###(select to_char(from_dtime(dtime), 'HH24:00') as hourstamp, to_char(from_dtime(dtime), 'DD Mon') as daystamp, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter group by hourstamp, daystamp having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

ctap-Top-Bandwidth-Hosts

Top Bandwidth Hosts

traffic

select 
  hostname, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log - traffic 
where 
  $filter 
  and hostname is not null 
  and (
    logflag&1>0
  ) 
group by 
  hostname 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )>0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

saas-Application-Discovered

All Applications Discovered on the Network

traffic

select 
  (
    case is_saas when 1 then 'SaaS Apps' else 'Other Apps' end
  ) as app_type, 
  count(distinct app_s) as total_num 
from 
  ###(select app_s, (case when saas_s>=10 then 1 else 0 end) as is_saas from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t group by app_s, is_saas)### t group by is_saas order by is_saas

Dataset Name

Description

Log Category

saas-SaaS-Application-by-Category

Number of SaaS Applications by Category

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsanctioned' end
  ) as saas_cat_str, 
  count(distinct app_s) as num_saas_app 
from 
  ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 1) group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-SaaS-Application-by-Bandwidth

Number of SaaS Applications by Bandwidth

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Tolerated' end
  ) as saas_cat_str, 
  sum(bandwidth) as bandwidth 
from 
  ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 2) group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-SaaS-Application-by-Session

Number of SaaS Applications by Session

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Tolerated' end
  ) as saas_cat_str, 
  sum(total_app) as total_app 
from 
  ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 2) group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-SaaS-App-Users-vs-Others

Number of Users of SaaS Apps vs Others

traffic

select 
  (
    case is_saas when 0 then 'Other Apps' else 'SaaS Apps' end
  ) as app_type, 
  count(distinct saasuser) as total_user 
from 
  ###(select saasuser, saas_s/10 as is_saas from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t group by saasuser, is_saas)### t group by app_type

Dataset Name

Description

Log Category

saas-SaaS-App-Users

Number of Users of SaaS Apps

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' when 1 then 'Unsanctioned' else 'Others' end
  ) as app_type, 
  count(distinct saasuser) as total_user 
from 
  ###(select saasuser, saas_s%10 as saas_cat from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t where saas_s>=10 group by saasuser, saas_cat)### t group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-Top-SaaS-User-by-Bandwidth-Session

Top SaaS Users by Bandwidth and Session

traffic

select 
  saasuser, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass, 
  count(distinct app_s) as total_app 
from 
  ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by saasuser, app_s order by bandwidth desc)### t group by saasuser order by bandwidth desc

Dataset Name

Description

Log Category

saas-Top-Category-by-SaaS-Application-Usage

Top Categories by SaaS Application Usage

traffic

select 
  app_cat, 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsactioned' end
  ) as saas_cat_str, 
  count(distinct app_s) as total_app 
from 
  ###(select app_s, saas_s%10 as saas_cat from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat)### t1 inner join app_mdata t2 on t1.app_s=t2.name where saas_cat in (0, 1) group by app_cat, saas_cat order by total_app desc

Dataset Name

Description

Log Category

saas-Top-SaaS-Category-by-Number-of-User

Top SaaS Categories by Number of Users

traffic

select 
  app_cat, 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsactioned' end
  ) as saas_cat_str, 
  count(distinct saasuser) as total_user 
from 
  ###(select app_s, saas_s%10 as saas_cat, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat, saasuser)### t1 inner join app_mdata t2 on t1.app_s=t2.name where saas_cat in (0, 1) group by app_cat, saas_cat order by total_user desc

Dataset Name

Description

Log Category

saas-Top-User-by-Number-of-SaaS-Application

Top Users by Number of SaaS Applications

traffic

select 
  saasuser, 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsactioned' end
  ) as saas_cat_str, 
  count(distinct app_s) as total_app 
from 
  ###(select app_s, saas_s%10 as saas_cat, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat, saasuser)### t where saas_cat in (0, 1) group by saasuser, saas_cat order by total_app desc

Dataset Name

Description

Log Category

saas-Top-SaaS-Application-by-Bandwidth-Session

Top SaaS Applications by Sessions and Bandwidth

traffic

select 
  t2.id as app_id, 
  app_s, 
  app_cat, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass 
from 
  ###(select app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_s)### t1 inner join app_mdata t2 on t1.app_s=t2.name group by app_id, app_s, app_cat order by bandwidth desc

Dataset Name

Description

Log Category

saas-Top-Tolerated-SaaS-Application-by-Bandwidth

Top Tolerated SaaS Applications by Bandwidth

traffic

select 
  app_s, 
  sum(sentbyte + rcvdbyte) as bandwidth 
from 
  (
    select 
      unnest(apps) as app_s, 
      unnest(saasinfo) as saas_s, 
      coalesce(sentbyte, 0) as sentbyte, 
      coalesce(rcvdbyte, 0) as rcvdbyte 
    from 
      $log 
    where 
      $filter 
      and apps is not null
  ) t 
where 
  saas_s = 12 
group by 
  app_s 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

saas-drilldown-Top-Tolerated-SaaS-Application

Top Tolerated SaaS Applications

traffic

select 
  app_s, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass 
from 
  ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s=12 group by saasuser, app_s order by bandwidth desc)### t where $filter-drilldown group by app_s order by bandwidth desc

Dataset Name

Description

Log Category

saas-Top-User-by-Tolerated-SaaS-Application-Drilldown

Top Users by Tolerated SaaS Applications

traffic

select 
  saasuser, 
  count(distinct app_s) as total_app 
from 
  ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s=12 group by saasuser, app_s order by bandwidth desc)### t group by saasuser order by total_app desc

Dataset Name

Description

Log Category

saas-drilldown-Top-File-Sharing-SaaS-Application-Detail

Top File Sharing SaaS Applications Detail

traffic

select 
  saasuser, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass 
from 
  ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t where $filter-drilldown group by saasuser order by sessions desc

Dataset Name

Description

Log Category

saas-Top-File-Sharing-SaaS-Application

Top File Sharing Applications

traffic

select 
  t2.id as appid, 
  (
    case t2.risk when '5' then 'Critical' when '4' then 'High' when '3' then 'Medium' when '2' then 'Info' else 'Low' end
  ) as risk, 
  app_group, 
  bandwidth, 
  traffic_in, 
  traffic_out, 
  sessions, 
  session_block, 
  session_pass, 
  total_user 
from 
  (
    select 
      app_group, 
      count(distinct saasuser) as total_user, 
      sum(bandwidth) as bandwidth, 
      sum(traffic_in) as traffic_in, 
      sum(traffic_out) as traffic_out, 
      sum(sessions) as sessions, 
      sum(session_block) as session_block, 
      (
        sum(sessions)- sum(session_block)
      ) as session_pass 
    from 
      ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t group by app_group) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where t2.app_cat='Storage.Backup' order by total_user desc, bandwidth desc

Dataset Name

Description

Log Category

saas-Top-File-Sharing-SaaS-Application-Drilldown

Top File Sharing Applications

traffic

select 
  t2.id as appid, 
  (
    case t2.risk when '5' then 'Critical' when '4' then 'High' when '3' then 'Medium' when '2' then 'Info' else 'Low' end
  ) as risk, 
  app_group, 
  bandwidth, 
  traffic_in, 
  traffic_out, 
  sessions, 
  session_block, 
  session_pass, 
  total_user 
from 
  (
    select 
      app_group, 
      count(distinct saasuser) as total_user, 
      sum(bandwidth) as bandwidth, 
      sum(traffic_in) as traffic_in, 
      sum(traffic_out) as traffic_out, 
      sum(sessions) as sessions, 
      sum(session_block) as session_block, 
      (
        sum(sessions)- sum(session_block)
      ) as session_pass 
    from 
      ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t group by app_group) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where t2.app_cat='Storage.Backup' order by total_user desc, bandwidth desc

Dataset Name

Description

Log Category

aware-Device-By-Location

Device by Location

traffic

select 
  'All' : :text as country, 
  count(distinct devid) as device_count 
from 
  ###(select devid from $log where $filter group by devid)### t

Dataset Name

Description

Log Category

aware-Network-Devices

Network Devices

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select hostname, os, srcip, max(itime) as max_itime from $log where $pre_period $filter and hostname is not null group by hostname, os, srcip order by max_itime desc)###; create temporary table rpt_tmptbl_2 as ###(select hostname, os, srcip, max(itime) as max_itime from $log where $filter and hostname is not null group by hostname, os, srcip order by max_itime desc)###; select 'Unseen Devices' as category, count(distinct hostname) as total_num from rpt_tmptbl_1 where not exists (select 1 from rpt_tmptbl_2 where rpt_tmptbl_1.hostname=rpt_tmptbl_2.hostname) union all select 'New Devices', count(distinct hostname) as total_num from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_1.hostname=rpt_tmptbl_2.hostname) union all select 'Seen Devices', count(distinct t1.hostname) as total_num from rpt_tmptbl_1 t1 inner join rpt_tmptbl_2 t2 on t1.hostname=t2.hostname

Dataset Name

Description

Log Category

aware-New-Devices

New Devices

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select hostname, os, max(srcip) as srcip, max(itime) as max_itime from $log where $pre_period $filter and hostname is not null group by hostname, os order by max_itime desc)###; create temporary table rpt_tmptbl_2 as ###(select hostname, os, max(srcip) as srcip, max(itime) as max_itime from $log where $filter and hostname is not null group by hostname, os order by max_itime desc)###; select from_itime(max(max_itime)) as timestamp, hostname, max(fctos_to_devtype(os)) as devtype, string_agg(distinct os, '/') as os_agg, max(srcip) as srcip from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.hostname=rpt_tmptbl_1.hostname) group by hostname order by timestamp desc

Dataset Name

Description

Log Category

aware-Top-Endpoint-Operating-Systems

Top Endpoint Operating Systems

fct-traffic

select 
  os1 as os, 
  count(distinct hostname) as total_num 
from 
  ###(select split_part(os, ',', 1) as os1, hostname from $log where $filter and nullifna(os) is not null group by os1, hostname)### t group by os order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Endpoint-Applications-Windows

Top Endpoint Applications Windows

fct-traffic

select 
  srcname1 as srcname, 
  count(distinct hostname) as total_num 
from 
  ###(select split_part(srcname, '.', 1) as srcname1, hostname from $log where $filter and nullifna(srcname) is not null and lower(os) like '%windows%' group by srcname, hostname)### t group by srcname order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Endpoint-Applications-Mac

Top Endpoint Applications Mac

fct-traffic

select 
  srcname1 as srcname, 
  count(distinct hostname) as total_num 
from 
  ###(select split_part(srcname, '.', 1) as srcname1, hostname from $log where $filter and nullifna(srcname) is not null and lower(os) like '%mac os%' group by srcname, hostname)### t group by srcname order by total_num desc

Dataset Name

Description

Log Category

aware-Top-SaaS-Application-by-Number-of-Users

Top SaaS Applications by Number of Users

traffic

select 
  app_group, 
  count(distinct saasuser) as total_user 
from 
  ###(select app_group_name(app_s) as app_group, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and (logflag&1>0) and apps is not null) t group by app_group, saasuser)### t group by app_group order by total_user desc

Dataset Name

Description

Log Category

aware-Summary-Of-Changes

Summary of Changes

event

select 
  regexp_replace(msg, '[^ ]*$', '') as msg_trim, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid)= 44547 
group by 
  msg_trim 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Change-Details

Change Details

event

select 
  $calendar_time as timestamp, 
  `user`, 
  ui, 
  msg 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid)= 44547 
order by 
  timestamp desc

Dataset Name

Description

Log Category

aware-Vulnerabilities-By-Severity

Vulnerabilities by Security

fct-netscan

select 
  vulnseverity, 
  count(distinct vulnname) as vuln_num 
from 
  ###(select vulnseverity, vulnname from $log where $filter and nullifna(vulnname) is not null and nullifna(vulnseverity) is not null group by vulnseverity, vulnname)### t group by vulnseverity order by vuln_num desc

Dataset Name

Description

Log Category

aware-Vulnerabilities-Trend

Vulnerabilities Trend

fct-netscan

select 
  $flex_timescale(timestamp) as timescale, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low 
from 
  ###(select $flex_timestamp as timestamp, sum(case when lower(vulnseverity) = 'critical' then 1 else 0 end) as critical, sum(case when lower(vulnseverity) = 'high' then 1 else 0 end) as high, sum(case when lower(vulnseverity) = 'medium' then 1 else 0 end) as medium, sum(case when lower(vulnseverity) = 'notice' then 1 else 0 end) as Low from $log where $filter group by timestamp order by timestamp desc)### t group by timescale order by timescale

Dataset Name

Description

Log Category

aware-Top-Critical-Vulnerabilities

Top Critical Vulnerabilities

fct-netscan

select 
  vulnname, 
  vulnseverity, 
  vulncat, 
  count(distinct hostname) as total_num 
from 
  ###(select hostname, vulnname, vulnseverity, vulncat, count(*) as total_num from $log where $filter and nullifna(vulnname) is not null and vulnseverity='Critical' group by hostname, vulnname, vulnseverity, vulncat order by total_num desc)### t group by vulnname, vulnseverity, vulncat order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Vulnerabilities-Last-Period

Top Vulnerabilities Last Period

fct-netscan

select 
  vulnname, 
  vulnseverity, 
  sev_num, 
  vulncat, 
  count(distinct hostname) as total_num 
from 
  ###(select hostname, vulnname, vulnseverity, (CASE vulnseverity WHEN 'Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END) as sev_num, vulncat, count(*) as total_num from $log where $pre_period $filter and nullifna(vulnname) is not null group by hostname, vulnname, vulnseverity, vulncat order by sev_num desc, total_num desc)### t group by vulnname, vulnseverity, sev_num, vulncat order by sev_num desc, total_num desc

Dataset Name

Description

Log Category

aware-Top-Device-Attack-Targets

Top Device Attack Targets

fct-netscan

select 
  hostname, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(hostname) is not null 
  and nullifna(vulnname) is not null 
group by 
  hostname 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Top-Attack-Targets

Top Attack Targets

fct-netscan

select 
  hostname, 
  srcip, 
  os, 
  vuln_num, 
  (
    CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END
  ) as vulnseverity, 
  sevid as severity_num, 
  left(cve_agg, 512) as cve_agg 
from 
  (
    select 
      hostname, 
      max(srcip) as srcip, 
      string_agg(distinct os1, '/') as os, 
      count(distinct vulnname) as vuln_num, 
      max(
        (
          CASE vulnseverity WHEN 'Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END
        )
      ) as sevid, 
      string_agg(distinct cve_id, ',') as cve_agg 
    from 
      ###(select hostname, max(deviceip) as srcip, split_part(os, ',', 1) as os1, vulnname, vulnseverity, vulnid from $log where $filter and nullifna(vulnname) is not null and nullifna(vulnseverity) is not null group by hostname, os1, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname) t order by severity_num desc, vuln_num desc

Dataset Name

Description

Log Category

aware-Threats-By-Severity

Threats by Severity

attack

select 
  initcap(sev) as severity, 
  sum(total_num) as total_num 
from 
  (
    ###(select crlevel::text as sev, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null  and crlevel is not null group by sev order by total_num desc)### union all ###(select severity::text as sev, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by sev order by total_num desc)### union all ###(select apprisk::text as sev, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' and apprisk is not null group by sev order by total_num desc)###) t group by severity order by total_num desc

Dataset Name

Description

Log Category

aware-Threats-Type-By-Severity

Threats Type by Severity

virus

select 
  threat_type, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low 
from 
  (
    ###(select (case when eventtype='botnet' then 'Botnets' else 'Malware' end) as threat_type, sum(case when crlevel = 'critical' then 1 else 0 end) as critical, sum(case when crlevel = 'high' then 1 else 0 end) as high, sum(case when crlevel = 'medium' then 1 else 0 end) as medium, sum(case when crlevel = 'low' then 1 else 0 end) as low from $log-virus where $filter and nullifna(virus) is not null group by threat_type)### union all ###(select 'Intrusions' as threat_type, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity = 'low' then 1 else 0 end) as low from $log-attack where $filter and nullifna(attack) is not null group by threat_type)### union all ###(select 'Botnets' as threat_type, sum(case when apprisk = 'critical' then 1 else 0 end) as critical, sum(case when apprisk = 'high' then 1 else 0 end) as high, sum(case when apprisk = 'medium' then 1 else 0 end) as medium, sum(case when apprisk = 'low' then 1 else 0 end) as low from $log-app-ctrl where $filter and lower(appcat)='botnet' group by threat_type)###) t group by threat_type

Dataset Name

Description

Log Category

aware-Threats-By-Day

Threats by Day

virus

select 
  daystamp, 
  sum(total_num) as total_num 
from 
  (
    ###(select $day_of_week as daystamp, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by daystamp)###) t group by daystamp order by daystamp

Dataset Name

Description

Log Category

aware-Threats-By-Day-Radar

Threats by Day

virus

select 
  daystamp, 
  sum(total_num) as total_num 
from 
  (
    ###(select $day_of_week as daystamp, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by daystamp)###) t group by daystamp order by daystamp

Dataset Name

Description

Log Category

aware-Count-Of-Malware-Events

Count of Malware Events

virus

select 
  virus, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(virus) is not null 
group by 
  virus 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Top-Malware-By-Count

Top Malware by Count

app-ctrl

select 
  virus, 
  malware_type, 
  risk_level, 
  count(distinct dstip) as victim, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as virus, 'Botnet C&C' as malware_type, apprisk::text as risk_level, dstip, srcip, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' and apprisk is not null group by app, malware_type, apprisk, dstip, srcip order by total_num desc)### union all ###(select virus, (case when eventtype='botnet' then 'Botnet C&C' else 'Virus' end) as malware_type, crlevel::text as risk_level, dstip, srcip, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null and crlevel is not null group by virus, malware_type, crlevel, dstip, srcip order by total_num desc)###) t group by virus, malware_type, risk_level order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Failed-Login-Attempts

Top Failed Login Attempts

event

select 
  `user` as f_user, 
  ui, 
  dstip, 
  count(status) as total_failed 
from 
  $log 
where 
  $filter 
  and nullifna(`user`) is not null 
  and logid_to_int(logid) = 32002 
group by 
  ui, 
  f_user, 
  dstip 
order by 
  total_failed desc

Dataset Name

Description

Log Category

aware-Top-Failed-Authentication-Attempts

VPN failed logins

event

select 
  f_user, 
  tunneltype, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype='ipsec' or left(tunneltype, 3)='ssl') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Denied-Connections

Top Denied Connections

traffic

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`srcip`)
  ) as user_src, 
  service || '(' || ipstr(srcip) || ')' as interface, 
  dstip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and action = 'deny' 
group by 
  user_src, 
  interface, 
  dstip 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Failed-Compliance-Checked-By-Device

Failed Compliance Checked by Device

event

select 
  devid, 
  'Failed' as results, 
  count(distinct reason) as total_num 
from 
  ###(select devid, reason from $log where $filter and subtype='compliance-check' and result='fail' group by devid, reason)### t group by devid, results order by total_num desc

Dataset Name

Description

Log Category

aware-Ioc-Blacklist-Summary

IOC Blacklist Summary

app-ctrl

select 
  coalesce(
    nullifna(epname), 
    nullifna(
      ipstr(`srcip`)
    ), 
    'Unknown'
  ) as epname, 
  sevid, 
  (
    CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END
  ) as severity, 
  total_bl, 
  threats 
from 
  (
    select 
      t1.epname, 
      t1.srcip, 
      t2.total_bl, 
      t2.total_cs, 
      (t2.max_verdict + 1) as sevid, 
      t2.max_cs, 
      t2.threats 
    from 
      $ADOMTBL_PLHD_PBD_EP t1 
      inner join (
        select 
          epid, 
          sum(bl_count) as total_bl, 
          sum(cs_count) as total_cs, 
          max(verdict) as max_verdict, 
          max(cs_score) as max_cs, 
          string_agg(distinct t2.name, ',') as threats 
        from 
          (
            select 
              epid, 
              bl_count, 
              cs_count, 
              verdict, 
              cs_score, 
              unnest(threatid) as thid 
            from 
              $ADOMTBL_PLHD_PBD_STSUM
          ) t1 
          inner join td_threat_name_mdata t2 on t1.thid = t2.id 
        group by 
          epid
      ) t2 on t1.epid = t2.epid
  ) t 
where 
  total_bl>0 
order by 
  total_bl desc

Dataset Name

Description

Log Category

aware-Ioc-Potential-Breach-By-Day

IOC Potential Breach by Day

app-ctrl

select 
  number, 
  to_char(
    from_itime(day_st), 
    'Day'
  ) as itime 
from 
  (
    select 
      count(epid) as number, 
      day_st 
    from 
      $ADOMTBL_PLHD_PBD_STSUM 
    where 
      cs_count>0 
    group by 
      day_st 
    limit 
      7
  ) t 
order by 
  itime

Dataset Name

Description

Log Category

aware-Ioc-Potential-Breach-By-Day-Bar

IOC Potential Breach by Day

app-ctrl

select 
  number, 
  to_char(
    from_itime(day_st), 
    'Day'
  ) as itime 
from 
  (
    select 
      count(epid) as number, 
      day_st 
    from 
      $ADOMTBL_PLHD_PBD_STSUM 
    where 
      cs_count>0 
    group by 
      day_st 
    limit 
      7
  ) t 
order by 
  itime

Dataset Name

Description

Log Category

aware-Ioc-Suspicion-Summary

IOC Suspicion Summary

app-ctrl

select 
  coalesce(
    nullifna(epname), 
    nullifna(
      ipstr(`srcip`)
    ), 
    'Unknown'
  ) as epname, 
  total_cs, 
  max_cs, 
  max_verdict, 
  threats 
from 
  (
    select 
      t1.epname, 
      t1.srcip, 
      t2.total_bl, 
      t2.total_cs, 
      t2.max_verdict, 
      t2.max_cs, 
      t2.threats 
    from 
      $ADOMTBL_PLHD_PBD_EP t1 
      inner join (
        select 
          epid, 
          sum(bl_count) as total_bl, 
          sum(cs_count) as total_cs, 
          max(verdict) as max_verdict, 
          max(cs_score) as max_cs, 
          string_agg(distinct t2.name, ',') as threats 
        from 
          (
            select 
              epid, 
              bl_count, 
              cs_count, 
              verdict, 
              cs_score, 
              unnest(threatid) as thid 
            from 
              $ADOMTBL_PLHD_PBD_STSUM
          ) t1 
          inner join td_threat_name_mdata t2 on t1.thid = t2.id 
        group by 
          epid
      ) t2 on t1.epid = t2.epid
  ) t 
where 
  total_bl = 0 
  and total_cs>0 
order by 
  max_verdict desc, 
  max_cs desc, 
  total_cs desc

Dataset Name

Description

Log Category

newthing-New-Users

New users

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, min(dtime) as start_time from $log where $pre_period $filter group by f_user order by start_time desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, min(dtime) as start_time from $log where $filter group by f_user order by start_time desc)###; select f_user, from_dtime(min(start_time)) as start_time from rpt_tmptbl_2 where f_user is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.f_user=rpt_tmptbl_1.f_user) group by f_user order by start_time desc

Dataset Name

Description

Log Category

newthing-New-Devices

New devices

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select hostname, os, srcip, fctver from $log where $pre_period $filter and hostname is not null group by hostname, os, srcip, fctver order by hostname)###; create temporary table rpt_tmptbl_2 as ###(select hostname, os, srcip, fctver from $log where $filter and hostname is not null group by hostname, os, srcip, fctver order by hostname)###; select hostname, max(fctos_to_devtype(os)) as devtype, string_agg(distinct os, '/') as os_agg, string_agg(distinct ipstr(srcip), '/') as srcip_agg, string_agg(distinct fctver, '/') as fctver_agg from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.hostname=rpt_tmptbl_1.hostname) group by hostname order by hostname

Dataset Name

Description

Log Category

newthing-New-Software-Installed

New software installed

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select srcproduct, hostname from $log where $pre_period $filter and nullifna(srcproduct) is not null group by srcproduct, hostname order by srcproduct)###; create temporary table rpt_tmptbl_2 as ###(select srcproduct, hostname from $log where $filter and nullifna(srcproduct) is not null group by srcproduct, hostname order by srcproduct)###; select srcproduct, string_agg(distinct hostname, ',') as host_agg from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.srcproduct=rpt_tmptbl_1.srcproduct) group by srcproduct order by srcproduct

Dataset Name

Description

Log Category

newthing-New-Security-Threats

New security threats

virus

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as 
select 
  * 
from 
  (
    ###(select app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $pre_period $filter and nullifna(app) is not null and lower(appcat)='botnet' group by threat_name, cat_id, srcip)### union all ###(select virus as threat_name, 2 as cat_id, srcip from $log-virus where $pre_period $filter and nullifna(virus) is not null group by threat_name, cat_id, srcip)### union all ###(select attack as threat_name, 3 as cat_id, srcip from $log-attack where $pre_period $filter and nullifna(attack) is not null group by threat_name, cat_id, srcip)###) t; create temporary table rpt_tmptbl_2 as select * from (###(select $DAY_OF_MONTH as daystamp, app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $filter and nullifna(app) is not null and lower(appcat)='botnet' group by daystamp, threat_name, cat_id, srcip order by daystamp)### union all ###(select $DAY_OF_MONTH as daystamp, virus as threat_name, 2 as cat_id, srcip from $log-virus where $filter and nullifna(virus) is not null group by daystamp, threat_name, cat_id, srcip order by daystamp)### union all ###(select $DAY_OF_MONTH as daystamp, attack as threat_name, 3 as cat_id, srcip from $log-attack where $filter and nullifna(attack) is not null group by daystamp, threat_name, cat_id, srcip order by daystamp)###) t; select threat_name, (case cat_id when 1 then 'Botnet' when 2 then 'Malware' when 3 then 'Attack' end) as threat_cat, count(distinct srcip) as host_num, string_agg(distinct cve, ',') as cve_agg from rpt_tmptbl_2 left join ips_mdata t2 on rpt_tmptbl_2.threat_name=t2.name where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.threat_name=rpt_tmptbl_1.threat_name) group by threat_name, threat_cat order by host_num desc

Dataset Name

Description

Log Category

newthing-dns-Botnet-Domain-IP

New Queried Botnet C&C Domains and IPs

dns

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $pre_period $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)###; select domain, srcip, sevid, (CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END) as severity from rpt_tmptbl_2 where (domain is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.domain=rpt_tmptbl_1.domain)) or (srcip is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.srcip=rpt_tmptbl_1.srcip)) group by domain, srcip, sevid order by sevid desc, domain

Dataset Name

Description

Log Category

newthing-New-Security-Threats-Timeline

New security threats timeline

virus

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as 
select 
  * 
from 
  (
    ###(select app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $pre_period $filter and nullifna(app) is not null and lower(appcat)='botnet' group by threat_name, cat_id, srcip)### union all ###(select virus as threat_name, 2 as cat_id, srcip from $log-virus where $pre_period $filter and nullifna(virus) is not null group by threat_name, cat_id, srcip)### union all ###(select attack as threat_name, 3 as cat_id, srcip from $log-attack where $pre_period $filter and nullifna(attack) is not null group by threat_name, cat_id, srcip)###) t; create temporary table rpt_tmptbl_2 as select * from (###(select $flex_timestamp as timestamp, app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $filter and nullifna(app) is not null and lower(appcat)='botnet' group by timestamp, threat_name, cat_id, srcip order by timestamp)### union all ###(select $flex_timestamp as timestamp, virus as threat_name, 2 as cat_id, srcip from $log-virus where $filter and nullifna(virus) is not null group by timestamp, threat_name, cat_id, srcip order by timestamp)### union all ###(select $flex_timestamp as timestamp, attack as threat_name, 3 as cat_id, srcip from $log-attack where $filter and nullifna(attack) is not null group by timestamp, threat_name, cat_id, srcip order by timestamp)###) t; select $flex_datetime(timestamp) as timescale, count(distinct srcip) as host_num, (case cat_id when 1 then 'Botnet' when 2 then 'Malware' when 3 then 'Attack' end) as threat_cat from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.threat_name=rpt_tmptbl_1.threat_name) group by timescale, cat_id order by timescale, cat_id

Dataset Name

Description

Log Category

newthing-New-Vulnerability

New vulnerabilities

fct-netscan

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $pre_period $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; create temporary table rpt_tmptbl_2 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; select vulnname, (case when vulnseverity='Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as sev, vulnseverity, vulncat, count(distinct hostname) as host_num, cve_id from rpt_tmptbl_2 t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int where not exists (select 1 from rpt_tmptbl_1 where t1.vulnid=rpt_tmptbl_1.vulnid) group by vulnname, sev, vulnseverity, vulncat, cve_id order by sev desc, host_num desc

Dataset Name

Description

Log Category

newthing-New-Vulnerability-Graph

New vulnerabilities (Graph)

fct-netscan

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $pre_period $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; create temporary table rpt_tmptbl_2 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; select vulnseverity, count (distinct vulnid) as vuln_num from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.vulnid=rpt_tmptbl_1.vulnid) group by vulnseverity order by (case when vulnseverity='Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) desc

Dataset Name

Description

Log Category

newthing-System-Alerts

System Alerts

local-event

select 
  from_itime(itime) as timestamp, 
  msg 
from 
  $log 
where 
  $filter 
  and msg is not null 
  and pri = 'critical' 
order by 
  timestamp desc

Dataset Name

Description

Log Category

newthing-Configuration-Changes

Configuration Changes

event

select 
  `user` as f_user, 
  devid, 
  from_dtime(dtime) as time_s, 
  ui, 
  msg 
from 
  $log 
where 
  $filter 
  and cfgtid>0 
order by 
  time_s desc

Dataset Name

Description

Log Category

newthing-FortiGate-Upgrades

FortiGate Upgrades

event

select 
  devid, 
  from_dtime(dtime) as time_s, 
  info[1] as intf, 
  info[2] as prev_ver, 
  info[3] as new_ver 
from 
  (
    select 
      devid, 
      dtime, 
      regexp_matches(
        msg, 'from ([^ ]+) \\(([^ ]+) -> ([^)]+)\\)'
      ) as info 
    from 
      $log 
    where 
      $filter 
      and action = 'restore-image'
  ) t 
order by 
  time_s desc

Dataset Name

Description

Log Category

newthing-User-Upgrades

User Upgrades

fct-event

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select distinct on (1, 2) fgtserial, hostname, deviceip, os, dtime from $log where $pre_period $filter and hostname is not null order by fgtserial, hostname, dtime desc)###; create temporary table rpt_tmptbl_2 as ###(select distinct on (1, 2) fgtserial, hostname, deviceip, os, dtime from $log where $filter and hostname is not null order by fgtserial, hostname, dtime desc)###; select distinct on (1, 2) t2.fgtserial as devid, t2.hostname, t2.deviceip, t1.os as prev_os, t2.os as cur_os, from_dtime(t1.dtime) as time_s from rpt_tmptbl_2 t2 inner join rpt_tmptbl_1 t1 on t2.fgtserial=t1.fgtserial and t2.hostname=t1.hostname and t2.os!=t1.os order by devid, t2.hostname, t1.dtime desc

Dataset Name

Description

Log Category

GTP-List-of-APN-Used

List of APNs Used

gtp

select 
  apn, 
  from_dtime(
    min(first_seen)
  ) as first_seen, 
  from_dtime(
    max(last_seen)
  ) as last_seen 
from 
  ###(select apn, min(dtime) as first_seen, max(dtime) as last_seen from $log where $filter and nullifna(apn) is not null group by apn order by last_seen desc)### t group by apn order by last_seen desc, first_seen

Dataset Name

Description

Log Category

GTP-Top-APN-by-Bytes

Top APNs by Bytes

gtp

select 
  apn, 
  sum(
    coalesce(`u-bytes`, 0)
  ) as total_bytes 
from 
  $log 
where 
  $filter 
  and nullifna(apn) is not null 
  and status = 'traffic-count' 
group by 
  apn 
having 
  sum(
    coalesce(`u-bytes`, 0)
  )& gt; 0 
order by 
  total_bytes desc

Dataset Name

Description

Log Category

GTP-Top-APN-by-Duration

Top APNs by Duration

gtp

select 
  apn, 
  sum(
    coalesce(duration, 0)
  ) as total_dura 
from 
  $log 
where 
  $filter 
  and nullifna(apn) is not null 
  and status = 'traffic-count' 
group by 
  apn 
having 
  sum(
    coalesce(duration, 0)
  )>0 
order by 
  total_dura desc

Dataset Name

Description

Log Category

GTP-Top-APN-by-Packets

Top APNs by Number of Packets

gtp

select 
  apn, 
  sum(
    coalesce(`u-pkts`, 0)
  ) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(apn) is not null 
  and status = 'traffic-count' 
group by 
  apn 
having 
  sum(
    coalesce(`u-pkts`, 0)
  )& gt; 0 
order by 
  total_num desc

Dataset Name

Description

Log Category

Top10-dns-Botnet-Domain-IP

Top Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  malware_type, 
  action, 
  count(distinct srcip) as victims, 
  count(distinct sources_s) as sources, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc

Dataset Name

Description

Log Category

dns-Botnet-Usage

Top Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  malware_type, 
  action, 
  count(distinct srcip) as victims, 
  count(distinct sources_s) as sources, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc

Dataset Name

Description

Log Category

Dns-Detected-Botnet

Top Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  malware_type, 
  action, 
  count(distinct srcip) as victims, 
  count(distinct sources_s) as sources, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc

Dataset Name

Description

Log Category

dns-Botnet-Domain-IP

Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  srcip, 
  sevid, 
  (
    CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END
  ) as severity 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, srcip, sevid order by sevid desc, domain

Dataset Name

Description

Log Category

dns-High-Risk-Source

High Risk Sources

dns

select 
  srcip, 
  sum(total_num) as total_num, 
  sum(
    case when sevid = 5 then total_num else 0 end
  ) as num_cri, 
  sum(
    case when sevid = 4 then total_num else 0 end
  ) as num_hig, 
  sum(
    case when sevid = 3 then total_num else 0 end
  ) as num_med 
from 
  ###(select srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from $log where $filter and srcip is not null group by srcip, sevid order by total_num desc)### t where sevid>=3 group by srcip having sum(total_num)>0 order by total_num desc

Dataset Name

Description

Log Category

dns-DNS-Request-Over-Time

DNS Request Over Time

dns

select 
  $flex_timescale(timestamp) as timescale, 
  sum(
    case when sevid = 5 then total_num else 0 end
  ) as num_cri, 
  sum(
    case when sevid = 4 then total_num else 0 end
  ) as num_hig, 
  sum(
    case when sevid = 3 then total_num else 0 end
  ) as num_med, 
  sum(
    case when sevid = 2 then total_num else 0 end
  ) as num_inf, 
  sum(
    case when sevid = 1 then total_num else 0 end
  ) as num_low 
from 
  ###(select $flex_timestamp as timestamp, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from $log where $filter group by timestamp, sevid order by total_num desc)### t group by timescale order by timescale

Dataset Name

Description

Log Category

dns-Top-Queried-Domain

Top Queried Domain

dns

select 
  qname, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and qname is not null 
group by 
  qname 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Top-Domain-Lookup-Failure-Bar

Top Domain Lookup Failures

dns

select 
  qname, 
  srcip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and qname is not null 
  and (
    action = 'block' 
    or logid_to_int(logid)= 54001
  ) 
group by 
  qname, 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Top-Domain-Lookup-Failure-Table

Top Domain Lookup Failures

dns

select 
  qname, 
  srcip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and qname is not null 
  and (
    action = 'block' 
    or logid_to_int(logid)= 54001
  ) 
group by 
  qname, 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Query-Timeout

Query Timeout

dns

select 
  srcip, 
  qname, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and srcip is not null 
  and logid_to_int(logid)= 54001 
group by 
  qname, 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Blocked-Query

Blocked Queries

dns

select 
  srcip, 
  msg, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and srcip is not null 
  and action = 'block' 
group by 
  srcip, 
  msg 
order by 
  total_num desc

Dataset Name

Description

Log Category

perf-stat-cpu-usage-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-mem-usage-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-disk-usage-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-sessions-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-lograte-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-connections-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-bandwidth-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-usage-summary-average

Fortigate resource summary view

event

select 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak 
from 
  ###(select devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak from $log where $filter and action='perf-stats' group by devid)### t group by devid order by devid

Dataset Name

Description

Log Category

perf-stat-usage-summary-peak

Fortigate resource summary view

event

select 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak 
from 
  ###(select devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak from $log where $filter and action='perf-stats' group by devid)### t group by devid order by devid

Dataset Name

Description

Log Category

perf-stat-usage-details-drilldown-master

Fortigate resource summary view

event

select 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak 
from 
  ###(select devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak from $log where $filter and action='perf-stats' group by devid)### t group by devid order by devid

Dataset Name

Description

Log Category

360-degree-security-Application-Visiblity-and-Control-Summary

Application Visibolity and Control Summary

app-ctrl

select 
  appcat, 
  count(distinct app) as total_num 
from 
  ###(select appcat, app from $log where $filter and app is not null and appcat is not null group by appcat, app)### t group by appcat order by total_num desc

Dataset Name

Description

Log Category

360-degree-security-Threats-Detection-and-Prevention-Summary

Threat Prevention

app-ctrl

select 
  threat_name, 
  count(distinct threats) as total_num 
from 
  (
    ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, app as threats from $log-app-ctrl where $filter and lower(appcat)='botnet' group by app)### union all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, virus as threats from $log-virus where $filter and nullifna(virus) is not null group by virus)### union all ###(select cast('Malicious & Phishing Sites' as char(32)) as threat_name, hostname as threats from $log-webfilter where $filter and cat in (26, 61) group by hostname)### union all ###(select cast('Critical & High Intrusion Attacks' as char(32)) as threat_name, attack as total_num from $log-attack where $filter and severity in ('critical', 'high') group by attack)###) t group by threat_name order by total_num desc

Dataset Name

Description

Log Category

360-degree-security-Data-Exfiltration-Detection-and-Prevention-Summary

Data Exfiltration Summary

dlp

select 
  data_loss, 
  count(*) as total_num 
from 
  (
    select 
      (
        case when severity = 'critical' then 'Critical Data Exfiltration' else (
          case when coalesce(
            nullifna(`user`), 
            ipstr(`srcip`)
          ) is not null then 'User Associated Data Loss' else NULL end
        ) end
      ) as data_loss 
    from 
      $log 
    where 
      $filter
  ) t 
where 
  data_loss is not null 
group by 
  data_loss 
order by 
  total_num desc

Dataset Name

Description

Log Category

360-degree-security-Endpoint-Protection-Summary

Endpoint Protection

fct-traffic

select 
  blocked_event, 
  count(*) as total_num 
from 
  (
    select 
      (
        case utmevent when 'antivirus' then 'Malware Deteced and Blocked' when 'appfirewall' then 'Risk Application Blocked' when 'webfilter' then (
          case when coalesce(
            nullifna(`user`), 
            ipstr(`srcip`)
          ) is not null then 'Web Sites Violation Blocked' else 'Non User Initiated Web Visits' end
        ) else NULL end
      ) as blocked_event 
    from 
      $log 
    where 
      $filter 
      and utmaction in ('blocked', 'quarantined')
  ) t 
where 
  blocked_event is not null 
group by 
  blocked_event 
order by 
  total_num desc

Dataset Reference List

Dataset Reference List

The following tables list the datasets included with FortiAnalyzer. The tables contain the name, SQL query syntax, and log category for each dataset.

Dataset Name

Description

Log Category

Traffic-Bandwidth-Summary-Day-Of-Month

Traffic bandwidth timeline

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_BANDWIDTH_SESSION}})### t group by hodex having sum(traffic_out+traffic_in)>0 order by hodex

Dataset Name

Description

Log Category

Session-Summary-Day-Of-Month

Number of session timeline

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_BANDWIDTH_SESSION}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Users-By-Bandwidth

Bandwidth application top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-App-By-Bandwidth

Top applications by bandwidth usage

traffic

select 
  app_group_name(app) as app_group, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-User-Source-By-Sessions

Top user source by session count

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top-App-By-Sessions

Top applications by session count

traffic

select 
  app_group_name(app) as app_group, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top-Destination-Addresses-By-Sessions

Top destinations by session count

traffic

select 
  coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(dstip)
  ) as domain, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  domain 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top-Destination-Addresses-By-Bandwidth

Top destinations by bandwidth usage

traffic

select 
  coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(dstip)
  ) as domain, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(`dstip`)
  ) is not null 
group by 
  domain 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

DHCP-Summary-By-Port

Event top dhcp summary

event

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; 
drop 
  table if exists rpt_tmptbl_3; create temporary table rpt_tmptbl_1 as ###(select concat(interface, '.', devid) as intf, mac from $log where $last3day_period $filter  and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by interface, devid, mac)###; create temporary table rpt_tmptbl_2 as ###(select concat(interface, '.', devid) as intf, mac from $log where $filter and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by interface, devid, mac)###; create temporary table rpt_tmptbl_3 as select distinct on (1) intf, cast(used*100.0/total as decimal(18,2)) as percent_of_allocated_ip from ###(select distinct on (1) concat(interface, '.', devid) as intf, used, total, itime from $log where $filter and logid_to_int(logid)=26003 and total>0 /*SkipSTART*/order by intf, itime desc/*SkipEND*/)### t order by intf, itime desc; select t1.intf as interface, percent_of_allocated_ip, new_cli_count from rpt_tmptbl_3 t1 inner join (select intf, count(mac) as new_cli_count from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.mac=rpt_tmptbl_1.mac) group by intf) t2 on t1.intf=t2.intf order by interface, percent_of_allocated_ip desc

Dataset Name

Description

Log Category

Top-Wifi-Client-By-Bandwidth

Traffic top WiFi client by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  srcssid, 
  devtype, 
  coalesce(
    nullifna(`srcname`), 
    `srcmac`
  ) as hostname_mac, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  user_src, 
  srcssid, 
  devtype, 
  hostname_mac 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Traffic-History-By-Active-User

Traffic history by active user

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  count(
    distinct(user_src)
  ) as total_user 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_BANDWIDTH_SESSION}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Allowed-Websites-By-Requests

UTM top allowed web sites by request

traffic

select 
  hostname, 
  catdesc, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and hostname is not null 
  and (
    utmaction not in ('block', 'blocked') 
    or action != 'deny'
  ) 
group by 
  hostname, 
  catdesc 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-50-Websites-By-Bandwidth

Webfilter top allowed web sites by bandwidth usage

webfilter

select 
  domain, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and utmaction!='blocked' and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by domain, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

Top-Blocked-Websites

UTM top blocked web sites by request

traffic

select 
  hostname, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and hostname is not null 
  and (
    utmaction in ('block', 'blocked') 
    or action = 'deny'
  ) 
group by 
  hostname 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Web-Users-By-Request

UTM top web users by request

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  srcname, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
group by 
  user_src, 
  devtype, 
  srcname 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Allowed-WebSites-By-Bandwidth

UTM top allowed websites by bandwidth usage

traffic

select 
  appid, 
  hostname, 
  catdesc, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and hostname is not null 
group by 
  appid, 
  hostname, 
  catdesc 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Blocked-Web-Users

UTM top blocked web users

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  srcname, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
  and (
    utmaction in ('block', 'blocked') 
    or action = 'deny'
  ) 
group by 
  user_src, 
  devtype, 
  srcname 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-20-Web-Users-By-Bandwidth

Webfilter top web users by bandwidth usage

webfilter

select 
  user_src, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by user_src having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by user_src order by bandwidth desc

Dataset Name

Description

Log Category

Top-Web-Users-By-Bandwidth

UTM top web users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  srcname, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and utmevent in (
    'webfilter', 'banned-word', 'web-content', 
    'command-block', 'script-filter'
  ) 
group by 
  user_src, 
  devtype, 
  srcname 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Video-Streaming-Websites-By-Bandwidth

UTM top video streaming websites by bandwidth usage

traffic

select 
  appid, 
  hostname, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and catdesc in ('Streaming Media and Download') 
group by 
  appid, 
  hostname 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Email-Senders-By-Count

Default top email senders by count

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'smtp', 'SMTP', '25/tcp', '587/tcp', 
    'smtps', 'SMTPS', '465/tcp'
  ) 
group by 
  user_src 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Email-Receivers-By-Count

Default email top receivers by count

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'pop3', 'POP3', '110/tcp', 'imap', 
    'IMAP', '143/tcp', 'imaps', 'IMAPS', 
    '993/tcp', 'pop3s', 'POP3S', '995/tcp'
  ) 
group by 
  user_src 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-Email-Senders-By-Bandwidth

Default email top senders by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'smtp', 'SMTP', '25/tcp', '587/tcp', 
    'smtps', 'SMTPS', '465/tcp'
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Email-Receivers-By-Bandwidth

Default email top receivers by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and service in (
    'pop3', 'POP3', '110/tcp', 'imap', 
    'IMAP', '143/tcp', 'imaps', 'IMAPS', 
    '993/tcp', 'pop3s', 'POP3S', '995/tcp'
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-Malware-By-Name

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

Top-Virus-By-Name

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

Top-Virus-Victim

UTM top virus user

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by user_src /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by user_src order by totalnum desc

Dataset Name

Description

Log Category

Top-Attack-Source

UTM top attack source

attack

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
group by 
  user_src 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Attack-Victim

UTM top attack dest

attack

select 
  dstip, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and dstip is not null 
group by 
  dstip 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Static-IPSEC-Tunnels-By-Bandwidth

Top static IPsec tunnels by bandwidth usage

event

select 
  vpn_name, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      vpn_name, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_IPSEC_TUNNEL_BANDWIDTH}})### t where (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0 order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Tunnel-Users-By-Bandwidth

Top SSL VPN tunnel users by bandwidth usage

event

select 
  user_src, 
  remip as remote_ip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      user_src, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t where tunneltype='ssl-tunnel' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dial-Up-IPSEC-Tunnels-By-Bandwidth

Top dial up IPsec tunnels by bandwidth usage

event

select 
  vpn_name, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      tunnelid, 
      remip, 
      vpn_name, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_TUNNELS}})### t where not (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_out+traffic_in)>0 order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dial-Up-IPSEC-Users-By-Bandwidth

Top dial up IPsec users by bandwidth usage

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  remip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_BANDWIDTH}})### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src, remip order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dial-Up-IPSEC-Users-By-Duration

Top dial up IPsec users by duration

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(duration) as duration, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_BANDWIDTH}})### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src order by duration desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Web-Mode-Users-By-Bandwidth

Top SSL VPN web mode users by bandwidth usage

event

select 
  user_src, 
  remip as remote_ip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      user_src, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Web-Mode-Users-By-Duration

Top SSL VPN web mode users by duration

event

select 
  user_src, 
  remip as remote_ip, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  (
    max(e_time)- min(s_time)
  ) as duration 
from 
  (
    select 
      devid, 
      vd, 
      user_src, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip order by duration desc

Dataset Name

Description

Log Category

Top-SSL-VPN-Users-By-Duration

Top SSL VPN users by duration

event

select 
  user_src, 
  tunneltype, 
  sum(duration) as duration, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      user_src, 
      tunneltype, 
      tunnelid, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_SSL_VPN_TUNNEL_USERS}})### t group by devid, vd, remip, user_src, tunnelid, tunneltype) tt where bandwidth>0 group by user_src, tunneltype order by duration desc

Dataset Name

Description

Log Category

vpn-Top-Dial-Up-VPN-Users-By-Duration

Top dial up VPN users by duration

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  t_type as tunneltype, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(duration) as duration, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      t_type, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_USERS}})### t where (t_type like 'ssl%' or (t_type like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0'))) group by devid, vd, remip, t_type, tunnelid) tt where bandwidth>0 group by user_src, tunneltype order by duration desc

Dataset Name

Description

Log Category

vpn-User-Login-history

VPN user login history

event

select 
  $flex_timescale(timestamp) as hodex, 
  sum(total_num) as total_num 
from 
  (
    select 
      timestamp, 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      sum(tunnelup) as total_num, 
      max(traffic_in) as traffic_in, 
      max(traffic_out) as traffic_out 
    from 
      ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null group by timestamp, action, devid, vd, remip, tunnelid /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, vd, remip, tunnelid having max(tunnelup) > 0 and max(traffic_in)+max(traffic_out)>0) t group by hodex order by total_num desc

Dataset Name

Description

Log Category

vpn-Failed-Login-Atempts

VPN failed logins

event

select 
  f_user, 
  tunneltype, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype='ipsec' or left(tunneltype, 3)='ssl') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc

Dataset Name

Description

Log Category

vpn-Authenticated-Logins

VPN authenticated logins

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as f_user, 
  t_type as tunneltype, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(total_num) as total_num, 
  sum(duration) as duration 
from 
  (
    select 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      t_type, 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end
      ) as duration, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      sum(tunnelup) as total_num 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_USERS}})### t group by t_type, devid, vd, remip, tunnelid having max(tunnelup) > 0) tt where bandwidth>0 group by f_user, tunneltype order by total_num desc

Dataset Name

Description

Log Category

vpn-Traffic-Usage-Trend-VPN-Summary

VPN traffic usage trend

event

select 
  hodex, 
  sum(ssl_traffic_bandwidth) as ssl_bandwidth, 
  sum(ipsec_traffic_bandwidth) as ipsec_bandwidth 
from 
  (
    select 
      $flex_timescale(timestamp) as hodex, 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      (
        case when t_type like 'ssl%' then (
          case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
        ) else 0 end
      ) as ssl_traffic_bandwidth, 
      (
        case when t_type like 'ipsec%' then (
          case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
        ) else 0 end
      ) as ipsec_traffic_bandwidth, 
      min(s_time) as s_time, 
      max(e_time) as e_time 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_TRAFFIC_USAGE}})### t group by hodex, devid, t_type, vd, remip, tunnelid) tt group by hodex order by hodex

Dataset Name

Description

Log Category

Top-S2S-IPSEC-Tunnels-By-Bandwidth-and-Availability

Top S2S IPsec tunnels by bandwidth usage and avail

event

select 
  vpntunnel, 
  tunneltype, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      vpntunnel, 
      tunneltype, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, tunneltype, vpntunnel, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and (tunnelip is null or tunnelip='0.0.0.0') and nullifna(`user`) is null and tunnelid is not null and tunnelid!=0 group by tunnelid, tunneltype, vpntunnel, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by vpntunnel, tunneltype, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by vpntunnel, tunneltype order by bandwidth desc

Dataset Name

Description

Log Category

Top-Dialup-IPSEC-By-Bandwidth-and-Availability

Top dialup IPsec users by bandwidth usage and avail

event

select 
  user_src, 
  remip, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      user_src, 
      remip, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and tunnelid is not null and tunnelid!=0 group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remip order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-Tunnel-Mode-By-Bandwidth-and-Availability

Top SSL tunnel users by bandwidth usage and avail

event

select 
  user_src, 
  remote_ip, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      user_src, 
      remip as remote_ip, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype in ('ssl-tunnel', 'ssl') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remote_ip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Top-SSL-Web-Mode-By-Bandwidth-and-Availability

Top SSL web users by bandwidth usage and avail

event

select 
  user_src, 
  remote_ip, 
  sum(traffic_out) as traffic_out, 
  sum(traffic_in) as traffic_in, 
  sum(bandwidth) as bandwidth, 
  sum(uptime) as uptime 
from 
  (
    select 
      user_src, 
      remip as remote_ip, 
      tunnelid, 
      devid, 
      vd, 
      sum(sent_end - sent_beg) as traffic_out, 
      sum(rcvd_end - rcvd_beg) as traffic_in, 
      sum(
        sent_end - sent_beg + rcvd_end - rcvd_beg
      ) as bandwidth, 
      sum(duration_end - duration_beg) as uptime 
    from 
      ###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype='ssl-web' and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remote_ip, tunnelid, devid, vd having sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0 order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc

Dataset Name

Description

Log Category

Admin-Login-Summary

Event admin login summary

event

select 
  f_user, 
  ui, 
  sum(login) as total_num, 
  sum(login_duration) as total_duration, 
  sum(config_change) as total_change 
from 
  (
    select 
      `user` as f_user, 
      ui, 
      (
        case when logid_to_int(logid)= 32001 then 1 else 0 end
      ) as login, 
      (
        case when logid_to_int(logid)= 32003 then duration else 0 end
      ) as login_duration, 
      (
        case when logid_to_int(logid)= 32003 
        and state is not null then 1 else 0 end
      ) as config_change 
    from 
      $log 
    where 
      $filter 
      and nullifna(`user`) is not null 
      and logid_to_int(logid) in (32001, 32003)
  ) t 
group by 
  f_user, 
  ui 
having 
  sum(login)+ sum(config_change)& gt; 0 
order by 
  total_num desc

Dataset Name

Description

Log Category

Admin-Login-Summary-By-Date

Event admin login summary by date

event

select 
  $flex_timescale(timestamp) as dom, 
  sum(total_num) as total_num, 
  sum(total_change) as total_change 
from 
  ###(select timestamp, sum(login) as total_num, sum(config_change) as total_change from (select $flex_timestamp as timestamp, (case when logid_to_int(logid)=32001 then 1 else 0 end) as login, (case when logid_to_int(logid)=32003 and state is not null then 1 else 0 end) as config_change from $log where $filter and logid_to_int(logid) in (32001, 32003)) t group by timestamp having sum(login)+sum(config_change)>0 /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom

Dataset Name

Description

Log Category

Admin-Failed-Login-Summary

Event admin failed login summary

event

select 
  `user` as f_user, 
  ui, 
  count(status) as total_failed 
from 
  $log 
where 
  $filter 
  and nullifna(`user`) is not null 
  and logid_to_int(logid) = 32002 
group by 
  ui, 
  f_user 
order by 
  total_failed desc

Dataset Name

Description

Log Category

System-Summary-By-Severity

Event system summary by severity

event

select 
  severity_tmp as severity, 
  sum(count) as total_num 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t group by severity order by total_num desc

Dataset Name

Description

Log Category

System-Summary-By-Date

Event system summary by date

event

select 
  $flex_timescale(timestamp) as dom, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium 
from 
  ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom

Dataset Name

Description

Log Category

Important-System-Summary-By-Date

Event system summary by date

event

select 
  $flex_timescale(timestamp) as dom, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium 
from 
  ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom

Dataset Name

Description

Log Category

System-Critical-Severity-Events

Event system critical severity events

event

select 
  msg_desc as msg, 
  severity_tmp as severity, 
  sum(count) as counts 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t where severity_tmp='Critical' group by msg, severity_tmp order by counts desc

Dataset Name

Description

Log Category

System-High-Severity-Events

Event system high severity events

event

select 
  msg_desc as msg, 
  severity_tmp as severity, 
  sum(count) as counts 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t where severity_tmp='High' group by msg, severity_tmp order by counts desc

Dataset Name

Description

Log Category

System-Medium-Severity-Events

Event system medium severity events

event

select 
  msg_desc as msg, 
  severity_tmp as severity, 
  sum(count) as counts 
from 
  ###({{FGT_DATASET_BASE_EVENT_SYSTEM_EVENTS}})### t where severity_tmp='Medium' group by msg, severity_tmp order by counts desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Traffic-Summary

UTM drilldown traffic summary

traffic

select 
  srcip, 
  srcname 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, srcname, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by user_src, srcip, srcname order by bandwidth desc)### t where $filter-drilldown group by srcip, srcname

Dataset Name

Description

Log Category

utm-drilldown-Top-User-Destination

UTM drilldown top user destination

traffic

select 
  appid, 
  app, 
  dstip, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, app, dstip, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and dstip is not null and nullifna(app) is not null group by user_src, appid, app, dstip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t where $filter-drilldown group by appid, app, dstip order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Email-Senders-Summary

UTM drilldown email senders summary

traffic

select 
  sum(requests) as requests, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_SENDERS}})### t where $filter-drilldown

Dataset Name

Description

Log Category

utm-drilldown-Email-Receivers-Summary

UTM drilldown email receivers summary

traffic

select 
  sum(requests) as requests, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_RECIPIENTS}})### t where $filter-drilldown

Dataset Name

Description

Log Category

utm-drilldown-Top-Email-Recipients-By-Bandwidth

UTM drilldown top email recipients

traffic

select 
  recipient, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_RECIPIENTS}})### t where $filter-drilldown group by recipient having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Email-Senders-By-Bandwidth

UTM drilldown top email senders

traffic

select 
  sender, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_EMAIL_SENDERS}})### t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Allowed-Websites-By-Bandwidth

UTM drilldown top allowed web sites by bandwidth

traffic

select 
  appid, 
  hostname, 
  sum(bandwidth) as bandwidth 
from 
  ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, hostname, (case when utmaction in ('block', 'blocked') then 1 else 0 end) as blocked, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and hostname is not null group by user_src, appid, hostname, blocked order by bandwidth desc)### t where $filter-drilldown and blocked=0 group by appid, hostname order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Blocked-Websites-By-Request

UTM drilldown top blocked web sites by request

webfilter

select 
  appid, 
  hostname, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, 0 as appid, hostname, (case when action='blocked' then 1 else 0 end) as blocked, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and hostname is not null group by user_src, appid, hostname, blocked order by requests desc)### t where $filter-drilldown and blocked=1 group by appid, hostname order by requests desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Virus-By-Name

UTM drilldown top virus

virus

select 
  virus, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by user_src, virus order by totalnum desc)### t where $filter-drilldown group by virus order by totalnum desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Attacks

UTM drilldown top attacks by name

attack

select 
  attack, 
  sum(attack_count) as attack_count 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack order by attack_count desc)### t where $filter-drilldown group by attack order by attack_count desc

Dataset Name

Description

Log Category

utm-drilldown-Top-Vulnerability

UTM drilldown top vulnerability by name

netscan

select 
  vuln, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, vuln, count(*) as totalnum from $log where $filter and action='vuln-detection' and vuln is not null group by user_src, vuln order by totalnum desc)### t where $filter-drilldown group by vuln order by totalnum desc

Dataset Name

Description

Log Category

utm-drilldown-Top-App-By-Bandwidth

UTM drilldown top applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_APPS}})### t where $filter-drilldown group by appid, app having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

utm-drilldown-Top-App-By-Sessions

UTM drilldown top applications by session count

traffic

select 
  appid, 
  app, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_TOP_APPS}})### t where $filter-drilldown group by appid, app order by sessions desc

Dataset Name

Description

Log Category

Top5-Users-By-Bandwidth

UTM drilldown top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as dldn_user, 
  count(*) as session, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  dldn_user 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Top-App-By-Bandwidth-Sessions

Top applications by bandwidth usage

traffic

select 
  app_group_name(app) as app_group, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Category-By-Bandwidth

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Top-Users-By-Bandwidth-Sessions

Bandwidth application top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Traffic-By-Active-User-Number

Bandwidth application traffic by active user number

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  count(
    distinct(user_src)
  ) as total_user 
from 
  ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src from $log where $filter and (logflag&1>0) group by timestamp, user_src order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

bandwidth-app-Top-Dest-By-Bandwidth-Sessions

Bandwidth application top dest by bandwidth usage sessions

traffic

select 
  coalesce(
    nullifna(
      root_domain(hostname)
    ), 
    ipstr(`dstip`)
  ) as domain, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  domain 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Top-Policies-By-Bandwidth-Sessions

Top policies by bandwidth and sessions

traffic

select 
  coalesce(
    cast(poluuid as text), 
    cast(policyid as text)
  ) as polid, 
  sum(
    coalesce(rcvdbyte, 0) + coalesce(sentbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  polid 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

bandwidth-app-Traffic-Statistics

Bandwidth application traffic statistics

traffic

drop 
  table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1(
    total_sessions varchar(255), 
    total_bandwidth varchar(255), 
    ave_session varchar(255), 
    ave_bandwidth varchar(255), 
    active_date varchar(255), 
    total_users varchar(255), 
    total_app varchar(255), 
    total_dest varchar(255)
  ); insert into rpt_tmptbl_1 (
    total_sessions, total_bandwidth, 
    ave_session, ave_bandwidth
  ) 
select 
  format_numeric_no_decimal(
    sum(sessions)
  ) as total_sessions, 
  bandwidth_unit(
    sum(bandwidth)
  ) as total_bandwidth, 
  format_numeric_no_decimal(
    cast(
      sum(sessions)/ $days_num as decimal(18, 0)
    )
  ) as ave_session, 
  bandwidth_unit(
    cast(
      sum(bandwidth)/ $days_num as decimal(18, 0)
    )
  ) as ave_bandwidth 
from 
  ###(select count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0))### t; update rpt_tmptbl_1 set active_date=t1.dom from (select dom, sum(sessions) as sessions from ###(select $DAY_OF_MONTH as dom, count(*) as sessions from $log where $filter and (logflag&1>0) group by dom order by sessions desc)### t group by dom order by sessions desc limit 1) as t1; update rpt_tmptbl_1 set total_users=t2.totalnum from (select format_numeric_no_decimal(count(distinct(user_src))) as totalnum from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as count from $log where $filter and (logflag&1>0) group by user_src order by count desc)### t) as t2; update rpt_tmptbl_1 set total_app=t3.totalnum from (select format_numeric_no_decimal(count(distinct(app_grp))) as totalnum from ###(select app_group_name(app) as app_grp, count(*) as count from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_grp order by count desc)### t) as t3; update rpt_tmptbl_1 set total_dest=t4.totalnum from (select format_numeric_no_decimal(count(distinct(dstip))) as totalnum from ###(select dstip, count(*) as count from $log where $filter and (logflag&1>0) and dstip is not null group by dstip order by count desc)### t ) as t4; select 'Total Sessions' as summary, total_sessions as stats from rpt_tmptbl_1 union all select 'Total Bytes Transferred' as summary, total_bandwidth as stats from rpt_tmptbl_1 union all select 'Most Active Date By Sessions' as summary, active_date as stats from rpt_tmptbl_1 union all select 'Total Users' as summary, total_users as stats from rpt_tmptbl_1 union all select 'Total Applications' as summary, total_app as stats from rpt_tmptbl_1 union all select 'Total Destinations' as summary, total_dest as stats from rpt_tmptbl_1 union all select 'Average Sessions Per Day' as summary, ave_session as stats from rpt_tmptbl_1 union all select 'Average Bytes Per Day' as summary, ave_bandwidth as stats from rpt_tmptbl_1

Dataset Name

Description

Log Category

Score-Summary-For-All-Users-Devices

Reputation score summary for all users devices

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(scores) as scores 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_CLIENT_REPUTATION_INCIDENTS}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Number-Of-Incidents-For-All-Users-Devices

Reputation number of incidents for all users devices

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(scores) as scores, 
  sum(totalnum) as totalnum 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_CLIENT_REPUTATION_INCIDENTS}})### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Users-By-Reputation-Scores

Reputation top users by scores

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  user_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

Top-Devices-By-Reputation-Scores

Reputation top devices by scores

traffic

select 
  devtype, 
  coalesce(
    nullifna(`srcname`), 
    nullifna(`srcmac`), 
    ipstr(`srcip`)
  ) as dev_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  devtype, 
  dev_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

Top-Users-With-Increased-Scores

Reputation top users with increased scores

traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)###; select t1.f_user, sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_user=t2.f_user where t2.sum_rp_score > t1.sum_rp_score group by t1.f_user order by delta desc

Dataset Name

Description

Log Category

Top-Devices-With-Increased-Scores

Reputation top devices with increased scores

traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, devtype, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_device, devtype having sum(crscore%65536)>0 order by sum_rp_score desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, devtype, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_device, devtype having sum(crscore%65536)>0 order by sum_rp_score desc)###; select t1.f_device, t1.devtype , sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_device=t2.f_device and t1.devtype=t2.devtype where t2.sum_rp_score > t1.sum_rp_score group by t1.f_device, t1.devtype order by delta desc

Dataset Name

Description

Log Category

Attacks-By-Severity

Threat attacks by severity

attack

select 
  (
    case when severity = 'critical' then 'Critical' when severity = 'high' then 'High' when severity = 'medium' then 'Medium' when severity = 'low' then 'Low' when severity = 'info' then 'Info' end
  ) as severity, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
group by 
  severity 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Attacks-Detected

Threat top attacks detected

attack

select 
  attack, 
  attackid, 
  cve, 
  severity, 
  sum(attack_count) as attack_count 
from 
  ###(select attack, attackid, t1.severity, cve, (case when t1.severity = 'critical' then 1 when t1.severity = 'high' then 2 when t1.severity = 'medium'  then 3 when t1.severity = 'low' then 4 else 5 end) as severity_level, count(*) as attack_count from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, severity_level, cve /*SkipSTART*/order by severity_level, attack_count desc/*SkipEND*/)### t group by attack, attackid, severity, severity_level, cve order by severity_level, attack_count desc

Dataset Name

Description

Log Category

Top-Attacks-Blocked

Threat top attacks blocked

attack

select 
  attack, 
  count(*) as attack_count 
from 
  $log 
where 
  $filter 
  and nullifna(attack) is not null 
  and action not in ('detected', 'pass_session') 
group by 
  attack 
order by 
  attack_count desc

Dataset Name

Description

Log Category

Top-Virus-Source

Threat top virus source

virus

select 
  srcip, 
  hostname, 
  sum(totalnum) as totalnum 
from 
  ###(select srcip , ipstr(`dstip`) as hostname, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by srcip, hostname /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by srcip, hostname order by totalnum desc

Dataset Name

Description

Log Category

Intrusion-in-Last-7-Days

Threat intrusion timeline

attack

select 
  $flex_timescale(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Virus-Time-Line

Threat virus timeline

virus

select 
  $flex_datetime(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Spyware-Victims

Threat top spyware victims

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where  virus like 'Riskware%' group by user_src order by totalnum desc

Dataset Name

Description

Log Category

Top-Spyware-by-Name

Threat top spyware by name

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Riskware%' group by virus order by totalnum desc

Dataset Name

Description

Log Category

Top-Spyware-Source

Threat top spyware source

traffic

select 
  srcip, 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and virus like 'Riskware%' 
group by 
  srcip, 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Spyware-Time-Line

Threat spyware timeline

virus

select 
  $flex_timescale(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and virus like 'Riskware%' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Top-Adware-Victims

Threat top adware victims

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by user_src order by totalnum desc

Dataset Name

Description

Log Category

Top-Adware-by-Name

Threat top adware by name

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by virus order by totalnum desc

Dataset Name

Description

Log Category

Top-Adware-Source

Threat top adware source

traffic

select 
  srcip, 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and virus like 'Adware%' 
group by 
  srcip, 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Adware-Time-Line

Threat adware timeline

virus

select 
  $flex_timescale(timestamp) as hodex, 
  sum(totalnum) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and virus like 'Adware%' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Intrusions-Timeline-By-Severity

Threat intrusions timeline by severity

attack

select 
  $flex_timescale(timestamp) as timescale, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low, 
  sum(info) as info 
from 
  ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity = 'notice' then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale

Dataset Name

Description

Log Category

Important-Intrusions-Timeline-By-Severity

Threat intrusions timeline by severity

attack

select 
  $flex_timescale(timestamp) as timescale, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low, 
  sum(info) as info 
from 
  ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity = 'notice' then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale

Dataset Name

Description

Log Category

Top-Intrusions-By-Types

Threat top intrusions by types

attack

select 
  vuln_type, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and vuln_type is not null 
group by 
  vuln_type 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Critical-Severity-Intrusions

Threat critical severity intrusions

attack

select 
  attack, 
  attackid, 
  cve, 
  vuln_type, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and t1.severity = 'critical' 
  and nullifna(attack) is not null 
group by 
  attack, 
  attackid, 
  cve, 
  vuln_type 
order by 
  totalnum desc

Dataset Name

Description

Log Category

High-Severity-Intrusions

Threat high severity intrusions

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and t1.severity = 'high' 
  and nullifna(attack) is not null 
group by 
  attack, 
  attackid, 
  vuln_type, 
  cve 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Medium-Severity-Intrusions

Threat medium severity intrusions

attack

select 
  attack, 
  vuln_type, 
  cve, 
  count(*) as totalnum 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and t1.severity = 'medium' 
  and nullifna(attack) is not null 
group by 
  attack, 
  vuln_type, 
  cve 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Top-Intrusion-Victims

Threat top intrusion victims

attack

select 
  victim, 
  sum(cri_num) as critical, 
  sum(high_num) as high, 
  sum(med_num) as medium, 
  sum(cri_num + high_num + med_num) as totalnum 
from 
  ###(select dstip as victim, sum((case when severity='critical' then 1 else 0 end)) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by victim)### t group by victim order by totalnum desc

Dataset Name

Description

Log Category

Top-Intrusion-Sources

Threat top intrusion sources

attack

select 
  source, 
  sum(cri_num) as critical, 
  sum(high_num) as high, 
  sum(med_num) as medium, 
  sum(cri_num + high_num + med_num) as totalnum 
from 
  ###(select srcip as source, sum(case when severity='critical' then 1 else 0 end) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by source)### t group by source order by totalnum desc

Dataset Name

Description

Log Category

Top-Blocked-Intrusions

Threat top blocked intrusions

attack

select 
  attack, 
  attackid, 
  (
    case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high' then 'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low' then 'Low' when t1.severity = 'info' then 'Info' end
  ) as severity_name, 
  count(*) as totalnum, 
  vuln_type, 
  (
    case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1 when t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.severity = 'info' then 4 else 5 end
  ) as severity_number 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and nullifna(attack) is not null 
  and action not in ('detected', 'pass_session') 
group by 
  attack, 
  attackid, 
  t1.severity, 
  vuln_type 
order by 
  severity_number, 
  totalnum desc

Dataset Name

Description

Log Category

Top-Monitored-Intrusions

Threat top monitored intrusions

attack

select 
  attack, 
  attackid, 
  (
    case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high' then 'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low' then 'Low' when t1.severity = 'info' then 'Info' end
  ) as severity_name, 
  count(*) as totalnum, 
  vuln_type, 
  (
    case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1 when t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.severity = 'info' then 4 else 5 end
  ) as severity_number 
from 
  $log t1 
  left join (
    select 
      name, 
      cve, 
      vuln_type 
    from 
      ips_mdata
  ) t2 on t1.attack = t2.name 
where 
  $filter 
  and nullifna(attack) is not null 
  and action in ('detected', 'pass_session') 
group by 
  attack, 
  attackid, 
  t1.severity, 
  vuln_type 
order by 
  severity_number, 
  totalnum desc

Dataset Name

Description

Log Category

Attacks-Over-HTTP-HTTPs

Threat attacks over HTTP HTTPs

attack

select 
  attack, 
  attackid, 
  (
    case when severity = 'critical' then 'Critical' when severity = 'high' then 'High' when severity = 'medium' then 'Medium' when severity = 'low' then 'Low' when severity = 'info' then 'Info' end
  ) as severity, 
  count(*) as totalnum, 
  (
    case when severity = 'critical' then 0 when severity = 'high' then 1 when severity = 'medium' then 2 when severity = 'low' then 3 when severity = 'info' then 4 else 5 end
  ) as severity_number 
from 
  $log 
where 
  $filter 
  and severity in ('critical', 'high', 'medium') 
  and upper(service) in ('HTTP', 'HTTPS') 
group by 
  attack, 
  attackid, 
  severity, 
  severity_number 
order by 
  severity_number, 
  totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OffWire

Default access point detection summary by status off-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='no' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OffWire_table

Default access point detection summary by status off-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='no' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OnWire

Default access point detection summary by status on-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-AP-Detection-Summary-by-Status-OnWire_table

Default access point detection summary by status on-wire

event

select 
  (
    case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  count(*) as totalnum 
from 
  (
    select 
      apstatus, 
      bssid, 
      ssid 
    from 
      ###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc

Dataset Name

Description

Log Category

default-Managed-AP-Summary

Default managed access point summary

event

select 
  (
    case when (
      action like '%join%' 
      and logid_to_int(logid) in (43522, 43551)
    ) then 'Authorized' else 'Unauthorized' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid) in (43522, 43551) 
group by 
  ap_status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

default-Managed-AP-Summary_table

Default managed access point summary

event

select 
  (
    case when (
      action like '%join%' 
      and logid_to_int(logid) in (43522, 43551)
    ) then 'Authorized' else 'Unauthorized' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid) in (43522, 43551) 
group by 
  ap_status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

default-Unclassified-AP-Summary

Default unclassified access point summary

event

select 
  (
    case onwire when 'no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc

Dataset Name

Description

Log Category

default-Unclassified-AP-Summary_table

Default unclassified access point summary

event

select 
  (
    case onwire when 'no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end
  ) as ap_status, 
  count(*) as totalnum 
from 
  ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc

Dataset Name

Description

Log Category

default-selected-AP-Details-OffWire

Default selected access point details off-wire

event

select 
  (
    case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  from_dtime(
    min(dtime)
  ) as first_seen, 
  from_dtime(
    max(dtime)
  ) as last_seen, 
  detectionmethod, 
  itime, 
  onwire as on_wire 
from 
  $log 
where 
  $filter 
  and apstatus is not null 
  and bssid is not null 
  and onwire = 'no' 
  and logid_to_int(logid) in (
    43521, 43563, 43564, 43565, 43566, 43569, 
    43570, 43571
  ) 
group by 
  ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  detectionmethod, 
  itime, 
  onwire, 
  apstatus

Dataset Name

Description

Log Category

default-selected-AP-Details-OnWire

Default selected access point details on-wire

event

select 
  (
    case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end
  ) as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  from_dtime(
    min(dtime)
  ) as first_seen, 
  from_dtime(
    max(dtime)
  ) as last_seen, 
  detectionmethod, 
  itime, 
  onwire as on_wire 
from 
  $log 
where 
  $filter 
  and apstatus is not null 
  and bssid is not null 
  and onwire = 'yes' 
  and logid_to_int(logid) in (
    43521, 43563, 43564, 43565, 43566, 43569, 
    43570, 43571
  ) 
group by 
  ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  rssi, 
  channel, 
  radioband, 
  detectionmethod, 
  itime, 
  onwire, 
  apstatus

Dataset Name

Description

Log Category

event-Wireless-Client-Details

Event wireless client details

event

drop 
  table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1 as 
select 
  ip, 
  lower(mac) as lmac, 
  sn, 
  ssid, 
  channel, 
  radioband, 
  min(dtime) as first, 
  max(dtime) as last 
from 
  $log - event 
where 
  $filter 
  and ip is not null 
  and mac is not null 
  and sn is not null 
  and ssid is not null 
group by 
  ip, 
  lmac, 
  sn, 
  ssid, 
  channel, 
  radioband 
order by 
  ip; 
select 
  user_src, 
  ip, 
  lmac, 
  sn, 
  ssid, 
  channel, 
  radioband, 
  from_dtime(first) as first_seen, 
  from_dtime(last) as last_seen, 
  cast(
    volume as decimal(18, 2)
  ) as bandwidth 
from 
  (
    select 
      * 
    from 
      rpt_tmptbl_1 
      inner join (
        select 
          user_src, 
          srcip, 
          sum(volume) as volume 
        from 
          ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as volume from $log-traffic where $filter-time and (logflag&1>0) and srcip is not null group by user_src, srcip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by volume desc)### t group by user_src, srcip order by user_src, srcip) t on rpt_tmptbl_1.ip = t.srcip) t order by volume desc

Dataset Name

Description

Log Category

event-Wireless-Accepted-Offwire

Event wireless accepted off-wire

event

select 
  'accepted' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=2 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Accepted-Onwire

Event wireless accepted on-wire

event

select 
  'accepted' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=2 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Rogue-Offwire

Event wireless rogue off-wire

event

select 
  'rogue' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=1 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Rogue-Onwire

Event wireless rogue on-wire

event

select 
  'rogue' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=1 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Suppressed-Offwire

Event wireless suppressed off-wire

event

select 
  'suppressed' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=3 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Suppressed-Onwire

Event wireless suppressed on-wire

event

select 
  'suppressed' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=3 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Unclassified-Offwire

Event wireless unclassified off-wire

event

select 
  'unclassified' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'no' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_OFFWIRE}})### t where apstatus=0 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

event-Wireless-Unclassified-Onwire

Event wireless unclassified on-wire

event

select 
  'unclassified' as ap_full_status, 
  devid, 
  vd, 
  ssid, 
  bssid, 
  manuf, 
  channel, 
  radioband, 
  from_dtime(
    max(last_seen)
  ) as last_seen, 
  detectionmethod, 
  snclosest, 
  'yes' as on_wire 
from 
  ###({{FGT_DATASET_BASE_EVENT_WIRELESS_ROGUE_ONWIRE}})### t where apstatus=0 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc

Dataset Name

Description

Log Category

default-Top-IPSEC-Vpn-Dial-Up-User-By-Bandwidth

Default top IPsec VPN dial up user by bandwidth usage

event

select 
  coalesce(
    xauthuser_agg, 
    user_agg, 
    ipstr(`remip`)
  ) as user_src, 
  from_dtime(
    min(s_time)
  ) as start_time, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  (
    select 
      devid, 
      vd, 
      string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, 
      string_agg(distinct user_agg, ' ') as user_agg, 
      remip, 
      tunnelid, 
      min(s_time) as s_time, 
      max(e_time) as e_time, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_DIAL_UP_IPSEC_BANDWIDTH}})### t group by devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

default-Top-Sources-Of-SSL-VPN-Tunnels-By-Bandwidth

Default top sources of SSL VPN tunnels by bandwidth usage

event

select 
  remip as remote_ip, 
  sum(bandwidth) as bandwidth 
from 
  (
    select 
      devid, 
      vd, 
      remip, 
      tunnelid, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end
      ) as traffic_in, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end
      ) as traffic_out, 
      (
        case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end
      ) as bandwidth 
    from 
      ###({{FGT_DATASET_BASE_EVENT_VPN_TRAFFIC_USAGE}})### t where t_type like 'ssl%' group by devid, vd, remip, tunnelid) tt group by remote_ip having sum(traffic_in+traffic_out)>0 order by bandwidth desc

Dataset Name

Description

Log Category

webfilter-Web-Activity-Summary-By-Requests

Webfilter web activity summary by requests

webfilter

select 
  $flex_timescale(timestamp) as hodex, 
  sum(allowed_request) as allowed_request, 
  sum(blocked_request) as blocked_request 
from 
  ###(select $flex_timestamp as timestamp, sum(case when action!='blocked' then 1 else 0 end) as allowed_request, sum(case when action='blocked' then 1 else 0 end) as blocked_request from $log where $filter and (eventtype is null or logver>=52) group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

traffic-Browsing-Time-Summary

Traffic browsing time summary

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  cast(
    ebtr_value(
      ebtr_agg_flat(browsetime), 
      null, 
      $timespan
    )/ 60.0 as decimal(18, 2)
  ) as browsetime 
from 
  ###(select $flex_timestamp as timestamp, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

traffic-Browsing-Time-Summary-Enhanced

Traffic browsing time summary enhanced

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  cast(
    ebtr_value(
      ebtr_agg_flat(browsetime), 
      null, 
      $timespan
    )/ 60.0 as decimal(18, 2)
  ) as browsetime 
from 
  ###(select $flex_timestamp as timestamp, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex

Dataset Name

Description

Log Category

webfilter-Top-Web-Users-By-Blocked-Requests

Webfilter top web users by blocked requests

webfilter

select 
  user_src, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null and action='blocked' group by user_src /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by user_src order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Web-Users-By-Allowed-Requests

Webfilter top web users by allowed requests

webfilter

select 
  user_src, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null and action!='blocked' group by user_src /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by user_src order by requests desc

Dataset Name

Description

Log Category

traffic-Top-Web-Users-By-Browsing-Time

Traffic top web users by browsing time

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and $browse_time is not null group by user_src) t group by user_src /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

webfilter-Top-Blocked-Web-Sites-By-Requests

Webfilter top blocked web sites by requests

webfilter

select 
  domain, 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select hostname as domain, catdesc, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and hostname is not null and catdesc is not null and action='blocked' group by domain, catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by domain, catdesc order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Allowed-Web-Sites-By-Requests

Webfilter top allowed web sites by requests

webfilter

select 
  domain, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  sum(requests) as requests 
from 
  ###(select hostname as domain, catdesc, count(*) as requests from $log where $filter and (eventtype is null or logver>=52) and hostname is not null and catdesc is not null and action!='blocked' group by domain, catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by domain order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Video-Streaming-Websites-By-Bandwidth

Webfilter top video streaming websites by bandwidth usage

webfilter

select 
  domain, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select coalesce(nullifna(root_domain(hostname)), 'other') as domain, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc in ('Streaming Media and Download') group by domain having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain order by bandwidth desc

Dataset Name

Description

Log Category

webfilter-Top-Blocked-Web-Categories

Webfilter top blocked web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select catdesc, count(*) as requests from $log-webfilter where $filter and (eventtype is null or logver>=52) and catdesc is not null and action='blocked' group by catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by catdesc order by requests desc

Dataset Name

Description

Log Category

webfilter-Top-Allowed-Web-Categories

Webfilter top allowed web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select catdesc, count(*) as requests from $log-webfilter where $filter and (eventtype is null or logver>=52) and catdesc is not null and action!='blocked' group by catdesc /*SkipSTART*/order by requests desc/*SkipEND*/)### t group by catdesc order by requests desc

Dataset Name

Description

Log Category

traffic-Top-50-Sites-By-Browsing-Time

Traffic top sites by browsing time

traffic

select 
  hostname, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-50-Sites-By-Browsing-Time-Enhanced

Traffic top sites by browsing time enhanced

traffic

select 
  hostname, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-10-Categories-By-Browsing-Time

Traffic top category by browsing time

traffic

select 
  catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and catdesc is not null and $browse_time is not null group by catdesc) t group by catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by catdesc order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-10-Categories-By-Browsing-Time-Enhanced

Traffic top category by browsing time enhanced

traffic

select 
  catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and catdesc is not null and $browse_time is not null group by catdesc) t group by catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by catdesc order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-Destination-Countries-By-Browsing-Time

Traffic top destination countries by browsing time

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

traffic-Top-Destination-Countries-By-Browsing-Time-Enhanced

Traffic top destination countries by browsing time enhanced

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

webfilter-Top-Search-Phrases

Webfilter top search phrases

webfilter

select 
  keyword, 
  count(*) as requests 
from 
  $log 
where 
  $filter 
  and keyword is not null 
group by 
  keyword 
order by 
  requests desc

Dataset Name

Description

Log Category

Top-10-Users-Browsing-Time

Estimated browsing time

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

Top-10-Users-Browsing-Time-Enhanced

Estimated browsing time enhanced

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

Estimated-Browsing-Time

Estimated browsing time

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

Estimated-Browsing-Time-Enhanced

Estimated browsing time enhanced

traffic

select 
  user_src, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by user_src) t group by user_src order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src order by browsetime desc

Dataset Name

Description

Log Category

wifi-Top-AP-By-Bandwidth

Top access point by bandwidth usage

traffic

select 
  coalesce(ap, srcintf) as ap_srcintf, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  ap_srcintf 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-AP-By-Client

Top access point by client

traffic

select 
  ap_srcintf as srcintf, 
  count(distinct srcmac) as totalnum 
from 
  ###(select coalesce(ap, srcintf) as ap_srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by ap_srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t group by srcintf order by totalnum desc

Dataset Name

Description

Log Category

wifi-Top-SSID-By-Bandwidth

Top SSIDs by bandwidth usage

traffic

select 
  srcssid, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcssid is not null 
group by 
  srcssid 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-SSID-By-Client

Top SSIDs by client

traffic

select 
  srcssid, 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t where srcssid is not null group by srcssid order by totalnum desc

Dataset Name

Description

Log Category

wifi-Top-App-By-Bandwidth

Top WiFi applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
  and nullifna(app) is not null 
group by 
  appid, 
  app 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-Client-By-Bandwidth

Top WiFi client by bandwidth usage

traffic

select 
  (
    coalesce(srcname, srcmac, 'unknown') || ' (' || coalesce(devtype, 'unknown') || ', ' || coalesce(osname, '') || (
      case when osversion is null then '' else ' ' || osversion end
    ) || ')'
  ) as client, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  client 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-OS-By-Bandwidth

Top WiFi os by bandwidth usage

traffic

select 
  (
    coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')
  ) as os, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
group by 
  os 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-OS-By-WiFi-Client

Top WiFi os by WiFi client

traffic

select 
  (
    coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')
  ) as os, 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t group by os order by totalnum desc

Dataset Name

Description

Log Category

wifi-Top-Device-By-Bandwidth

Top WiFi device by bandwidth usage

traffic

select 
  devtype, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  ) 
  and devtype is not null 
group by 
  devtype 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

wifi-Top-Device-By-Client

Top WiFi device by client

traffic

select 
  devtype, 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t where devtype is not null group by devtype order by totalnum desc

Dataset Name

Description

Log Category

wifi-Overall-Traffic

WiFi overall traffic

traffic

select 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and (
    srcssid is not null 
    or dstssid is not null
  )

Dataset Name

Description

Log Category

wifi-Num-Distinct-Client

WiFi num distinct client

traffic

select 
  count(distinct srcmac) as totalnum 
from 
  ###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal from $log where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)### t

Dataset Name

Description

Log Category

Top30-Subnets-by-Bandwidth-and-Sessions

Top subnets by application bandwidth

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  subnet 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Application-Bandwidth

Top applications by bandwidth

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  app_group_name(app) as app_group, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  subnet, 
  app_group 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Application-Sessions

Top applications by sessions

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  app_group_name(app) as app_group, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  subnet, 
  app_group 
order by 
  sessions desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Website-Bandwidth

Top websites and web category by bandwidth

traffic

select 
  subnet, 
  website, 
  sum(bandwidth) as bandwidth 
from 
  ###(select ip_subnet(`srcip`) as subnet, hostname as website, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by subnet, website order by bandwidth desc)### t group by subnet, website order by bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-by-Website-Hits

Top websites and web category by sessions

webfilter

select 
  subnet, 
  website, 
  sum(hits) as hits 
from 
  ###(select ip_subnet(`srcip`) as subnet, hostname as website, count(*) as hits from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by subnet, website order by hits desc)### t group by subnet, website order by hits desc

Dataset Name

Description

Log Category

Top30-Subnets-with-Top10-User-by-Bandwidth

Top users by bandwidth

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcip is not null 
group by 
  subnet, 
  user_src 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top30-Subnets-with-Top10-User-by-Sessions

Top users by sessions

traffic

select 
  ip_subnet(`srcip`) as subnet, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  subnet, 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

app-Top-20-Category-and-Applications-by-Bandwidth

Top category and applications by bandwidth usage

traffic

select 
  appcat, 
  app, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  appcat, 
  app 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

app-Top-20-Category-and-Applications-by-Session

Top category and applications by session

traffic

select 
  appcat, 
  app, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  appcat, 
  app 
order by 
  sessions desc

Dataset Name

Description

Log Category

app-Top-500-Allowed-Applications-by-Bandwidth

Top allowed applications by bandwidth usage

traffic

select 
  from_itime(itime) as timestamp, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  appcat, 
  app, 
  coalesce(
    root_domain(hostname), 
    ipstr(dstip)
  ) as destination, 
  sum(
    coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and action in ('accept', 'close', 'timeout') 
group by 
  timestamp, 
  user_src, 
  appcat, 
  app, 
  destination 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

app-Top-500-Blocked-Applications-by-Session

Top blocked applications by session

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  appcat, 
  app, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and action in (
    'deny', 'blocked', 'reset', 'dropped'
  ) 
group by 
  user_src, 
  appcat, 
  app 
order by 
  sessions desc

Dataset Name

Description

Log Category

web-Detailed-Website-Browsing-Log

Web detailed website browsing log

traffic

select 
  from_dtime(dtime) as timestamp, 
  catdesc, 
  hostname as website, 
  status, 
  sum(bandwidth) as bandwidth 
from 
  ###(select dtime, catdesc, hostname, cast(utmaction as text) as status, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by dtime, catdesc, hostname, utmaction order by dtime desc)### t group by dtime, catdesc, website, status order by dtime desc

Dataset Name

Description

Log Category

web-Hourly-Category-and-Website-Hits-Action

Web hourly category and website hits action

webfilter

select 
  hod, 
  website, 
  sum(hits) as hits 
from 
  ###(select $hour_of_day as hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') as website , count(*) as hits from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by hod, website order by hod, hits desc)### t group by hod, website order by hod, hits desc

Dataset Name

Description

Log Category

web-Top-20-Category-and-Websites-by-Bandwidth

Web top category and websites by bandwidth usage

traffic

select 
  website, 
  catdesc, 
  sum(bandwidth) as bandwidth 
from 
  ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by website, catdesc order by bandwidth desc)### t group by website, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

web-Top-20-Category-and-Websites-by-Session

Web top category and websites by session

webfilter

select 
  website, 
  catdesc, 
  sum(sessions) as hits 
from 
  ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by hostname, catdesc order by sessions desc)### t group by website, catdesc order by hits desc

Dataset Name

Description

Log Category

web-Top-500-Website-Sessions-by-Bandwidth

Web top website sessions by bandwidth usage

traffic

select 
  from_dtime(dtime) as timestamp, 
  user_src, 
  website, 
  catdesc, 
  cast(
    sum(dura)/ 60 as decimal(18, 2)
  ) as dura, 
  sum(bandwidth) as bandwidth 
from 
  ###(select dtime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname as website, catdesc, sum(coalesce(duration, 0)) as dura, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and hostname is not null and (logflag&1>0) and action in ('accept','close','timeout') group by dtime, user_src, website, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by dtime, user_src, website, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

web-Top-500-User-Visted-Websites-by-Bandwidth

Web top user visted websites by bandwidth usage

traffic

select 
  website, 
  catdesc, 
  sum(bandwidth) as bandwidth 
from 
  ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by hostname, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by website, catdesc order by bandwidth desc

Dataset Name

Description

Log Category

web-Top-500-User-Visted-Websites-by-Session

Web top user visted websites by session

webfilter

select 
  website, 
  catdesc, 
  sum(sessions) as sessions 
from 
  ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null and (eventtype is null or logver>=52) group by hostname, catdesc order by sessions desc)### t group by website, catdesc order by sessions desc

Dataset Name

Description

Log Category

fct-Installed-Feature-Summary

Installed Feature Summary

fct-event

select 
  clientfeature, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, os, fctver, clientfeature from $log where $filter group by hostname, os, fctver, clientfeature)### t where clientfeature is not null group by clientfeature order by totalnum desc

Dataset Name

Description

Log Category

fct-Device-by-Operating-System

Device by OS

fct-event

select 
  os, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, os, fctver, clientfeature from $log where $filter group by hostname, os, fctver, clientfeature)### t where os is not null group by os order by totalnum desc

Dataset Name

Description

Log Category

fct-Installed-FortiClient-Version

FortiClient Version

fct-event

select 
  fctver as fctver_short, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, os, fctver, clientfeature from $log where $filter group by hostname, os, fctver, clientfeature)### t where fctver is not null group by fctver order by totalnum desc

Dataset Name

Description

Log Category

fct-Endpoint-Profile-Deployment

Endpoint Profile Deployment

fct-event

select 
  profile, 
  count(distinct hostname) as totalnum 
from 
  ###(select hostname, coalesce(nullifna(usingpolicy), 'No Profile') as profile from $log where $filter group by hostname, profile)### t group by profile order by totalnum desc

Dataset Name

Description

Log Category

fct-Client-Summary

Client Summary

fct-event

select 
  hostname, 
  deviceip, 
  os, 
  profile, 
  hostuser, 
  fctver, 
  from_itime(
    max(itime)
  ) as last_seen 
from 
  ###(select hostname, deviceip, os, nullifna(usingpolicy) as profile, nullifna(`user`) as hostuser, fctver, max(itime) as itime from $log where $filter and os is not null group by hostname, deviceip, os, profile, hostuser, fctver order by itime desc)### t group by hostname, deviceip, os, profile, hostuser, fctver order by last_seen desc

Dataset Name

Description

Log Category

fct-Total-Threats-Found

Total Threats Found

fct-traffic

select 
  utmevent_s as utmevent, 
  count(distinct threat) as totalnum 
from 
  ###(select coalesce(nullifna(lower(utmevent)), 'unknown') as utmevent_s, threat from $log where $filter and threat is not null and utmaction='blocked' group by utmevent_s, threat)### t group by utmevent order by totalnum desc

Dataset Name

Description

Log Category

fct-Top10-AV-Threats-Detected

Top AV Threats Detected

fct-traffic

select 
  threat, 
  sum(totalnum) as totalnum 
from 
  (
    ###(select threat, count(*) as totalnum from $log-fct-traffic where $filter and threat is not null and lower(utmevent)='antivirus' group by threat order by totalnum desc)### union all ###(select virus as threat, count(*) as totalnum from $log-fct-event where $filter and virus is not null group by threat order by totalnum desc)###) t group by threat order by totalnum desc

Dataset Name

Description

Log Category

fct-Top10-Infected-Devices-with-Botnet

Top Infected Devices with Botnet

fct-traffic

select 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and hostname is not null 
  and lower(utmevent) in ('webfilter', 'appfirewall') 
  and lower(threat) like '%botnet%' 
group by 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

fct-Top10-Infected-Devices-with-Virus-Malware

Top Infected Devices with Virus Malware

fct-traffic

select 
  hostname, 
  sum(totalnum) as totalnum 
from 
  (
    ###(select hostname, count(*) as totalnum from $log-fct-traffic where $filter and hostname is not null and lower(utmevent) in ('antivirus', 'antimalware') group by hostname order by totalnum desc)### union all ###(select hostname, count(*) as totalnum from $log-fct-event where $filter and hostname is not null and virus is not null group by hostname order by totalnum desc)###) t group by hostname order by totalnum desc

Dataset Name

Description

Log Category

fct-All-Antivirus-Antimalware-Detections

All Antivirus and Antimalware Detections

fct-traffic

select 
  threat, 
  hostname, 
  hostuser, 
  utmaction, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  (
    ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction order by threat)### union all ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction order by threat)###) t group by threat, hostname, hostuser, utmaction order by threat

Dataset Name

Description

Log Category

fct-Web-Filter-Violations

Web Filter Violations

fct-traffic

select 
  remotename, 
  hostname, 
  hostuser, 
  utmaction, 
  sum(total) as totalnum, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  ###(select remotename, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, count(*) as total, max(dtime) as dtime from $log where $filter and lower(utmevent)='webfilter' and utmaction='blocked' group by remotename, hostname, hostuser, utmaction order by total desc)### t group by remotename, hostname, hostuser, utmaction order by totalnum desc

Dataset Name

Description

Log Category

fct-Application-Firewall

Application Firewall

fct-traffic

select 
  threat, 
  hostname, 
  hostuser, 
  utmaction, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log where $filter and lower(utmevent)='appfirewall' and utmaction='blocked' group by threat, hostname, hostuser, utmaction order by dtime desc)### t1 left join app_mdata t2 on t1.threat=t2.name group by threat, risk, hostname, hostuser, utmaction order by risk desc

Dataset Name

Description

Log Category

fct-Errors-and-Alerts

Errors and Alerts

fct-event

select 
  msg, 
  hostname, 
  hostuser, 
  from_dtime(
    max(dtime)
  ) as last_seen 
from 
  ###(select msg, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, max(dtime) as dtime from $log where $filter and level in ('error', 'alert') group by msg, hostname, hostuser order by dtime desc)### t group by msg, hostname, hostuser order by last_seen desc

Dataset Name

Description

Log Category

fct-Threats-by-Top-Devices

Threats by Top Devices

fct-traffic

select 
  hostname, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and hostname is not null 
  and utmevent is not null 
  and utmaction = 'blocked' 
group by 
  hostname 
order by 
  totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Device-Vulnerabilities

Vulnerabilities Detected by User/Device

fct-netscan

select 
  vulnseverity, 
  count(distinct vulnname) as totalnum 
from 
  ###(select vulnseverity, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname)### t group by vulnseverity order by totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Category-Type-Vulnerabilities

Vulnerabilities Detected by Category Type

fct-netscan

select 
  vulncat, 
  count(distinct vulnname) as totalnum 
from 
  ###(select vulncat, vulnname from $log where $filter and nullifna(vulncat) is not null and nullifna(vulnname) is not null group by vulncat, vulnname)### t group by vulncat order by totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Vulnerabilities-by-OS

Forticlient Vulnerabilities by OS

fct-netscan

select 
  os, 
  count(distinct vulnname) as totalnum 
from 
  ###(select os, vulnname from $log where $filter and nullifna(os) is not null and nullifna(vulnname) is not null group by os, vulnname)### t group by os order by totalnum desc

Dataset Name

Description

Log Category

fct-vuln-Vulnerabilities-by-Risk-Level

Number Vulnerability by Device and Risk Level

fct-netscan

select 
  vulnseverity, 
  (
    case when vulnseverity = 'Critical' then 5 when vulnseverity = 'High' then 4 when vulnseverity = 'Medium' then 3 when vulnseverity = 'Low' then 2 when vulnseverity = 'Info' then 1 else 0 end
  ) as severity_number, 
  count(distinct vulnname) as vuln_num, 
  count(distinct devid) as dev_num 
from 
  ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null and nullifna(devid) is not null group by vulnseverity, vulnname, devid)### t group by vulnseverity order by dev_num desc, severity_number desc

Dataset Name

Description

Log Category

fct-vuln-Device-by-Risk-Level

Number Vulnerability by Device and Risk Level

fct-netscan

select 
  vulnseverity, 
  (
    case when vulnseverity = 'Critical' then 5 when vulnseverity = 'High' then 4 when vulnseverity = 'Medium' then 3 when vulnseverity = 'Low' then 2 when vulnseverity = 'Info' then 1 else 0 end
  ) as severity_number, 
  count(distinct vulnname) as vuln_num, 
  count(distinct devid) as dev_num 
from 
  ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null and nullifna(devid) is not null group by vulnseverity, vulnname, devid)### t group by vulnseverity order by dev_num desc, severity_number desc

Dataset Name

Description

Log Category

fct-vuln-Vulnerability-Trend

Vulnerability Trend

fct-netscan

select 
  $flex_timescale(timestamp) as hodex, 
  count(distinct vulnname) as total_num 
from 
  ###(select $flex_timestamp as timestamp, vulnname from $log where $filter and nullifna(vulnname) is not null group by timestamp, vulnname order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

fct-vuln-Details-by-Risk-Level-Device

Vulnerability Details for Each Risk Level by Device

fct-netscan

select 
  hostname, 
  os, 
  vulnseverity, 
  count(distinct vulnname) as vuln_num, 
  count(distinct products) as products, 
  count(distinct cve_id) as cve_count 
from 
  ###(select hostname, os, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and vulnseverity is not null and hostname is not null group by hostname, os, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, os, vulnseverity order by vuln_num desc, hostname

Dataset Name

Description

Log Category

fct-vuln-Details-by-Device-User

Vulnerability Details by Device User

fct-netscan

select 
  hostname, 
  (
    '<div style=word-break:normal>' || vulnname || '</div>'
  ) as vulnname, 
  vulnseverity, 
  vulncat, 
  string_agg(distinct products, ',') as products, 
  string_agg(distinct cve_id, ',') as cve_list, 
  (
    '<a href=' || String_agg(DISTINCT vendor_link, ',') || '>Remediation Info</a>'
  ) as vendor_link 
from 
  ###(select hostname, vulnname, vulnseverity, vulncat, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulncat, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity, vulncat order by hostname

Dataset Name

Description

Log Category

fct-vuln-Remediation-by-Device

Remediate The Vulnerability Found on Device

fct-netscan

select 
  hostname, 
  (
    '<div style=word-break:normal>' || vulnname || '</div>'
  ) as vulnname, 
  vulnseverity, 
  string_agg(distinct vendor_link, ',') as vendor_link 
from 
  ###(select hostname, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity order by vulnseverity, hostname

Dataset Name

Description

Log Category

fct-vuln-Remediation-by-Vulnerability

Remediation by Vulnerability

fct-netscan

select 
  (
    '<b>' || vulnname || '</b><br/><br/>' || 'Description<br/><div style=word-break:normal>' || description || '</div><br/><br/>' || 'Affected Products<br/>' || products || '<br/><br/>' || 'Impact<br/>' || impact || '<br/><br/>' || 'Recommended Actions<br/>' || vendor_link || '<br/><br/><br/>'
  ) as remediation 
from 
  ###(select devid, vulnname, vulnseverity, (case vulnseverity when 'low' then 1 when 'info' then 2 when 'medium' then 3 when 'high' then 4 when 'critical' then 5 else 0 end) as severity_level, vulnid from $log where $filter and vulnname is not null group by devid, vulnname, vulnseverity, severity_level, vulnid order by severity_level)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by remediation order by remediation

Dataset Name

Description

Log Category

fct-vuln-Top-30-Targeted-High-Risk-Vulnerabilities

Top 30 Targeted High Risk Vulnerabilities

fct-netscan

select 
  t3.cve_id, 
  score, 
  string_agg(distinct products, ',') as products, 
  (
    '<a href=' || String_agg(vendor_link, ',') || '>Mitigation Infomation</a>'
  ) as vendor_link 
from 
  ###(select vulnid from $log where $filter group by vulnid)### t1 inner join fct_mdata t2 on t2.vid=t1.vulnid::text inner join fct_cve_score t3 on strpos(t2.cve_id, t3.cve_id) > 0 group by t3.cve_id, score order by score desc, t3.cve_id

Dataset Name

Description

Log Category

os-Detect-OS-Count

Detected operation system count

traffic

select 
  (
    coalesce(osname, 'Unknown')
  ) as os, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  os 
order by 
  totalnum desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Sessions-Table

Drilldown top applications by session count

traffic

select 
  appid, 
  app, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Sessions-Bar

Drilldown top applications by session count

traffic

select 
  appid, 
  app, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Bandwidth-Table

Drilldown top applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-App-By-Bandwidth-Bar

Drilldown top applications by bandwidth usage

traffic

select 
  appid, 
  app, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-Destination-By-Sessions-Table

Drilldown top destination by session count

traffic

select 
  dstip, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-Destination-By-Bandwidth-Table

Drilldown top destination by bandwidth usage

traffic

select 
  dstip, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Sessions-Table

Drilldown top user by session count

traffic

select 
  user_src, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Sessions-Bar

Drilldown top user by session count

traffic

select 
  user_src, 
  sum(sessions) as sessions 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src order by sessions desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Bandwidth-Table

Drilldown top user by bandwidth usage

traffic

select 
  user_src, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-User-By-Bandwidth-Bar

Drilldown top user by bandwidth usage

traffic

select 
  user_src, 
  sum(bandwidth) as bandwidth 
from 
  ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src having sum(bandwidth)>0 order by bandwidth desc

Dataset Name

Description

Log Category

drilldown-Top-Web-User-By-Visit-Table

Drilldown top web user by visit

traffic

select 
  user_src, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and user_src is not null group by user_src order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Web-User-By-Visit-Bar

Drilldown top web user by visit

traffic

select 
  user_src, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and user_src is not null group by user_src order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Website-By-Request-Table

Drilldown top website by request

traffic

select 
  hostname, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and hostname is not null group by hostname order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Website-By-Request-Bar

Drilldown top website by request

traffic

select 
  hostname, 
  sum(requests) as visits 
from 
  (
    ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and (eventtype is null or logver>=52) and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and hostname is not null group by hostname order by visits desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Sender-By-Volume

Drilldown top email sender by volume

traffic

select 
  sender, 
  sum(bandwidth) as volume 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Send-Recipient-By-Volume

Drilldown top email send recipient by volume

traffic

select 
  recipient, 
  sum(bandwidth) as volume 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Sender-By-Count

Drilldown top email sender by count

traffic

select 
  sender, 
  sum(requests) as requests 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Send-Recipient-By-Count

Drilldown top email send recipient by count

traffic

select 
  recipient, 
  sum(requests) as requests 
from 
  (
    ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Recipient-By-Volume

Drilldown top email receiver by volume

traffic

select 
  recipient, 
  sum(bandwidth) as volume 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Receive-Sender-By-Volume

Drilldown top email receive sender by volume

traffic

select 
  sender, 
  sum(bandwidth) as volume 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by volume desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Recipient-By-Count

Drilldown top email receiver by count

traffic

select 
  recipient, 
  sum(requests) as requests 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Email-Receive-Sender-By-Count

Drilldown top email receive sender by count

traffic

select 
  sender, 
  sum(requests) as requests 
from 
  (
    ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender order by requests desc

Dataset Name

Description

Log Category

drilldown-Top-Attack-Destination

Drilldown top attack dest

attack

select 
  dstip, 
  sum(totalnum) as totalnum 
from 
  ###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-var group by srcip, dstip order by totalnum desc)### t where $filter-drilldown and dstip is not null group by dstip order by totalnum desc

Dataset Name

Description

Log Category

drilldown-Top-Attack-Source

Drilldown top attack source

attack

select 
  srcip, 
  sum(totalnum) as totalnum 
from 
  ###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-var group by srcip, dstip order by totalnum desc)### t where $filter-drilldown and srcip is not null group by srcip order by totalnum desc

Dataset Name

Description

Log Category

drilldown-Top-Attack-List

Drilldown top attack list

attack

select 
  from_itime(itime) as timestamp, 
  attack, 
  srcip, 
  dstip 
from 
  ###(select itime, attack, srcip, dstip from $log where $filter-exclude-var order by itime desc)### t where $filter-drilldown order by timestamp desc

Dataset Name

Description

Log Category

drilldown-Top-Virus

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

drilldown-Virus-Detail

Drilldown virus detail

virus

select 
  from_itime(itime) as timestamp, 
  virus, 
  user_src, 
  dstip, 
  hostname, 
  recipient 
from 
  ###(select itime, virus, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, dstip,  cast(' ' as char) as hostname, cast(' ' as char) as recipient from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null order by itime desc)### t where $filter-drilldown order by timestamp desc

Dataset Name

Description

Log Category

user-drilldown-Top-Blocked-Web-Sites-By-Requests

User drilldown top blocked web sites by requests

webfilter

select 
  hostname, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, action, count(*) as requests from $log where $filter and hostname is not null group by user_src, hostname, action order by requests desc)### t where $filter-drilldown and action='blocked' group by hostname order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Allowed-Web-Sites-By-Requests

User drilldown top allowed web sites by requests

webfilter

select 
  hostname, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, action, count(*) as requests from $log where $filter and hostname is not null group by user_src, hostname, action order by requests desc)### t where $filter-drilldown and action!='blocked' group by hostname order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Blocked-Web-Categories

User drilldown top blocked web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as requests from $log where $filter and catdesc is not null group by user_src, catdesc, action order by requests desc)### t where $filter-drilldown and action='blocked' group by catdesc order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Allowed-Web-Categories

User drilldown top allowed web categories

webfilter

select 
  catdesc, 
  sum(requests) as requests 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as requests from $log where $filter and catdesc is not null group by user_src, catdesc, action order by requests desc)### t where $filter-drilldown and action!='blocked' group by catdesc order by requests desc

Dataset Name

Description

Log Category

user-drilldown-Top-Attacks

User drilldown top attacks by name

attack

select 
  attack, 
  sum(attack_count) as attack_count 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack, high_severity order by attack_count desc)### t where $filter-drilldown group by attack order by attack_count desc

Dataset Name

Description

Log Category

user-drilldown-Top-Attacks-High-Severity

User drilldown top attacks high severity

attack

select 
  attack, 
  sum(attack_count) as attack_count 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack, high_severity order by attack_count desc)### t where $filter-drilldown and high_severity=1 group by attack order by attack_count desc

Dataset Name

Description

Log Category

user-drilldown-Top-Virus-By-Name

User drilldown top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by user_src, virus, virusid_s order by totalnum desc)### t where $filter-drilldown group by virus order by totalnum desc

Dataset Name

Description

Log Category

user-drilldown-Top-Virus-Receivers-Over-Email

User drilldown top virus receivers over email

virus

select 
  receiver, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `to` as receiver, count(*) as totalnum from $log where $filter and subtype='infected' and (service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') or service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')) and nullifna(virus) is not null group by user_src, receiver order by totalnum desc)### t where $filter-drilldown group by receiver order by totalnum desc

Dataset Name

Description

Log Category

user-drilldown-Count-Spam-Activity-by-Hour-of-Day

User drilldown count spam activity by hour of day

emailfilter

select 
  hourstamp, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, $hour_of_day as hourstamp, count(*) as totalnum from $log where $filter and `to` is not null and action in ('detected', 'blocked') group by user_src, hourstamp order by hourstamp)### t where $filter-drilldown group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

user-drilldown-Top-Spam-Sources

User drilldown top spam sources

emailfilter

select 
  mf_sender, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as mf_sender, count(*) as totalnum from $log where $filter and `from` is not null and action in ('detected', 'blocked') group by user_src, mf_sender order by totalnum desc)### t where $filter-drilldown group by mf_sender order by totalnum desc

Dataset Name

Description

Log Category

event-Usage-CPU

Event usage CPU

event

select 
  hourstamp, 
  cast(
    sum(cpu_usage)/ sum(num) as decimal(6, 2)
  ) as cpu_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

event-Usage-Memory

Event usage memory

event

select 
  hourstamp, 
  cast(
    sum(mem_usage)/ sum(num) as decimal(6, 2)
  ) as mem_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(mem) as mem_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

event-Usage-Sessions

Event usage sessions

event

select 
  hourstamp, 
  cast(
    sum(sess_usage)/ sum(num) as decimal(10, 2)
  ) as sess_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(totalsession) as sess_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

event-Usage-CPU-Sessions

Event usage CPU sessions

event

select 
  hourstamp, 
  cast(
    sum(sess_usage)/ sum(num) as decimal(10, 2)
  ) as sess_avg_usage, 
  cast(
    sum(cpu_usage)/ sum(num) as decimal(6, 2)
  ) as cpu_avg_usage 
from 
  ###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, sum(totalsession) as sess_usage, count(*) as num from $log where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

App-Risk-Top-Users-By-Bandwidth

Top users by bandwidth usage

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  srcip, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  sum(
    coalesce(rcvdbyte, 0)
  ) as traffic_in, 
  sum(
    coalesce(sentbyte, 0)
  ) as traffic_out 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcip is not null 
group by 
  user_src, 
  srcip 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Top-User-Source-By-Sessions

Application risk top user source by session count

traffic

select 
  srcip, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and srcip is not null 
group by 
  srcip, 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

App-Risk-Top-Users-By-Reputation-Scores-Bar

Application risk reputation top users by scores

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  user_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

App-Risk-Top-Devices-By-Reputation-Scores

Application risk reputation top devices by scores

traffic

select 
  devtype, 
  coalesce(
    nullifna(`srcname`), 
    nullifna(`srcmac`), 
    ipstr(`srcip`)
  ) as dev_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  devtype, 
  dev_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

App-Risk-Application-Usage-By-Category-With-Pie

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-App-Usage-by-Category

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Top-20-Categories-By-Bandwidth

Webfilter categories by bandwidth usage

webfilter

select 
  catdesc, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by catdesc order by bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Key-Applications-Crossing-The-Network

Application risk application activity

traffic

select 
  app_group_name(app) as app_group, 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  count(*) as num_session 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app_group, 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Applications-Running-Over-HTTP

Application risk applications running over HTTP

traffic

select 
  app_group_name(app) as app_group, 
  service, 
  count(*) as sessions, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and service in (
    '80/tcp', '443/tcp', 'HTTP', 'HTTPS', 
    'http', 'https'
  ) 
group by 
  app_group, 
  service 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

App-Risk-Top-Web-Sites-Visited-By-Network-Users-Pie-Cha

Application risk web browsing summary category

traffic

select 
  catdesc, 
  sum(num_sess) as num_sess, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc order by num_sess desc

Dataset Name

Description

Log Category

App-Risk-Top-Web-Sites-Visited-By-Network-Users

Application risk web browsing summary category

traffic

select 
  catdesc, 
  sum(num_sess) as num_sess, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc order by num_sess desc

Dataset Name

Description

Log Category

App-Risk-Web-Browsing-Hostname-Category

Application risk web browsing activity hostname category

webfilter

select 
  domain, 
  catdesc, 
  sum(visits) as visits 
from 
  ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*) as visits from $log where $filter and (eventtype is null or logver>=52) and catdesc is not null group by domain, catdesc order by visits desc)### t group by domain, catdesc order by visits desc

Dataset Name

Description

Log Category

Top-Destination-Countries-By-Browsing-Time

Traffic top destination countries by browsing time

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

Top-Destination-Countries-By-Browsing-Time-Enhanced

Traffic top destination countries by browsing time enhanced

traffic

select 
  dstcountry, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc

Dataset Name

Description

Log Category

App-Risk-Traffic-Top-Hostnames-By-Browsing-Time

Traffic top domains by browsing time

traffic

select 
  hostname, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname) t group by hostname /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

App-Risk-Traffic-Top-Hostnames-By-Browsing-Time-Enhanced

Traffic top domains by browsing time enhanced

traffic

select 
  hostname, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname) t group by hostname /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

App-Risk-Top-Threat-Vectors-Crossing-The-Network

Application risk top threat vectors

attack

select 
  severity, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
group by 
  severity 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Critical-Threat-Vectors-Crossing-The-Network

Application risk top critical threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'critical' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-High-Threat-Vectors-Crossing-The-Network

Application risk top high threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'high' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Medium-Threat-Vectors-Crossing-The-Network

Application risk top medium threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'medium' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Low-Threat-Vectors-Crossing-The-Network

Application risk top low threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'low' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Info-Threat-Vectors-Crossing-The-Network

Application risk top info threat vectors

attack

select 
  attack, 
  severity, 
  ref, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and severity = 'info' 
  and nullifna(attack) is not null 
group by 
  attack, 
  severity, 
  ref 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Virus-By-Name

UTM top virus

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  (
    case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end
  ) as malware_type, 
  sum(totalnum) as totalnum 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc

Dataset Name

Description

Log Category

App-Risk-Top-Virus-Victim

UTM top virus user

virus

select 
  user_src, 
  sum(totalnum) as totalnum 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not null group by user_src /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by user_src order by totalnum desc

Dataset Name

Description

Log Category

App-Risk-Data-Loss-Prevention-Type-Events

Application risk DLP UTM event

dlp

select 
  utmsubtype, 
  sum(number) as number 
from 
  ###(select subtype::text as utmsubtype, count(*) as number from $log where $filter and subtype is not null group by subtype order by number desc)### t group by utmsubtype order by number desc

Dataset Name

Description

Log Category

App-Risk-Vulnerability-Discovered

Application risk vulnerability discovered

netscan

select 
  vuln, 
  vulnref as ref, 
  vulncat, 
  severity, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and vuln is not null 
group by 
  vuln, 
  vulnref, 
  vulncat, 
  severity 
order by 
  totalnum desc

Dataset Name

Description

Log Category

App-Risk-Malware-Discovered

Application risk virus discovered

virus

select 
  dom, 
  sum(totalnum) as totalnum 
from 
  ###(select $DAY_OF_MONTH as dom, count(*) as totalnum from $log where $filter and nullifna(virus) is not null and (eventtype is null or logver>=52) group by dom order by totalnum desc)### t group by dom order by totalnum desc

Dataset Name

Description

Log Category

App-Risk-Breakdown-Of-Risk-Applications

Application risk breakdown of risk applications

traffic

select 
  unnest(
    string_to_array(behavior, ',')
  ) as d_behavior, 
  count(*) as number 
from 
  $log t1 
  inner join app_mdata t2 on t1.appid = t2.id 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  d_behavior 
order by 
  number desc

Dataset Name

Description

Log Category

App-Risk-Number-Of-Applications-By-Risk-Behavior

Application risk number of applications by risk behavior

traffic

select 
  risk as d_risk, 
  unnest(
    string_to_array(behavior, ',')
  ) as f_behavior, 
  count(*) as number 
from 
  $log t1 
  inner join app_mdata t2 on t1.appid = t2.id 
where 
  $filter 
  and (
    logflag&1>0
  ) 
group by 
  risk, 
  f_behavior 
order by 
  risk desc, 
  number desc

Dataset Name

Description

Log Category

App-Risk-High-Risk-Application

Application risk high risk application

traffic

select 
  risk as d_risk, 
  behavior as d_behavior, 
  t2.id, 
  t2.name, 
  t2.app_cat, 
  t2.technology, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  count(*) as sessions 
from 
  $log t1 
  inner join app_mdata t2 on t1.appid = t2.id 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and behavior is not null 
group by 
  t2.id 
order by 
  risk desc, 
  sessions desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Severe-High-Risk-Application

Severe and high risk applications

traffic

select 
  appcat, 
  count(distinct app) as total_num 
from 
  ###(select appcat, app from $log where $filter and app is not null and appcat is not null and (logflag&1>0) and apprisk in ('critical', 'high') group by appcat, app)### t group by appcat order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Threats-Prevention

Threat Prevention

app-ctrl

select 
  threat_name, 
  count(distinct threats) as total_num 
from 
  (
    ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, app as threats from $log-app-ctrl where $filter and lower(appcat)='botnet' group by app)### union all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, virus as threats from $log-virus where $filter and nullifna(virus) is not null group by virus)### union all ###(select cast('Malicious & Phishing Sites' as char(32)) as threat_name, hostname as threats from $log-webfilter where $filter and cat in (26, 61) group by hostname)### union all ###(select cast('Critical & High Intrusion Attacks' as char(32)) as threat_name, attack as total_num from $log-attack where $filter and severity in ('critical', 'high') group by attack)###) t group by threat_name order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Application-Vulnerability

Application vulnerabilities discovered

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  severity_number, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as sources, 
  sum(totalnum) as totalnum 
from 
  ###(select attack, attackid, vuln_type, t2.cve, (case when t1.severity='critical' then 5 when t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.severity='low' then 2 when t1.severity='info' then 1 else 0 end) as severity_number, dstip, srcip, count(*) as totalnum from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null and t1.severity is not null group by attack, attackid, vuln_type, t2.cve, t1.severity, dstip, srcip )### t group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Breakdown-Of-High-Risk-Application

Severe and high risk applications

traffic

select 
  appcat, 
  count(distinct app) as total_num 
from 
  ###(select appcat, app from $log where $filter and app is not null and appcat is not null and (logflag&1>0) and apprisk in ('critical', 'high') group by appcat, app)### t group by appcat order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Top-20-High-Risk-Application

Application risk high risk application

traffic

select 
  risk as d_risk, 
  count(distinct user_src) as users, 
  id, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select lower(app) as lowapp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by lowapp, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.lowapp=lower(t2.name) where risk>='4' group by id, name, app_cat, technology, risk order by d_risk desc, sessions desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-High-Risk-Application-Behavioral

Application Behavioral Characteristics

traffic

select 
  behavior, 
  round(
    sum(total_num)* 100 / sum(
      sum(total_num)
    ) over (), 
    2
  ) as percentage 
from 
  ###(select (case when lower(appcat)='botnet' then 'malicious' when lower(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('storage.backup', 'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p' then 'peer-to-peer' when lower(appcat)='proxy' then 'proxy' end) as behavior, count(*) as total_num from $log where $filter and lower(appcat) in ('botnet', 'remote.access', 'storage.backup', 'video/audio', 'p2p', 'proxy') and (logflag&1>0) and apprisk in ('critical', 'high') group by appcat)### t group by behavior order by percentage desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Key-Application-Crossing-The-Network

Key Application Crossing The Network

traffic

select 
  risk as d_risk, 
  count(distinct user_src) as users, 
  id, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by app, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name group by id, app, app_cat, technology, risk order by bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Risk-Application-Usage-By-Category-With-Pie

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Category-Breakdown-By-Bandwidth

Category breakdown of all applications, sorted by bandwidth

traffic

select 
  appcat, 
  count(distinct app) as app_num, 
  count(distinct f_user) as user_num, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as num_session 
from 
  ###(select appcat, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log where $filter and (logflag&1>0) and nullifna(appcat) is not null group by appcat, app, f_user)### t group by appcat order by bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Top-Web-Applications-by-Bandwidth

Top 25 Web Categories by Bandwidtih

traffic

select 
  d_risk, 
  id, 
  name, 
  technology, 
  count(distinct f_user) as user_num, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as num_session 
from 
  ###(select risk as d_risk, t2.id, t2.name, t2.technology, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by risk, t2.id, t2.name, t2.technology, f_user)### t group by d_risk, id, name, technology order by bandwidth desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Top-Web-Categories-Visited

Top 25 Web Categories Visited

traffic

select 
  catdesc, 
  count(distinct f_user) as user_num, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Common-Virus-Botnet-Spyware

Common virus disvocered, the botnet communictions and the spyware/adware

traffic

select 
  virus_s as virus, 
  (
    case when lower(appcat)= 'botnet' then 'Botnet C&C' else (
      case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end
    ) end
  ) as malware_type, 
  appid, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, appid, dstip, srcip, app order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, appid, dstip, srcip, app order by total_num desc)###) t group by virus, appid, app, malware_type order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Zero-Day-Detected-On-Network

Zero-day malware detected on the network

traffic

select 
  virus_s, 
  appid, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select unnest(string_to_array(virus, ',')) as virus_s, appid, app, dstip, srcip, count(*) as total_num from $log where $filter and (logflag&1>0) and virus like '%PossibleThreat.SB%' group by virus_s, dstip, srcip, appid, app )### t where virus_s like '%PossibleThreat.SB%' group by virus_s, appid, app  order by total_num desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-Files-Analyzed-By-FortiCloud-Sandbox

Files analyzed by FortiCloud Sandbox

virus

select 
  $DAY_OF_MONTH as dom, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(filename) is not null 
  and logid_to_int(logid)= 9233 
group by 
  dom 
order by 
  dom

Dataset Name

Description

Log Category

Apprisk-Ctrl-Malicious-Files-Detected-By-FortiCloud-Sandbox

Files detected by FortiCloud Sandbox

virus

select 
  filename, 
  analyticscksum, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source 
from 
  ###(select filename, analyticscksum, dstip, srcip from $log where $filter and filename is not null and logid_to_int(logid)=9233 and analyticscksum is not null group by filename, analyticscksum, srcip, dstip)### t group by filename, analyticscksum order by victims desc, source desc

Dataset Name

Description

Log Category

Apprisk-Ctrl-File-Transferred-By-Application

File transferred by applications on the network

app-ctrl

select 
  appid, 
  app, 
  filename, 
  cloudaction, 
  max(filesize) as filesize 
from 
  $log 
where 
  $filter 
  and filesize is not null 
  and clouduser is not null 
  and filename is not null 
group by 
  cloudaction, 
  appid, 
  app, 
  filename 
order by 
  filesize desc

Dataset Name

Description

Log Category

appctrl-Top-Blocked-SCCP-Callers

Appctrl top blocked SCCP callers

app-ctrl

select 
  srcname as caller, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and lower(appcat)= 'voip' 
  and app = 'sccp' 
  and action = 'block' 
  and srcname is not null 
group by 
  caller 
order by 
  totalnum desc

Dataset Name

Description

Log Category

appctrl-Top-Blocked-SIP-Callers

Appctrl top blocked SIP callers

app-ctrl

select 
  srcname as caller, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and srcname is not null 
  and lower(appcat)= 'voip' 
  and app = 'sip' 
  and action = 'block' 
group by 
  caller 
order by 
  totalnum desc

Dataset Name

Description

Log Category

security-Top20-High-Risk-Application-In-Use

High risk application in use

traffic

select 
  d_risk, 
  count(distinct f_user) as users, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select risk as d_risk, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth,  count(*) as sessions from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and risk>='4' and (logflag&1>0) group by f_user, t2.name, t2.app_cat, t2.technology, risk)### t group by d_risk, name, app_cat, technology order by d_risk desc, sessions desc

Dataset Name

Description

Log Category

security-High-Risk-Application-By-Category

High risk application by category

traffic

select 
  app_cat, 
  count(distinct app) as total_num 
from 
  ###(select app_cat, app from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and risk>='4' and (logflag&1>0) group by app_cat, app)### t group by app_cat order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Application-Categories-By-Bandwidth

Application risk application usage by category

traffic

select 
  appcat, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(appcat) is not null 
group by 
  appcat 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

Security-Category-Breakdown-By-Bandwidth

Category breakdown of all applications, sorted by bandwidth

traffic

select 
  appcat, 
  count(distinct app) as app_num, 
  count(distinct f_user) as user_num, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as num_session 
from 
  ###(select appcat, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log where $filter and (logflag&1>0) and nullifna(appcat) is not null group by appcat, app, f_user)### t group by appcat order by bandwidth desc

Dataset Name

Description

Log Category

security-Top25-Web-Applications-By-Bandwidth

Top Web Applications by Bandwidtih

traffic

select 
  d_risk, 
  name, 
  app_cat, 
  technology, 
  count(distinct f_user) as users, 
  sum(bandwidth) as bandwidth, 
  sum(num_session) as sessions 
from 
  ###(select risk as d_risk, t2.app_cat, t2.name, t2.technology, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by risk, t2.app_cat, t2.name, t2.technology, f_user)### t group by d_risk, name, app_cat, technology order by bandwidth desc

Dataset Name

Description

Log Category

Security-Top25-Web-Categories-Visited

Top 25 Web Categories Visited

traffic

select 
  catdesc, 
  count(distinct f_user) as user_num, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc

Dataset Name

Description

Log Category

security-Top25-Malware-Virus-Botnet-Spyware

Malware: viruses, Bots, Spyware/Adware

traffic

select 
  virus_s as virus, 
  (
    case when lower(appcat)= 'botnet' then 'Botnet C&C' else (
      case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end
    ) end
  ) as malware_type, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, dstip, srcip order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, dstip, srcip order by total_num desc)###) t group by virus, malware_type order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Malware-Virus-Spyware

Malware: viruses, Spyware/Adware

virus

select 
  virus, 
  max(virusid_s) as virusid, 
  malware_type, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, srcip, dstip, (case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end)  as malware_type, count(*) as total_num from $log where $filter and nullifna(virus) is not null group by virus, virusid_s, srcip, dstip order by total_num desc)### t group by virus, malware_type order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Malware-Botnet

Malware: Botnet

appctrl

select 
  app, 
  appid, 
  malware_type, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select app, appid, cast('Botnet C&C' as char(32)) as malware_type, srcip, dstip, count(*) as total_num from $log where $filter and lower(appcat)='botnet' and nullifna(app) is not null group by app, appid, malware_type, srcip, dstip order by total_num desc)### t group by app, appid, malware_type order by total_num desc

Dataset Name

Description

Log Category

security-Top10-Victims-of-Malware

Victims of Malware

virus

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  virus as malware, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and virus is not null 
group by 
  user_src, 
  malware 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Top10-Victims-of-Phishing-Site

Victims of Phishing Site

webfilter

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  (
    lower(service) || '://' || hostname || url
  ) as phishing_site, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and lower(service) in ('http', 'https') 
  and hostname is not null 
  and cat in (26, 61) 
group by 
  user_src, 
  phishing_site 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Top25-Malicious-Phishing-Sites

Malicious Phishing Site

webfilter

select 
  phishing_site, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total) as total_num 
from 
  ###(select (lower(service) || '://' || hostname || url) as phishing_site, dstip, srcip, count(*) as total from $log where $filter and lower(service) in ('http', 'https') and hostname is not null and cat in (26, 61) group by phishing_site, dstip, srcip order by total desc)### t group by phishing_site order by total_num desc

Dataset Name

Description

Log Category

security-Application-Vulnerability

Application vulnerabilities discovered

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  severity_number, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as sources, 
  sum(totalnum) as totalnum 
from 
  ###(select attack, attackid, vuln_type, t2.cve, (case when t1.severity='critical' then 5 when t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.severity='low' then 2 when t1.severity='info' then 1 else 0 end) as severity_number, dstip, srcip, count(*) as totalnum from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null and t1.severity is not null group by attack, attackid, vuln_type, t2.cve, t1.severity, dstip, srcip )### t group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc

Dataset Name

Description

Log Category

security-Files-Analyzed-By-FortiCloud-Sandbox

Files analyzed by FortiCloud Sandbox

virus

select 
  $day_of_week as dow, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(filename) is not null 
  and logid_to_int(logid)= 9233 
group by 
  dow 
order by 
  dow

Dataset Name

Description

Log Category

Security-Zero-Day-Detected-On-Network

Zero-day malware detected on the network

traffic

select 
  virus_s, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  ###(select unnest(string_to_array(virus, ',')) as virus_s, app, dstip, srcip, count(*) as total_num from $log where $filter and (logflag&1>0) and virus like '%PossibleThreat.SB%' group by virus_s, dstip, srcip, app)### t group by virus_s, app order by total_num desc

Dataset Name

Description

Log Category

security-Data-Loss-Incidents-By-Severity

Data loss incidents summary by severity

dlp

select 
  initcap(severity : :text) as s_severity, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and severity is not null 
group by 
  s_severity 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Data-Loss-Files-By-Service

Data Lass Files By Service

dlp

select 
  filename, 
  (
    case direction when 'incoming' then 'Download' when 'outgoing' then 'Upload' end
  ) as action, 
  max(filesize) as filesize, 
  service 
from 
  $log 
where 
  $filter 
  and filesize is not null 
group by 
  filename, 
  direction, 
  service 
order by 
  filesize desc

Dataset Name

Description

Log Category

security-Endpoint-Security-Events-Summary

Endpoint Security Events summary

fct-traffic

select 
  (
    case utmevent when 'antivirus' then 'Malware incidents' when 'webfilter' then 'Malicious/phishing websites' when 'appfirewall' then 'Risk applications' when 'dlp' then 'Data loss incidents' when 'netscan' then 'Vulnerability detected' else 'Others' end
  ) as events, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and utmevent is not null 
group by 
  events 
order by 
  total_num desc

Dataset Name

Description

Log Category

security-Top-Endpoing-Running-High-Risk-Application

Endpoints Running High Risk Application

fct-traffic

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`srcip`), 
    'Unknown'
  ) as f_user, 
  coalesce(
    nullifna(hostname), 
    'Unknown'
  ) as host_name, 
  threat as app, 
  t2.app_cat as appcat, 
  risk as d_risk 
from 
  $log t1 
  inner join app_mdata t2 on t1.threat = t2.name 
where 
  $filter 
  and utmevent = 'appfirewall' 
  and risk & gt;= '4' 
group by 
  f_user, 
  host_name, 
  t1.threat, 
  t2.app_cat, 
  t2.risk 
order by 
  risk desc

Dataset Name

Description

Log Category

security-Top-Endpoints-Infected-With-Malware

Endpoints Infected With Malware

fct-event

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`deviceip`), 
    'Unknown'
  ) as f_user, 
  coalesce(
    nullifna(hostname), 
    'Unknown'
  ) as host_name, 
  virus, 
  file 
from 
  $log 
where 
  $filter 
  and clientfeature = 'av' 
  and virus is not null 
group by 
  f_user, 
  host_name, 
  virus, 
  file

Dataset Name

Description

Log Category

security-Top-Endpoints-With-Web-Violateions

Endpoints With Web Violations

fct-traffic

select 
  f_user, 
  host_name, 
  remotename, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, remotename, count(*) as total_num from $log where $filter and utmevent='webfilter' and remotename is not null and utmaction='blocked' group by f_user, host_name, remotename order by total_num desc)### t group by f_user, host_name, remotename order by total_num desc

Dataset Name

Description

Log Category

security-Top-Endpoints-With-Data-Loss-Incidents

Endpoints With Data Loss Incidents

fct-event

select 
  f_user, 
  host_name, 
  msg, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`user`), ipstr(`deviceip`), 'Unknown') as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, msg, count(*) as total_num from $log where $filter and clientfeature='dlp' group by f_user, host_name, msg order by total_num desc)### t group by f_user, host_name, msg order by total_num desc

Dataset Name

Description

Log Category

content-Count-Total-SCCP-Call-Registrations-by-Hour-of-Day

Content count total SCCP call registrations by hour of day

content

select 
  $hour_of_day as hourstamp, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sccp' 
  and kind = 'register' 
group by 
  hourstamp 
order by 
  hourstamp

Dataset Name

Description

Log Category

content-Count-Total-SCCP-Calls-Duration-by-Hour-of-Day

Content count total SCCP calls duration by hour of day

content

select 
  $hour_of_day as hourstamp, 
  sum(duration) as sccp_usage 
from 
  $log 
where 
  $filter 
  and proto = 'sccp' 
  and kind = 'call-info' 
  and status = 'end' 
group by 
  hourstamp 
order by 
  hourstamp

Dataset Name

Description

Log Category

content-Count-Total-SCCP-Calls-per-Status

Content count total SCCP calls per status

content

select 
  status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sccp' 
  and kind = 'call-info' 
group by 
  status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

content-Count-Total-SIP-Call-Registrations-by-Hour-of-Day

Content count total SIP call registrations by hour of day

content

select 
  $hour_of_day as hourstamp, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sip' 
  and kind = 'register' 
group by 
  hourstamp 
order by 
  hourstamp

Dataset Name

Description

Log Category

content-Count-Total-SIP-Calls-per-Status

Content count total SIP calls per status

content

select 
  status, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sip' 
  and kind = 'call' 
group by 
  status 
order by 
  totalnum desc

Dataset Name

Description

Log Category

content-Dist-Total-SIP-Calls-by-Duration

Content dist total SIP calls by duration

content

select 
  (
    case when duration<60 then 'LESS_ONE_MIN' when duration<600 then 'LESS_TEN_MIN' when duration<3600 then 'LESS_ONE_HOUR' when duration & gt;= 3600 then 'MORE_ONE_HOUR' else 'unknown' end
  ) as f_duration, 
  count(*) as totalnum 
from 
  $log 
where 
  $filter 
  and proto = 'sip' 
  and kind = 'call' 
  and status = 'end' 
group by 
  f_duration 
order by 
  totalnum desc

Dataset Name

Description

Log Category

Botnet-Activity-By-Sources

Botnet activity by sources

traffic

select 
  app, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and nullifna(app) is not null 
group by 
  app, 
  user_src 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Infected-Hosts

Botnet infected hosts

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  devtype, 
  coalesce(srcname, srcmac) as host_mac, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
group by 
  user_src, 
  devtype, 
  host_mac 
order by 
  events desc

Dataset Name

Description

Log Category

Detected-Botnet

Detected botnet

traffic

select 
  app, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and nullifna(app) is not null 
group by 
  app 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Sources

Botnet sources

traffic

select 
  dstip, 
  root_domain(hostname) as domain, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and dstip is not null 
group by 
  dstip, 
  domain 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Victims

Botnet victims

traffic

select 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as events 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and appcat = 'Botnet' 
  and srcip is not null 
group by 
  user_src 
order by 
  events desc

Dataset Name

Description

Log Category

Botnet-Timeline

Botnet timeline

traffic

select 
  $flex_datetime(timestamp) as hodex, 
  sum(events) as events 
from 
  (
    ###(select $flex_timestamp as timestamp, count(*) as events from $log where $filter and (logflag&1>0) and appcat='Botnet' group by timestamp order by timestamp desc)### union all ###(select $flex_timestamp as timestamp, count(*) as events from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp order by timestamp)###) t group by hodex order by hodex

Dataset Name

Description

Log Category

Application-Session-History

Application session history

traffic

select 
  $flex_timescale(timestamp) as hodex, 
  sum(counter) as counter 
from 
  ###(select $flex_timestamp as timestamp, count(*) as counter from $log where $filter and (logflag&1>0) group by timestamp order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

Application-Usage-List

Detailed application usage

traffic

select 
  appid, 
  app, 
  appcat, 
  (
    case when (
      utmaction in ('block', 'blocked') 
      or action = 'deny'
    ) then 'Blocked' else 'Allowed' end
  ) as custaction, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth, 
  count(*) as num_session 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and policyid != 0 
group by 
  appid, 
  app, 
  appcat, 
  custaction 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

PCI-DSS-Compliance-Summary

PCI DSS Compliance Summary

event

select 
  status, 
  num_reason as requirements, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      (
        case when fail_count>0 then 'Non-Compliant' else 'Compliant' end
      ) as status, 
      count(distinct reason) as num_reason 
    from 
      (
        select 
          ftnt_pci_id, 
          (
            sum(fail_count) over (partition by ftnt_pci_id)
          ) as fail_count, 
          reason 
        from 
          ###(select ftnt_pci_id, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, result, reason)### t) t group by status) t order by status

Dataset Name

Description

Log Category

PCI-DSS-Non-Compliant-Requirements-By-Severity

PCI DSS Non-Compliant Requirements by Severity

event

with query as (
  select 
    * 
  from 
    (
      select 
        ftnt_pci_id, 
        severity, 
        (
          sum(fail_count) over (partition by ftnt_pci_id)
        ) as fail_count, 
        reason 
      from 
        ###(select ftnt_pci_id, t2.severity, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, t2.severity, result, reason)### t) t where fail_count>0) select t.severity, count(distinct t.reason) as requirements from (select distinct on (1) reason, severity from query order by reason, (case lower(severity) when 'high' then 4 when 'critical' then 3 when 'medium' then 2 when 'low' then 1 else 0 end) desc) t group by t.severity order by requirements desc

Dataset Name

Description

Log Category

PCI-DSS-Compliant-Requirements-By-Severity

PCI DSS Compliant Requirements by Severity

event

with query as (
  select 
    * 
  from 
    (
      select 
        ftnt_pci_id, 
        severity, 
        (
          sum(fail_count) over (partition by ftnt_pci_id)
        ) as fail_count, 
        reason 
      from 
        ###(select ftnt_pci_id, t2.severity, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, t2.severity, result, reason)### t) t where fail_count=0) select t.severity, count(distinct t.reason) as requirements from (select distinct on (1) reason, severity from query order by reason, (case lower(severity) when 'high' then 4 when 'critical' then 3 when 'medium' then 2 when 'low' then 1 else 0 end) desc) t group by t.severity order by requirements desc

Dataset Name

Description

Log Category

PCI-DSS-Fortinet-Security-Best-Practice-Summary

PCI DSS Fortinet Security Best Practice Summary

event

select 
  status, 
  num_reason as practices, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      (
        case when result = 'fail' then 'Failed' else 'Passed' end
      ) as status, 
      count(distinct reason) as num_reason 
    from 
      ###(select result, reason from $log where $filter and subtype='compliance-check' and result in ('fail','pass') group by result, reason)### t group by status) t order by status desc

Dataset Name

Description

Log Category

PCI-DSS-Failed-Fortinet-Security-Best-Practices-By-Severity

PCI DSS Failed Fortinet Security Best Practices by Severity

event

select 
  status, 
  num_reason as practices, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      initcap(status) as status, 
      count(distinct reason) as num_reason 
    from 
      ###(select status, reason from $log where $filter and subtype='compliance-check' and result='fail' group by status, reason)### t group by status) t order by status

Dataset Name

Description

Log Category

PCI-DSS-Passed-Fortinet-Security-Best-Practices-By-Severity

PCI DSS Passed Fortinet Security Best Practices by Severity

event

select 
  status, 
  num_reason as practices, 
  cast(
    num_reason * 100.0 /(
      sum(num_reason) over()
    ) as decimal(18, 2)
  ) as percent 
from 
  (
    select 
      initcap(status) as status, 
      count(distinct reason) as num_reason 
    from 
      ###(select status, reason from $log where $filter and subtype='compliance-check' and result='pass' group by status, reason)### t group by status) t order by status

Dataset Name

Description

Log Category

PCI-DSS-Requirements-Compliance-Details

PCI DSS Requirements Compliance Details

event

select 
  ftnt_pci_id, 
  left(
    string_agg(distinct ftnt_id, ','), 
    120
  ) as practice, 
  (
    case when sum(fail_count)& gt; 0 then 'Non-Compliant' else 'Compliant' end
  ) as compliance, 
  pci_requirement 
from 
  ###(select ftnt_pci_id, ftnt_id, (case when result='fail' then 1 else 0 end) as fail_count, pci_requirement from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, ftnt_id, result, pci_requirement)### t group by ftnt_pci_id, pci_requirement order by ftnt_pci_id

Dataset Name

Description

Log Category

PCI-DSS-Fortinet-Security-Best-Practice-Details

PCI DSS Fortinet Security Best Practice Details

event

select 
  reason as ftnt_id, 
  msg, 
  initcap(status) as status, 
  module 
from 
  $log 
where 
  $filter 
  and subtype = 'compliance-check' 
group by 
  reason, 
  status, 
  module, 
  msg 
order by 
  ftnt_id

Dataset Name

Description

Log Category

DLP-Email-Activity-Details

Email DLP Violations Summary

dlp

select 
  from_itime(itime) as timestamp, 
  `from` as sender, 
  `to` as receiver, 
  regexp_replace(filename, '.*/', '') as filename, 
  filesize, 
  profile, 
  action, 
  direction 
from 
  $log 
where 
  $filter 
  and (
    service in (
      'smtp', 'SMTP', '25/tcp', '587/tcp', 
      'smtps', 'SMTPS', '465/tcp'
    ) 
    or service in (
      'pop3', 'POP3', '110/tcp', 'imap', 
      'IMAP', '143/tcp', 'imaps', 'IMAPS', 
      '993/tcp', 'pop3s', 'POP3S', '995/tcp'
    )
  ) 
order by 
  timestamp desc

Dataset Name

Description

Log Category

Email-DLP-Chart

Email DLP Activity Summary

dlp

select 
  profile, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and (
    service in (
      'smtp', 'SMTP', '25/tcp', '587/tcp', 
      'smtps', 'SMTPS', '465/tcp'
    ) 
    or service in (
      'pop3', 'POP3', '110/tcp', 'imap', 
      'IMAP', '143/tcp', 'imaps', 'IMAPS', 
      '993/tcp', 'pop3s', 'POP3S', '995/tcp'
    )
  ) 
group by 
  profile 
order by 
  total_num desc

Dataset Name

Description

Log Category

DLP-Web-Activity-Details

Web DLP Violations Summary

dlp

select 
  from_itime(itime) as timestamp, 
  srcip, 
  dstip, 
  hostname, 
  profile, 
  filename, 
  filesize, 
  action, 
  direction 
from 
  $log 
where 
  $filter 
  and lower(service) in ('http', 'https') 
order by 
  timestamp desc

Dataset Name

Description

Log Category

Web-DLP-Chart

Web DLP Activity Summary

dlp

select 
  profile, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and lower(service) in ('http', 'https') 
group by 
  profile 
order by 
  total_num desc

Dataset Name

Description

Log Category

DLP-FTP-Activity-Details

Web DLP Violations Summary

dlp

select 
  from_itime(itime) as timestamp, 
  srcip, 
  dstip, 
  filename, 
  profile, 
  filesize, 
  action, 
  direction 
from 
  $log 
where 
  $filter 
  and lower(service) in ('ftp', 'ftps') 
order by 
  timestamp desc

Dataset Name

Description

Log Category

FTP-DLP-Chart

FTP DLP Activity Summary

dlp

select 
  profile, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and lower(service) in ('ftp', 'ftps') 
group by 
  profile 
order by 
  total_num desc

Dataset Name

Description

Log Category

top-users-by-browsetime

Top Users by website browsetime

traffic

select 
  user_src, 
  domain, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime 
from 
  ###(select user_src, domain, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and $browse_time is not null group by user_src, domain) t group by user_src, domain order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src, domain order by browsetime desc

Dataset Name

Description

Log Category

wifi-usage-by-hour-authenticated

Wifi Usage by Hour - Authenticated

event

select 
  hod, 
  count(distinct stamac) as totalnum 
from 
  ###(select $HOUR_OF_DAY as hod, stamac from $log where $filter and subtype='wireless' and action='client-authentication' group by hod, stamac)### t group by hod order by hod

Dataset Name

Description

Log Category

wifi-usage-authenticated-timeline

Wifi Usage Timeline - Authenticated

event

select 
  $flex_timescale(timestamp) as hodex, 
  count(distinct stamac) as totalnum 
from 
  ###(select $flex_timestamp as timestamp, stamac from $log where $filter and subtype='wireless' and action='client-authentication' group by timestamp, stamac order by timestamp desc)### t group by hodex order by hodex

Dataset Name

Description

Log Category

app-top-user-by-bandwidth

Top 10 Applications Bandwidth by User Drilldown

traffic

select 
  app, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  sum(
    coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app, 
  user_src 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

app-top-user-by-session

Top 10 Application Sessions by User Drilldown

traffic

select 
  app, 
  coalesce(
    nullifna(`user`), 
    nullifna(`unauthuser`), 
    ipstr(`srcip`)
  ) as user_src, 
  count(*) as sessions 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
group by 
  app, 
  user_src 
order by 
  sessions desc

Dataset Name

Description

Log Category

traffic-Interface-Bandwidth-Usage

Interface Bandwidth Usage

traffic

with qry as (
  select 
    dom as dom_s, 
    devid as devid_s, 
    vd as vd_s, 
    srcintf, 
    dstintf, 
    total_sent, 
    total_rcvd 
  from 
    ###(select $DAY_OF_MONTH as dom, devid, vd, srcintf, dstintf, sum(coalesce(sentbyte, 0)) as total_sent, sum(coalesce(rcvdbyte, 0)) as total_rcvd, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as total from $log where $filter and (logflag&1>0) and nullifna(srcintf) is not null and nullifna(dstintf) is not null group by dom, devid, vd, srcintf, dstintf having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by total desc)### t) select dom, unnest(array['download', 'upload']) as type, unnest(array[sum(download), sum(upload)]) as bandwidth from (select coalesce(t1.dom_s, t2.dom_s) as dom, coalesce(t1.devid_s, t2.devid_s) as devid, coalesce(t1.vd_s, t2.vd_s) as vd, coalesce(t1.srcintf, t2.dstintf) as intf, sum(coalesce(t1.total_sent, 0)+coalesce(t2.total_rcvd, 0)) as download, sum(coalesce(t2.total_sent, 0)+coalesce(t1.total_rcvd, 0)) as upload from qry t1 full join qry t2 on t1.dom_s=t2.dom_s and t1.srcintf=t2.dstintf group by dom, devid, vd, intf) t where $filter-drilldown group by dom order by dom

Dataset Name

Description

Log Category

ctap-SB-Files-Needing-Inspection-vs-Others

Files Needing Inspection vs Others

virus

select 
  (
    case when suffix in (
      'bat', 'cmd', 'exe', 'jar', 'msi', 'vbs', 
      '7z', 'zip', 'gzip', 'lzw', 'tar', 
      'rar', 'cab', 'doc', 'docx', 'xls', 
      'xlsx', 'ppt', 'pptx', 'pdf', 'swf', 
      'lnk', 'js'
    ) then 'Higher Risk File Types' else 'Excluded Files' end
  ) as files, 
  sum(total_num) as total_num 
from 
  ###({{FGT_DATASET_BASE_VIRUS_FSA_DETECTED_FILE_TYPES}})### t group by files order by total_num desc

Dataset Name

Description

Log Category

ctap-SB-Breakdown-of-File-Types

Breakdown of File Types

virus

select 
  (
    case when suffix in (
      'exe', 'msi', 'upx', 'vbs', 'bat', 'cmd', 
      'dll', 'ps1', 'jar'
    ) then 'Executable Files' when suffix in ('pdf') then 'Adobe PDF' when suffix in ('swf') then 'Adobe Flash' when suffix in (
      'doc', 'docx', 'rtf', 'dotx', 'docm', 
      'dotm', 'dot'
    ) then 'Microsoft Word' when suffix in (
      'xls', 'xlsx', 'xltx', 'xlsm', 'xlsb', 
      'xlam', 'xlt'
    ) then 'Microsoft Excel' when suffix in (
      'ppsx', 'ppt', 'pptx', 'potx', 'sldx', 
      'pptm', 'ppsm', 'potm', 'ppam', 'sldm', 
      'pps', 'pot'
    ) then 'Microsoft PowerPoint' when suffix in ('msg') then 'Microsoft Outlook' when suffix in ('htm', 'js', 'url', 'lnk') then 'Web Files' when suffix in (
      'cab', 'tgz', 'z', '7z', 'tar', 'lzh', 
      'kgb', 'rar', 'zip', 'gz', 'xz', 'bz2'
    ) then 'Archive Files' when suffix in ('apk') then 'Android Files' else 'Others' end
  ) as filetype, 
  sum(total_num) as total_num 
from 
  ###({{FGT_DATASET_BASE_VIRUS_FSA_DETECTED_FILE_TYPES}})### t group by filetype order by total_num desc

Dataset Name

Description

Log Category

ctap-SB-Top-Sandbox-Malicious-Exes

virus

select 
  (
    case fsaverdict when 'malicious' then 5 when 'high risk' then 4 when 'medium risk' then 3 when 'low risk' then 2 else 1 end
  ) as risk, 
  filename, 
  service, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and dtype = 'fortisandbox' 
  and file_name_ext(filename)= 'exe' 
  and fsaverdict not in ('clean', 'submission failed') 
group by 
  filename, 
  risk, 
  service 
order by 
  risk desc, 
  total_num desc, 
  filename

Dataset Name

Description

Log Category

ctap-SB-Sources-of-Sandbox-Discovered-Malware

Sources of Sandbox Discovered Malware

virus

select 
  srcip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and dtype = 'fortisandbox' 
  and nullifna(filename) is not null 
  and fsaverdict not in ('clean', 'submission failed') 
group by 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-High-Risk-Application

Application risk high risk application

traffic

select 
  risk as d_risk, 
  count(distinct user_src) as users, 
  id, 
  name, 
  app_cat, 
  technology, 
  sum(bandwidth) as bandwidth, 
  sum(sessions) as sessions 
from 
  ###(select lower(app) as lowapp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by lowapp, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.lowapp=lower(t2.name) where risk>='4' group by id, name, app_cat, technology, risk order by d_risk desc, sessions desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-Application-Vulnerability

Application vulnerabilities discovered

attack

select 
  attack, 
  attackid, 
  vuln_type, 
  cve, 
  severity_number, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as sources, 
  sum(totalnum) as totalnum 
from 
  ###(select attack, attackid, vuln_type, t2.cve, (case when t1.severity='critical' then 5 when t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.severity='low' then 2 when t1.severity='info' then 1 else 0 end) as severity_number, dstip, srcip, count(*) as totalnum from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null and t1.severity is not null group by attack, attackid, vuln_type, t2.cve, t1.severity, dstip, srcip )### t group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-Common-Virus-Botnet-Spyware

Common Virus Botnet Spyware

app-ctrl

select 
  malware as virus, 
  (
    case when lower(appcat)= 'botnet' then 'Botnet C&C' else (
      case when malware like 'Riskware%' then 'Spyware' when malware like 'Adware%' then 'Adware' else 'Virus' end
    ) end
  ) as malware_type, 
  appid, 
  app, 
  count(distinct dstip) as victims, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as malware, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by malware, appcat, appid, app, dstip, srcip, app order by total_num desc)### union all ###(select virus as malware, 'null' as appcat, 0 as appid, service as app, dstip, srcip, count(*) as total_num from $log-virus where $filter and virus is not null group by malware, appcat, app, appid, dstip, srcip order by total_num desc)###) t group by malware, malware_type, app, appid order by total_num desc

Dataset Name

Description

Log Category

ctap-App-Risk-Reputation-Top-Devices-By-Scores

Reputation Top Devices By-Scores

traffic

select 
  coalesce(
    nullifna(`srcname`), 
    ipstr(`srcip`), 
    nullifna(`srcmac`)
  ) as dev_src, 
  sum(crscore % 65536) as scores 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and crscore is not null 
group by 
  dev_src 
having 
  sum(crscore % 65536)& gt; 0 
order by 
  scores desc

Dataset Name

Description

Log Category

ctap-HTTP-SSL-Traffic-Ratio

HTTP SSL Traffic Ratio

traffic

select 
  (
    case when service in ('80/tcp', 'HTTP', 'http') then 'HTTP' else 'HTTPS' end
  ) as service, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and service in (
    '80/tcp', '443/tcp', 'HTTP', 'HTTPS', 
    'http', 'https'
  ) 
group by 
  service 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-Source-Countries

Top Source Countries

traffic

select 
  srccountry, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(srccountry) is not null 
  and srccountry & lt;& gt; 'Reserved' 
group by 
  srccountry 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc, 
  srccountry

Dataset Name

Description

Log Category

ctap-SaaS-Apps

CTAP SaaS Apps

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where behavior like '%Cloud%' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-IaaS-Apps

CTAP IaaS Apps

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Cloud.IT' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-RAS-Apps

CTAP RAS Apps

traffic

select 
  name as app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on t1.app_group=lower(t2.name) where app_cat='Remote.Access' group by name order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Proxy-Apps

CTAP Proxy Apps

traffic

select 
  name as app_group, 
  sum(bandwidth) as bandwidth 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on t1.app_group=lower(t2.name) where app_cat='Proxy' group by name order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-SocialMedia-App-By-Bandwidth

Top SocialMedia Applications by Bandwidth Usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-Streaming-App-By-Bandwidth

Top Streaming applications by bandwidth usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Video/Audio' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-Game-App-By-Bandwidth

Top Game applications by bandwidth usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Game' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-Top-P2P-App-By-Bandwidth

Top P2P applications by bandwidth usage

traffic

select 
  app_group, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions 
from 
  ###({{FGT_DATASET_BASE_TRAFFIC_APP_BANDWIDTH}})### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='P2P' group by app_group order by bandwidth desc

Dataset Name

Description

Log Category

ctap-apprisk-ctrl-Top-Web-Categories-Visited

Top 25 Web Categories Visited

traffic

select 
  catdesc, 
  count(distinct f_user) as user_num, 
  sum(sessions) as sessions, 
  sum(bandwidth) as bandwidth 
from 
  ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<52) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc

Dataset Name

Description

Log Category

ctap-App-Risk-Applications-Running-Over-HTTP

Application risk applications running over HTTP

traffic

select 
  app_group_name(app) as app_group, 
  service, 
  count(*) as sessions, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and nullifna(app) is not null 
  and service in (
    '80/tcp', '443/tcp', 'HTTP', 'HTTPS', 
    'http', 'https'
  ) 
group by 
  app_group, 
  service 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )& gt; 0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

ctap-App-Risk-Web-Browsing-Activity-Hostname-Category

Application risk web browsing activity hostname category

webfilter

select 
  domain, 
  catdesc, 
  sum(visits) as visits 
from 
  ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*) as visits from $log where $filter and (eventtype is null or logver>=52) and catdesc is not null group by domain, catdesc order by visits desc)### t group by domain, catdesc order by visits desc

Dataset Name

Description

Log Category

ctap-Top-Sites-By-Browsing-Time

Traffic top sites by browsing time

traffic

select 
  hostname, 
  string_agg(distinct catdesc, ', ') as agg_catdesc, 
  ebtr_value(
    ebtr_agg_flat(browsetime), 
    null, 
    $timespan
  ) as browsetime, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out 
from 
  ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc

Dataset Name

Description

Log Category

ctap-Average-Bandwidth-Hour

Average Bandwidth Hour

traffic

select 
  hourstamp, 
  sum(bandwidth)/ count(distinct daystamp) as bandwidth 
from 
  ###(select to_char(from_dtime(dtime), 'HH24:00') as hourstamp, to_char(from_dtime(dtime), 'DD Mon') as daystamp, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter group by hourstamp, daystamp having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by hourstamp)### t group by hourstamp order by hourstamp

Dataset Name

Description

Log Category

ctap-Top-Bandwidth-Hosts

Top Bandwidth Hosts

traffic

select 
  hostname, 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  ) as bandwidth 
from 
  $log - traffic 
where 
  $filter 
  and hostname is not null 
  and (
    logflag&1>0
  ) 
group by 
  hostname 
having 
  sum(
    coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
  )>0 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

saas-Application-Discovered

All Applications Discovered on the Network

traffic

select 
  (
    case is_saas when 1 then 'SaaS Apps' else 'Other Apps' end
  ) as app_type, 
  count(distinct app_s) as total_num 
from 
  ###(select app_s, (case when saas_s>=10 then 1 else 0 end) as is_saas from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t group by app_s, is_saas)### t group by is_saas order by is_saas

Dataset Name

Description

Log Category

saas-SaaS-Application-by-Category

Number of SaaS Applications by Category

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsanctioned' end
  ) as saas_cat_str, 
  count(distinct app_s) as num_saas_app 
from 
  ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 1) group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-SaaS-Application-by-Bandwidth

Number of SaaS Applications by Bandwidth

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Tolerated' end
  ) as saas_cat_str, 
  sum(bandwidth) as bandwidth 
from 
  ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 2) group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-SaaS-Application-by-Session

Number of SaaS Applications by Session

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Tolerated' end
  ) as saas_cat_str, 
  sum(total_app) as total_app 
from 
  ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 2) group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-SaaS-App-Users-vs-Others

Number of Users of SaaS Apps vs Others

traffic

select 
  (
    case is_saas when 0 then 'Other Apps' else 'SaaS Apps' end
  ) as app_type, 
  count(distinct saasuser) as total_user 
from 
  ###(select saasuser, saas_s/10 as is_saas from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t group by saasuser, is_saas)### t group by app_type

Dataset Name

Description

Log Category

saas-SaaS-App-Users

Number of Users of SaaS Apps

traffic

select 
  (
    case saas_cat when 0 then 'Sanctioned' when 1 then 'Unsanctioned' else 'Others' end
  ) as app_type, 
  count(distinct saasuser) as total_user 
from 
  ###(select saasuser, saas_s%10 as saas_cat from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t where saas_s>=10 group by saasuser, saas_cat)### t group by saas_cat order by saas_cat

Dataset Name

Description

Log Category

saas-Top-SaaS-User-by-Bandwidth-Session

Top SaaS Users by Bandwidth and Session

traffic

select 
  saasuser, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass, 
  count(distinct app_s) as total_app 
from 
  ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by saasuser, app_s order by bandwidth desc)### t group by saasuser order by bandwidth desc

Dataset Name

Description

Log Category

saas-Top-Category-by-SaaS-Application-Usage

Top Categories by SaaS Application Usage

traffic

select 
  app_cat, 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsactioned' end
  ) as saas_cat_str, 
  count(distinct app_s) as total_app 
from 
  ###(select app_s, saas_s%10 as saas_cat from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat)### t1 inner join app_mdata t2 on t1.app_s=t2.name where saas_cat in (0, 1) group by app_cat, saas_cat order by total_app desc

Dataset Name

Description

Log Category

saas-Top-SaaS-Category-by-Number-of-User

Top SaaS Categories by Number of Users

traffic

select 
  app_cat, 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsactioned' end
  ) as saas_cat_str, 
  count(distinct saasuser) as total_user 
from 
  ###(select app_s, saas_s%10 as saas_cat, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat, saasuser)### t1 inner join app_mdata t2 on t1.app_s=t2.name where saas_cat in (0, 1) group by app_cat, saas_cat order by total_user desc

Dataset Name

Description

Log Category

saas-Top-User-by-Number-of-SaaS-Application

Top Users by Number of SaaS Applications

traffic

select 
  saasuser, 
  (
    case saas_cat when 0 then 'Sanctioned' else 'Unsactioned' end
  ) as saas_cat_str, 
  count(distinct app_s) as total_app 
from 
  ###(select app_s, saas_s%10 as saas_cat, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat, saasuser)### t where saas_cat in (0, 1) group by saasuser, saas_cat order by total_app desc

Dataset Name

Description

Log Category

saas-Top-SaaS-Application-by-Bandwidth-Session

Top SaaS Applications by Sessions and Bandwidth

traffic

select 
  t2.id as app_id, 
  app_s, 
  app_cat, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass 
from 
  ###(select app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_s)### t1 inner join app_mdata t2 on t1.app_s=t2.name group by app_id, app_s, app_cat order by bandwidth desc

Dataset Name

Description

Log Category

saas-Top-Tolerated-SaaS-Application-by-Bandwidth

Top Tolerated SaaS Applications by Bandwidth

traffic

select 
  app_s, 
  sum(sentbyte + rcvdbyte) as bandwidth 
from 
  (
    select 
      unnest(apps) as app_s, 
      unnest(saasinfo) as saas_s, 
      coalesce(sentbyte, 0) as sentbyte, 
      coalesce(rcvdbyte, 0) as rcvdbyte 
    from 
      $log 
    where 
      $filter 
      and apps is not null
  ) t 
where 
  saas_s = 12 
group by 
  app_s 
order by 
  bandwidth desc

Dataset Name

Description

Log Category

saas-drilldown-Top-Tolerated-SaaS-Application

Top Tolerated SaaS Applications

traffic

select 
  app_s, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass 
from 
  ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s=12 group by saasuser, app_s order by bandwidth desc)### t where $filter-drilldown group by app_s order by bandwidth desc

Dataset Name

Description

Log Category

saas-Top-User-by-Tolerated-SaaS-Application-Drilldown

Top Users by Tolerated SaaS Applications

traffic

select 
  saasuser, 
  count(distinct app_s) as total_app 
from 
  ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s=12 group by saasuser, app_s order by bandwidth desc)### t group by saasuser order by total_app desc

Dataset Name

Description

Log Category

saas-drilldown-Top-File-Sharing-SaaS-Application-Detail

Top File Sharing SaaS Applications Detail

traffic

select 
  saasuser, 
  sum(bandwidth) as bandwidth, 
  sum(traffic_in) as traffic_in, 
  sum(traffic_out) as traffic_out, 
  sum(sessions) as sessions, 
  sum(session_block) as session_block, 
  (
    sum(sessions)- sum(session_block)
  ) as session_pass 
from 
  ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t where $filter-drilldown group by saasuser order by sessions desc

Dataset Name

Description

Log Category

saas-Top-File-Sharing-SaaS-Application

Top File Sharing Applications

traffic

select 
  t2.id as appid, 
  (
    case t2.risk when '5' then 'Critical' when '4' then 'High' when '3' then 'Medium' when '2' then 'Info' else 'Low' end
  ) as risk, 
  app_group, 
  bandwidth, 
  traffic_in, 
  traffic_out, 
  sessions, 
  session_block, 
  session_pass, 
  total_user 
from 
  (
    select 
      app_group, 
      count(distinct saasuser) as total_user, 
      sum(bandwidth) as bandwidth, 
      sum(traffic_in) as traffic_in, 
      sum(traffic_out) as traffic_out, 
      sum(sessions) as sessions, 
      sum(session_block) as session_block, 
      (
        sum(sessions)- sum(session_block)
      ) as session_pass 
    from 
      ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t group by app_group) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where t2.app_cat='Storage.Backup' order by total_user desc, bandwidth desc

Dataset Name

Description

Log Category

saas-Top-File-Sharing-SaaS-Application-Drilldown

Top File Sharing Applications

traffic

select 
  t2.id as appid, 
  (
    case t2.risk when '5' then 'Critical' when '4' then 'High' when '3' then 'Medium' when '2' then 'Info' else 'Low' end
  ) as risk, 
  app_group, 
  bandwidth, 
  traffic_in, 
  traffic_out, 
  sessions, 
  session_block, 
  session_pass, 
  total_user 
from 
  (
    select 
      app_group, 
      count(distinct saasuser) as total_user, 
      sum(bandwidth) as bandwidth, 
      sum(traffic_in) as traffic_in, 
      sum(traffic_out) as traffic_out, 
      sum(sessions) as sessions, 
      sum(session_block) as session_block, 
      (
        sum(sessions)- sum(session_block)
      ) as session_pass 
    from 
      ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t group by app_group) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where t2.app_cat='Storage.Backup' order by total_user desc, bandwidth desc

Dataset Name

Description

Log Category

aware-Device-By-Location

Device by Location

traffic

select 
  'All' : :text as country, 
  count(distinct devid) as device_count 
from 
  ###(select devid from $log where $filter group by devid)### t

Dataset Name

Description

Log Category

aware-Network-Devices

Network Devices

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select hostname, os, srcip, max(itime) as max_itime from $log where $pre_period $filter and hostname is not null group by hostname, os, srcip order by max_itime desc)###; create temporary table rpt_tmptbl_2 as ###(select hostname, os, srcip, max(itime) as max_itime from $log where $filter and hostname is not null group by hostname, os, srcip order by max_itime desc)###; select 'Unseen Devices' as category, count(distinct hostname) as total_num from rpt_tmptbl_1 where not exists (select 1 from rpt_tmptbl_2 where rpt_tmptbl_1.hostname=rpt_tmptbl_2.hostname) union all select 'New Devices', count(distinct hostname) as total_num from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_1.hostname=rpt_tmptbl_2.hostname) union all select 'Seen Devices', count(distinct t1.hostname) as total_num from rpt_tmptbl_1 t1 inner join rpt_tmptbl_2 t2 on t1.hostname=t2.hostname

Dataset Name

Description

Log Category

aware-New-Devices

New Devices

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select hostname, os, max(srcip) as srcip, max(itime) as max_itime from $log where $pre_period $filter and hostname is not null group by hostname, os order by max_itime desc)###; create temporary table rpt_tmptbl_2 as ###(select hostname, os, max(srcip) as srcip, max(itime) as max_itime from $log where $filter and hostname is not null group by hostname, os order by max_itime desc)###; select from_itime(max(max_itime)) as timestamp, hostname, max(fctos_to_devtype(os)) as devtype, string_agg(distinct os, '/') as os_agg, max(srcip) as srcip from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.hostname=rpt_tmptbl_1.hostname) group by hostname order by timestamp desc

Dataset Name

Description

Log Category

aware-Top-Endpoint-Operating-Systems

Top Endpoint Operating Systems

fct-traffic

select 
  os1 as os, 
  count(distinct hostname) as total_num 
from 
  ###(select split_part(os, ',', 1) as os1, hostname from $log where $filter and nullifna(os) is not null group by os1, hostname)### t group by os order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Endpoint-Applications-Windows

Top Endpoint Applications Windows

fct-traffic

select 
  srcname1 as srcname, 
  count(distinct hostname) as total_num 
from 
  ###(select split_part(srcname, '.', 1) as srcname1, hostname from $log where $filter and nullifna(srcname) is not null and lower(os) like '%windows%' group by srcname, hostname)### t group by srcname order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Endpoint-Applications-Mac

Top Endpoint Applications Mac

fct-traffic

select 
  srcname1 as srcname, 
  count(distinct hostname) as total_num 
from 
  ###(select split_part(srcname, '.', 1) as srcname1, hostname from $log where $filter and nullifna(srcname) is not null and lower(os) like '%mac os%' group by srcname, hostname)### t group by srcname order by total_num desc

Dataset Name

Description

Log Category

aware-Top-SaaS-Application-by-Number-of-Users

Top SaaS Applications by Number of Users

traffic

select 
  app_group, 
  count(distinct saasuser) as total_user 
from 
  ###(select app_group_name(app_s) as app_group, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and (logflag&1>0) and apps is not null) t group by app_group, saasuser)### t group by app_group order by total_user desc

Dataset Name

Description

Log Category

aware-Summary-Of-Changes

Summary of Changes

event

select 
  regexp_replace(msg, '[^ ]*$', '') as msg_trim, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid)= 44547 
group by 
  msg_trim 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Change-Details

Change Details

event

select 
  $calendar_time as timestamp, 
  `user`, 
  ui, 
  msg 
from 
  $log 
where 
  $filter 
  and logid_to_int(logid)= 44547 
order by 
  timestamp desc

Dataset Name

Description

Log Category

aware-Vulnerabilities-By-Severity

Vulnerabilities by Security

fct-netscan

select 
  vulnseverity, 
  count(distinct vulnname) as vuln_num 
from 
  ###(select vulnseverity, vulnname from $log where $filter and nullifna(vulnname) is not null and nullifna(vulnseverity) is not null group by vulnseverity, vulnname)### t group by vulnseverity order by vuln_num desc

Dataset Name

Description

Log Category

aware-Vulnerabilities-Trend

Vulnerabilities Trend

fct-netscan

select 
  $flex_timescale(timestamp) as timescale, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low 
from 
  ###(select $flex_timestamp as timestamp, sum(case when lower(vulnseverity) = 'critical' then 1 else 0 end) as critical, sum(case when lower(vulnseverity) = 'high' then 1 else 0 end) as high, sum(case when lower(vulnseverity) = 'medium' then 1 else 0 end) as medium, sum(case when lower(vulnseverity) = 'notice' then 1 else 0 end) as Low from $log where $filter group by timestamp order by timestamp desc)### t group by timescale order by timescale

Dataset Name

Description

Log Category

aware-Top-Critical-Vulnerabilities

Top Critical Vulnerabilities

fct-netscan

select 
  vulnname, 
  vulnseverity, 
  vulncat, 
  count(distinct hostname) as total_num 
from 
  ###(select hostname, vulnname, vulnseverity, vulncat, count(*) as total_num from $log where $filter and nullifna(vulnname) is not null and vulnseverity='Critical' group by hostname, vulnname, vulnseverity, vulncat order by total_num desc)### t group by vulnname, vulnseverity, vulncat order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Vulnerabilities-Last-Period

Top Vulnerabilities Last Period

fct-netscan

select 
  vulnname, 
  vulnseverity, 
  sev_num, 
  vulncat, 
  count(distinct hostname) as total_num 
from 
  ###(select hostname, vulnname, vulnseverity, (CASE vulnseverity WHEN 'Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END) as sev_num, vulncat, count(*) as total_num from $log where $pre_period $filter and nullifna(vulnname) is not null group by hostname, vulnname, vulnseverity, vulncat order by sev_num desc, total_num desc)### t group by vulnname, vulnseverity, sev_num, vulncat order by sev_num desc, total_num desc

Dataset Name

Description

Log Category

aware-Top-Device-Attack-Targets

Top Device Attack Targets

fct-netscan

select 
  hostname, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(hostname) is not null 
  and nullifna(vulnname) is not null 
group by 
  hostname 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Top-Attack-Targets

Top Attack Targets

fct-netscan

select 
  hostname, 
  srcip, 
  os, 
  vuln_num, 
  (
    CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END
  ) as vulnseverity, 
  sevid as severity_num, 
  left(cve_agg, 512) as cve_agg 
from 
  (
    select 
      hostname, 
      max(srcip) as srcip, 
      string_agg(distinct os1, '/') as os, 
      count(distinct vulnname) as vuln_num, 
      max(
        (
          CASE vulnseverity WHEN 'Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END
        )
      ) as sevid, 
      string_agg(distinct cve_id, ',') as cve_agg 
    from 
      ###(select hostname, max(deviceip) as srcip, split_part(os, ',', 1) as os1, vulnname, vulnseverity, vulnid from $log where $filter and nullifna(vulnname) is not null and nullifna(vulnseverity) is not null group by hostname, os1, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname) t order by severity_num desc, vuln_num desc

Dataset Name

Description

Log Category

aware-Threats-By-Severity

Threats by Severity

attack

select 
  initcap(sev) as severity, 
  sum(total_num) as total_num 
from 
  (
    ###(select crlevel::text as sev, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null  and crlevel is not null group by sev order by total_num desc)### union all ###(select severity::text as sev, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by sev order by total_num desc)### union all ###(select apprisk::text as sev, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' and apprisk is not null group by sev order by total_num desc)###) t group by severity order by total_num desc

Dataset Name

Description

Log Category

aware-Threats-Type-By-Severity

Threats Type by Severity

virus

select 
  threat_type, 
  sum(critical) as critical, 
  sum(high) as high, 
  sum(medium) as medium, 
  sum(low) as low 
from 
  (
    ###(select (case when eventtype='botnet' then 'Botnets' else 'Malware' end) as threat_type, sum(case when crlevel = 'critical' then 1 else 0 end) as critical, sum(case when crlevel = 'high' then 1 else 0 end) as high, sum(case when crlevel = 'medium' then 1 else 0 end) as medium, sum(case when crlevel = 'low' then 1 else 0 end) as low from $log-virus where $filter and nullifna(virus) is not null group by threat_type)### union all ###(select 'Intrusions' as threat_type, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity = 'low' then 1 else 0 end) as low from $log-attack where $filter and nullifna(attack) is not null group by threat_type)### union all ###(select 'Botnets' as threat_type, sum(case when apprisk = 'critical' then 1 else 0 end) as critical, sum(case when apprisk = 'high' then 1 else 0 end) as high, sum(case when apprisk = 'medium' then 1 else 0 end) as medium, sum(case when apprisk = 'low' then 1 else 0 end) as low from $log-app-ctrl where $filter and lower(appcat)='botnet' group by threat_type)###) t group by threat_type

Dataset Name

Description

Log Category

aware-Threats-By-Day

Threats by Day

virus

select 
  daystamp, 
  sum(total_num) as total_num 
from 
  (
    ###(select $day_of_week as daystamp, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by daystamp)###) t group by daystamp order by daystamp

Dataset Name

Description

Log Category

aware-Threats-By-Day-Radar

Threats by Day

virus

select 
  daystamp, 
  sum(total_num) as total_num 
from 
  (
    ###(select $day_of_week as daystamp, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by daystamp)###) t group by daystamp order by daystamp

Dataset Name

Description

Log Category

aware-Count-Of-Malware-Events

Count of Malware Events

virus

select 
  virus, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(virus) is not null 
group by 
  virus 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Top-Malware-By-Count

Top Malware by Count

app-ctrl

select 
  virus, 
  malware_type, 
  risk_level, 
  count(distinct dstip) as victim, 
  count(distinct srcip) as source, 
  sum(total_num) as total_num 
from 
  (
    ###(select app as virus, 'Botnet C&C' as malware_type, apprisk::text as risk_level, dstip, srcip, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' and apprisk is not null group by app, malware_type, apprisk, dstip, srcip order by total_num desc)### union all ###(select virus, (case when eventtype='botnet' then 'Botnet C&C' else 'Virus' end) as malware_type, crlevel::text as risk_level, dstip, srcip, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null and crlevel is not null group by virus, malware_type, crlevel, dstip, srcip order by total_num desc)###) t group by virus, malware_type, risk_level order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Failed-Login-Attempts

Top Failed Login Attempts

event

select 
  `user` as f_user, 
  ui, 
  dstip, 
  count(status) as total_failed 
from 
  $log 
where 
  $filter 
  and nullifna(`user`) is not null 
  and logid_to_int(logid) = 32002 
group by 
  ui, 
  f_user, 
  dstip 
order by 
  total_failed desc

Dataset Name

Description

Log Category

aware-Top-Failed-Authentication-Attempts

VPN failed logins

event

select 
  f_user, 
  tunneltype, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype='ipsec' or left(tunneltype, 3)='ssl') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc

Dataset Name

Description

Log Category

aware-Top-Denied-Connections

Top Denied Connections

traffic

select 
  coalesce(
    nullifna(`user`), 
    ipstr(`srcip`)
  ) as user_src, 
  service || '(' || ipstr(srcip) || ')' as interface, 
  dstip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and (
    logflag&1>0
  ) 
  and action = 'deny' 
group by 
  user_src, 
  interface, 
  dstip 
order by 
  total_num desc

Dataset Name

Description

Log Category

aware-Failed-Compliance-Checked-By-Device

Failed Compliance Checked by Device

event

select 
  devid, 
  'Failed' as results, 
  count(distinct reason) as total_num 
from 
  ###(select devid, reason from $log where $filter and subtype='compliance-check' and result='fail' group by devid, reason)### t group by devid, results order by total_num desc

Dataset Name

Description

Log Category

aware-Ioc-Blacklist-Summary

IOC Blacklist Summary

app-ctrl

select 
  coalesce(
    nullifna(epname), 
    nullifna(
      ipstr(`srcip`)
    ), 
    'Unknown'
  ) as epname, 
  sevid, 
  (
    CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END
  ) as severity, 
  total_bl, 
  threats 
from 
  (
    select 
      t1.epname, 
      t1.srcip, 
      t2.total_bl, 
      t2.total_cs, 
      (t2.max_verdict + 1) as sevid, 
      t2.max_cs, 
      t2.threats 
    from 
      $ADOMTBL_PLHD_PBD_EP t1 
      inner join (
        select 
          epid, 
          sum(bl_count) as total_bl, 
          sum(cs_count) as total_cs, 
          max(verdict) as max_verdict, 
          max(cs_score) as max_cs, 
          string_agg(distinct t2.name, ',') as threats 
        from 
          (
            select 
              epid, 
              bl_count, 
              cs_count, 
              verdict, 
              cs_score, 
              unnest(threatid) as thid 
            from 
              $ADOMTBL_PLHD_PBD_STSUM
          ) t1 
          inner join td_threat_name_mdata t2 on t1.thid = t2.id 
        group by 
          epid
      ) t2 on t1.epid = t2.epid
  ) t 
where 
  total_bl>0 
order by 
  total_bl desc

Dataset Name

Description

Log Category

aware-Ioc-Potential-Breach-By-Day

IOC Potential Breach by Day

app-ctrl

select 
  number, 
  to_char(
    from_itime(day_st), 
    'Day'
  ) as itime 
from 
  (
    select 
      count(epid) as number, 
      day_st 
    from 
      $ADOMTBL_PLHD_PBD_STSUM 
    where 
      cs_count>0 
    group by 
      day_st 
    limit 
      7
  ) t 
order by 
  itime

Dataset Name

Description

Log Category

aware-Ioc-Potential-Breach-By-Day-Bar

IOC Potential Breach by Day

app-ctrl

select 
  number, 
  to_char(
    from_itime(day_st), 
    'Day'
  ) as itime 
from 
  (
    select 
      count(epid) as number, 
      day_st 
    from 
      $ADOMTBL_PLHD_PBD_STSUM 
    where 
      cs_count>0 
    group by 
      day_st 
    limit 
      7
  ) t 
order by 
  itime

Dataset Name

Description

Log Category

aware-Ioc-Suspicion-Summary

IOC Suspicion Summary

app-ctrl

select 
  coalesce(
    nullifna(epname), 
    nullifna(
      ipstr(`srcip`)
    ), 
    'Unknown'
  ) as epname, 
  total_cs, 
  max_cs, 
  max_verdict, 
  threats 
from 
  (
    select 
      t1.epname, 
      t1.srcip, 
      t2.total_bl, 
      t2.total_cs, 
      t2.max_verdict, 
      t2.max_cs, 
      t2.threats 
    from 
      $ADOMTBL_PLHD_PBD_EP t1 
      inner join (
        select 
          epid, 
          sum(bl_count) as total_bl, 
          sum(cs_count) as total_cs, 
          max(verdict) as max_verdict, 
          max(cs_score) as max_cs, 
          string_agg(distinct t2.name, ',') as threats 
        from 
          (
            select 
              epid, 
              bl_count, 
              cs_count, 
              verdict, 
              cs_score, 
              unnest(threatid) as thid 
            from 
              $ADOMTBL_PLHD_PBD_STSUM
          ) t1 
          inner join td_threat_name_mdata t2 on t1.thid = t2.id 
        group by 
          epid
      ) t2 on t1.epid = t2.epid
  ) t 
where 
  total_bl = 0 
  and total_cs>0 
order by 
  max_verdict desc, 
  max_cs desc, 
  total_cs desc

Dataset Name

Description

Log Category

newthing-New-Users

New users

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, min(dtime) as start_time from $log where $pre_period $filter group by f_user order by start_time desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, min(dtime) as start_time from $log where $filter group by f_user order by start_time desc)###; select f_user, from_dtime(min(start_time)) as start_time from rpt_tmptbl_2 where f_user is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.f_user=rpt_tmptbl_1.f_user) group by f_user order by start_time desc

Dataset Name

Description

Log Category

newthing-New-Devices

New devices

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select hostname, os, srcip, fctver from $log where $pre_period $filter and hostname is not null group by hostname, os, srcip, fctver order by hostname)###; create temporary table rpt_tmptbl_2 as ###(select hostname, os, srcip, fctver from $log where $filter and hostname is not null group by hostname, os, srcip, fctver order by hostname)###; select hostname, max(fctos_to_devtype(os)) as devtype, string_agg(distinct os, '/') as os_agg, string_agg(distinct ipstr(srcip), '/') as srcip_agg, string_agg(distinct fctver, '/') as fctver_agg from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.hostname=rpt_tmptbl_1.hostname) group by hostname order by hostname

Dataset Name

Description

Log Category

newthing-New-Software-Installed

New software installed

fct-traffic

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select srcproduct, hostname from $log where $pre_period $filter and nullifna(srcproduct) is not null group by srcproduct, hostname order by srcproduct)###; create temporary table rpt_tmptbl_2 as ###(select srcproduct, hostname from $log where $filter and nullifna(srcproduct) is not null group by srcproduct, hostname order by srcproduct)###; select srcproduct, string_agg(distinct hostname, ',') as host_agg from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.srcproduct=rpt_tmptbl_1.srcproduct) group by srcproduct order by srcproduct

Dataset Name

Description

Log Category

newthing-New-Security-Threats

New security threats

virus

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as 
select 
  * 
from 
  (
    ###(select app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $pre_period $filter and nullifna(app) is not null and lower(appcat)='botnet' group by threat_name, cat_id, srcip)### union all ###(select virus as threat_name, 2 as cat_id, srcip from $log-virus where $pre_period $filter and nullifna(virus) is not null group by threat_name, cat_id, srcip)### union all ###(select attack as threat_name, 3 as cat_id, srcip from $log-attack where $pre_period $filter and nullifna(attack) is not null group by threat_name, cat_id, srcip)###) t; create temporary table rpt_tmptbl_2 as select * from (###(select $DAY_OF_MONTH as daystamp, app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $filter and nullifna(app) is not null and lower(appcat)='botnet' group by daystamp, threat_name, cat_id, srcip order by daystamp)### union all ###(select $DAY_OF_MONTH as daystamp, virus as threat_name, 2 as cat_id, srcip from $log-virus where $filter and nullifna(virus) is not null group by daystamp, threat_name, cat_id, srcip order by daystamp)### union all ###(select $DAY_OF_MONTH as daystamp, attack as threat_name, 3 as cat_id, srcip from $log-attack where $filter and nullifna(attack) is not null group by daystamp, threat_name, cat_id, srcip order by daystamp)###) t; select threat_name, (case cat_id when 1 then 'Botnet' when 2 then 'Malware' when 3 then 'Attack' end) as threat_cat, count(distinct srcip) as host_num, string_agg(distinct cve, ',') as cve_agg from rpt_tmptbl_2 left join ips_mdata t2 on rpt_tmptbl_2.threat_name=t2.name where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.threat_name=rpt_tmptbl_1.threat_name) group by threat_name, threat_cat order by host_num desc

Dataset Name

Description

Log Category

newthing-dns-Botnet-Domain-IP

New Queried Botnet C&C Domains and IPs

dns

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $pre_period $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)###; create temporary table rpt_tmptbl_2 as ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)###; select domain, srcip, sevid, (CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END) as severity from rpt_tmptbl_2 where (domain is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.domain=rpt_tmptbl_1.domain)) or (srcip is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.srcip=rpt_tmptbl_1.srcip)) group by domain, srcip, sevid order by sevid desc, domain

Dataset Name

Description

Log Category

newthing-New-Security-Threats-Timeline

New security threats timeline

virus

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as 
select 
  * 
from 
  (
    ###(select app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $pre_period $filter and nullifna(app) is not null and lower(appcat)='botnet' group by threat_name, cat_id, srcip)### union all ###(select virus as threat_name, 2 as cat_id, srcip from $log-virus where $pre_period $filter and nullifna(virus) is not null group by threat_name, cat_id, srcip)### union all ###(select attack as threat_name, 3 as cat_id, srcip from $log-attack where $pre_period $filter and nullifna(attack) is not null group by threat_name, cat_id, srcip)###) t; create temporary table rpt_tmptbl_2 as select * from (###(select $flex_timestamp as timestamp, app as threat_name, 1 as cat_id, srcip from $log-app-ctrl where $filter and nullifna(app) is not null and lower(appcat)='botnet' group by timestamp, threat_name, cat_id, srcip order by timestamp)### union all ###(select $flex_timestamp as timestamp, virus as threat_name, 2 as cat_id, srcip from $log-virus where $filter and nullifna(virus) is not null group by timestamp, threat_name, cat_id, srcip order by timestamp)### union all ###(select $flex_timestamp as timestamp, attack as threat_name, 3 as cat_id, srcip from $log-attack where $filter and nullifna(attack) is not null group by timestamp, threat_name, cat_id, srcip order by timestamp)###) t; select $flex_datetime(timestamp) as timescale, count(distinct srcip) as host_num, (case cat_id when 1 then 'Botnet' when 2 then 'Malware' when 3 then 'Attack' end) as threat_cat from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.threat_name=rpt_tmptbl_1.threat_name) group by timescale, cat_id order by timescale, cat_id

Dataset Name

Description

Log Category

newthing-New-Vulnerability

New vulnerabilities

fct-netscan

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $pre_period $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; create temporary table rpt_tmptbl_2 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; select vulnname, (case when vulnseverity='Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as sev, vulnseverity, vulncat, count(distinct hostname) as host_num, cve_id from rpt_tmptbl_2 t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int where not exists (select 1 from rpt_tmptbl_1 where t1.vulnid=rpt_tmptbl_1.vulnid) group by vulnname, sev, vulnseverity, vulncat, cve_id order by sev desc, host_num desc

Dataset Name

Description

Log Category

newthing-New-Vulnerability-Graph

New vulnerabilities (Graph)

fct-netscan

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $pre_period $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; create temporary table rpt_tmptbl_2 as ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)###; select vulnseverity, count (distinct vulnid) as vuln_num from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.vulnid=rpt_tmptbl_1.vulnid) group by vulnseverity order by (case when vulnseverity='Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) desc

Dataset Name

Description

Log Category

newthing-System-Alerts

System Alerts

local-event

select 
  from_itime(itime) as timestamp, 
  msg 
from 
  $log 
where 
  $filter 
  and msg is not null 
  and pri = 'critical' 
order by 
  timestamp desc

Dataset Name

Description

Log Category

newthing-Configuration-Changes

Configuration Changes

event

select 
  `user` as f_user, 
  devid, 
  from_dtime(dtime) as time_s, 
  ui, 
  msg 
from 
  $log 
where 
  $filter 
  and cfgtid>0 
order by 
  time_s desc

Dataset Name

Description

Log Category

newthing-FortiGate-Upgrades

FortiGate Upgrades

event

select 
  devid, 
  from_dtime(dtime) as time_s, 
  info[1] as intf, 
  info[2] as prev_ver, 
  info[3] as new_ver 
from 
  (
    select 
      devid, 
      dtime, 
      regexp_matches(
        msg, 'from ([^ ]+) \\(([^ ]+) -> ([^)]+)\\)'
      ) as info 
    from 
      $log 
    where 
      $filter 
      and action = 'restore-image'
  ) t 
order by 
  time_s desc

Dataset Name

Description

Log Category

newthing-User-Upgrades

User Upgrades

fct-event

drop 
  table if exists rpt_tmptbl_1; 
drop 
  table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as ###(select distinct on (1, 2) fgtserial, hostname, deviceip, os, dtime from $log where $pre_period $filter and hostname is not null order by fgtserial, hostname, dtime desc)###; create temporary table rpt_tmptbl_2 as ###(select distinct on (1, 2) fgtserial, hostname, deviceip, os, dtime from $log where $filter and hostname is not null order by fgtserial, hostname, dtime desc)###; select distinct on (1, 2) t2.fgtserial as devid, t2.hostname, t2.deviceip, t1.os as prev_os, t2.os as cur_os, from_dtime(t1.dtime) as time_s from rpt_tmptbl_2 t2 inner join rpt_tmptbl_1 t1 on t2.fgtserial=t1.fgtserial and t2.hostname=t1.hostname and t2.os!=t1.os order by devid, t2.hostname, t1.dtime desc

Dataset Name

Description

Log Category

GTP-List-of-APN-Used

List of APNs Used

gtp

select 
  apn, 
  from_dtime(
    min(first_seen)
  ) as first_seen, 
  from_dtime(
    max(last_seen)
  ) as last_seen 
from 
  ###(select apn, min(dtime) as first_seen, max(dtime) as last_seen from $log where $filter and nullifna(apn) is not null group by apn order by last_seen desc)### t group by apn order by last_seen desc, first_seen

Dataset Name

Description

Log Category

GTP-Top-APN-by-Bytes

Top APNs by Bytes

gtp

select 
  apn, 
  sum(
    coalesce(`u-bytes`, 0)
  ) as total_bytes 
from 
  $log 
where 
  $filter 
  and nullifna(apn) is not null 
  and status = 'traffic-count' 
group by 
  apn 
having 
  sum(
    coalesce(`u-bytes`, 0)
  )& gt; 0 
order by 
  total_bytes desc

Dataset Name

Description

Log Category

GTP-Top-APN-by-Duration

Top APNs by Duration

gtp

select 
  apn, 
  sum(
    coalesce(duration, 0)
  ) as total_dura 
from 
  $log 
where 
  $filter 
  and nullifna(apn) is not null 
  and status = 'traffic-count' 
group by 
  apn 
having 
  sum(
    coalesce(duration, 0)
  )>0 
order by 
  total_dura desc

Dataset Name

Description

Log Category

GTP-Top-APN-by-Packets

Top APNs by Number of Packets

gtp

select 
  apn, 
  sum(
    coalesce(`u-pkts`, 0)
  ) as total_num 
from 
  $log 
where 
  $filter 
  and nullifna(apn) is not null 
  and status = 'traffic-count' 
group by 
  apn 
having 
  sum(
    coalesce(`u-pkts`, 0)
  )& gt; 0 
order by 
  total_num desc

Dataset Name

Description

Log Category

Top10-dns-Botnet-Domain-IP

Top Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  malware_type, 
  action, 
  count(distinct srcip) as victims, 
  count(distinct sources_s) as sources, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc

Dataset Name

Description

Log Category

dns-Botnet-Usage

Top Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  malware_type, 
  action, 
  count(distinct srcip) as victims, 
  count(distinct sources_s) as sources, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc

Dataset Name

Description

Log Category

Dns-Detected-Botnet

Top Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  malware_type, 
  action, 
  count(distinct srcip) as victims, 
  count(distinct sources_s) as sources, 
  sum(total_num) as total_num 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc

Dataset Name

Description

Log Category

dns-Botnet-Domain-IP

Queried Botnet C&C Domains and IPs

dns

select 
  domain, 
  srcip, 
  sevid, 
  (
    CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END
  ) as severity 
from 
  ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action, srcip, sevid order by sevid desc)### t group by domain, srcip, sevid order by sevid desc, domain

Dataset Name

Description

Log Category

dns-High-Risk-Source

High Risk Sources

dns

select 
  srcip, 
  sum(total_num) as total_num, 
  sum(
    case when sevid = 5 then total_num else 0 end
  ) as num_cri, 
  sum(
    case when sevid = 4 then total_num else 0 end
  ) as num_hig, 
  sum(
    case when sevid = 3 then total_num else 0 end
  ) as num_med 
from 
  ###(select srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from $log where $filter and srcip is not null group by srcip, sevid order by total_num desc)### t where sevid>=3 group by srcip having sum(total_num)>0 order by total_num desc

Dataset Name

Description

Log Category

dns-DNS-Request-Over-Time

DNS Request Over Time

dns

select 
  $flex_timescale(timestamp) as timescale, 
  sum(
    case when sevid = 5 then total_num else 0 end
  ) as num_cri, 
  sum(
    case when sevid = 4 then total_num else 0 end
  ) as num_hig, 
  sum(
    case when sevid = 3 then total_num else 0 end
  ) as num_med, 
  sum(
    case when sevid = 2 then total_num else 0 end
  ) as num_inf, 
  sum(
    case when sevid = 1 then total_num else 0 end
  ) as num_low 
from 
  ###(select $flex_timestamp as timestamp, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from $log where $filter group by timestamp, sevid order by total_num desc)### t group by timescale order by timescale

Dataset Name

Description

Log Category

dns-Top-Queried-Domain

Top Queried Domain

dns

select 
  qname, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and qname is not null 
group by 
  qname 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Top-Domain-Lookup-Failure-Bar

Top Domain Lookup Failures

dns

select 
  qname, 
  srcip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and qname is not null 
  and (
    action = 'block' 
    or logid_to_int(logid)= 54001
  ) 
group by 
  qname, 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Top-Domain-Lookup-Failure-Table

Top Domain Lookup Failures

dns

select 
  qname, 
  srcip, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and qname is not null 
  and (
    action = 'block' 
    or logid_to_int(logid)= 54001
  ) 
group by 
  qname, 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Query-Timeout

Query Timeout

dns

select 
  srcip, 
  qname, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and srcip is not null 
  and logid_to_int(logid)= 54001 
group by 
  qname, 
  srcip 
order by 
  total_num desc

Dataset Name

Description

Log Category

dns-Blocked-Query

Blocked Queries

dns

select 
  srcip, 
  msg, 
  count(*) as total_num 
from 
  $log 
where 
  $filter 
  and srcip is not null 
  and action = 'block' 
group by 
  srcip, 
  msg 
order by 
  total_num desc

Dataset Name

Description

Log Category

perf-stat-cpu-usage-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-mem-usage-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-disk-usage-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-sessions-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-lograte-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-connections-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-bandwidth-drilldown

Fortigate resource detail timeline

event

select 
  $flex_timescale(timestamp) as hodex, 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak, 
  cast(
    sum(cps)/ sum(count) as decimal(10, 0)
  ) as cps_ave, 
  max(cps_peak) as cps_peak 
from 
  ###(select $flex_timestamp as timestamp, devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak from $log where $filter and action='perf-stats' group by timestamp, devid)### t where $filter-drilldown group by hodex, devid order by hodex

Dataset Name

Description

Log Category

perf-stat-usage-summary-average

Fortigate resource summary view

event

select 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak 
from 
  ###(select devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak from $log where $filter and action='perf-stats' group by devid)### t group by devid order by devid

Dataset Name

Description

Log Category

perf-stat-usage-summary-peak

Fortigate resource summary view

event

select 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak 
from 
  ###(select devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak from $log where $filter and action='perf-stats' group by devid)### t group by devid order by devid

Dataset Name

Description

Log Category

perf-stat-usage-details-drilldown-master

Fortigate resource summary view

event

select 
  devid, 
  cast(
    sum(total_cpu)/ sum(count) as decimal(6, 0)
  ) as cpu_ave, 
  cast(
    sum(total_mem)/ sum(count) as decimal(6, 0)
  ) as mem_ave, 
  cast(
    sum(total_disk)/ sum(count) as decimal(6, 0)
  ) as disk_ave, 
  cast(
    (
      sum(
        total_trate + total_erate + total_orate
      )
    )/ 100.00 / sum(count) as decimal(10, 2)
  ) as log_rate, 
  cast(
    sum(totalsession)/ sum(count) as decimal(10, 0)
  ) as sessions, 
  cast(
    sum(sent)/ sum(count) as decimal(10, 0)
  ) as sent_kbps, 
  cast(
    sum(recv)/ sum(count) as decimal(10, 0)
  ) as recv_kbps, 
  cast(
    sum(sent + recv)/ sum(count) as decimal(10, 0)
  ) as transmit_kbps, 
  max(mem_peak) as mem_peak, 
  max(disk_peak) as disk_peak, 
  max(cpu_peak) as cpu_peak, 
  cast(
    max(lograte_peak)/ 100.00 as decimal(10, 2)
  ) as lograte_peak, 
  max(session_peak) as session_peak, 
  max(transmit_peak) as transmit_kbps_peak 
from 
  ###(select devid, count(*) as count, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak from $log where $filter and action='perf-stats' group by devid)### t group by devid order by devid

Dataset Name

Description

Log Category

360-degree-security-Application-Visiblity-and-Control-Summary

Application Visibolity and Control Summary

app-ctrl

select 
  appcat, 
  count(distinct app) as total_num 
from 
  ###(select appcat, app from $log where $filter and app is not null and appcat is not null group by appcat, app)### t group by appcat order by total_num desc

Dataset Name

Description

Log Category

360-degree-security-Threats-Detection-and-Prevention-Summary

Threat Prevention

app-ctrl

select 
  threat_name, 
  count(distinct threats) as total_num 
from 
  (
    ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, app as threats from $log-app-ctrl where $filter and lower(appcat)='botnet' group by app)### union all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, virus as threats from $log-virus where $filter and nullifna(virus) is not null group by virus)### union all ###(select cast('Malicious & Phishing Sites' as char(32)) as threat_name, hostname as threats from $log-webfilter where $filter and cat in (26, 61) group by hostname)### union all ###(select cast('Critical & High Intrusion Attacks' as char(32)) as threat_name, attack as total_num from $log-attack where $filter and severity in ('critical', 'high') group by attack)###) t group by threat_name order by total_num desc

Dataset Name

Description

Log Category

360-degree-security-Data-Exfiltration-Detection-and-Prevention-Summary

Data Exfiltration Summary

dlp

select 
  data_loss, 
  count(*) as total_num 
from 
  (
    select 
      (
        case when severity = 'critical' then 'Critical Data Exfiltration' else (
          case when coalesce(
            nullifna(`user`), 
            ipstr(`srcip`)
          ) is not null then 'User Associated Data Loss' else NULL end
        ) end
      ) as data_loss 
    from 
      $log 
    where 
      $filter
  ) t 
where 
  data_loss is not null 
group by 
  data_loss 
order by 
  total_num desc

Dataset Name

Description

Log Category

360-degree-security-Endpoint-Protection-Summary

Endpoint Protection

fct-traffic

select 
  blocked_event, 
  count(*) as total_num 
from 
  (
    select 
      (
        case utmevent when 'antivirus' then 'Malware Deteced and Blocked' when 'appfirewall' then 'Risk Application Blocked' when 'webfilter' then (
          case when coalesce(
            nullifna(`user`), 
            ipstr(`srcip`)
          ) is not null then 'Web Sites Violation Blocked' else 'Non User Initiated Web Visits' end
        ) else NULL end
      ) as blocked_event 
    from 
      $log 
    where 
      $filter 
      and utmaction in ('blocked', 'quarantined')
  ) t 
where 
  blocked_event is not null 
group by 
  blocked_event 
order by 
  total_num desc