Dataset Reference List
The following tables list the datasets included with FortiAnalyzer. The tables contain the name, SQL query syntax, and log category for each dataset.
Dataset Name |
Description |
Log Category |
---|---|---|
Traffic-Bandwidth-Summary-Day-Of-Month |
Traffic bandwidth timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in from ###(select timestamp, sum(bandwidth) as bandwidth, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)base### base_query group by timestamp order by bandwidth desc, sessions desc)### t where $filter-drilldown group by hodex having sum(traffic_out+traffic_in)>0 order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Session-Summary-Day-Of-Month |
Number of session timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(sessions) as sessions from ###(select timestamp, sum(bandwidth) as bandwidth, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)base### base_query group by timestamp order by bandwidth desc, sessions desc)### t where $filter-drilldown group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Users-By-Bandwidth |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-App-By-Bandwidth |
Top applications by bandwidth usage |
traffic |
select app_group_name(app) as app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by app_group having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-User-Source-By-Sessions |
Top user source by session count |
traffic |
select user_src, sum(sessions) as sessions from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as sessions from $log where $filter and (logflag&1>0) group by user_src order by sessions desc)### t group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-App-By-Sessions |
Top applications by session count |
traffic |
select app_group, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, appcat, service, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by app_group, appcat, service order by bandwidth desc)### t group by app_group order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Destination-Addresses-By-Sessions |
Top destinations by session count |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(dstip) ) as domain, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by domain order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Destination-Addresses-By-Bandwidth |
Top destinations by bandwidth usage |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(dstip) ) as domain, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out from $log where $filter and ( logflag&1>0 ) and coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) is not null group by domain having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
DHCP-Summary-By-Port |
Event top dhcp summary |
event |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; drop table if exists rpt_tmptbl_3; create temporary table rpt_tmptbl_1 as select devintf, mac from ###(select concat(interface, '.', devid) as devintf, mac from $log where $last3day_period $filter and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by devintf, mac)### t group by devintf, mac; create temporary table rpt_tmptbl_2 as select devintf, mac from ###(select concat(interface, '.', devid) as devintf, mac from $log where $filter and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by devintf, mac)### t group by devintf, mac; create temporary table rpt_tmptbl_3 as select distinct on (1) devintf, cast(used*100.0/total as decimal(18,2)) as percent_of_allocated_ip from ###(select distinct on (devintf) concat(interface, '.', devid) as devintf, used, total, itime from $log where $filter and logid_to_int(logid)=26003 and total>0 /*SkipSTART*/order by devintf, itime desc/*SkipEND*/)### t order by devintf, itime desc; select t1.devintf as interface, percent_of_allocated_ip, new_cli_count from rpt_tmptbl_3 t1 inner join (select devintf, count(mac) as new_cli_count from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.mac=rpt_tmptbl_1.mac) group by devintf) t2 on t1.devintf=t2.devintf order by interface, percent_of_allocated_ip desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Wifi-Client-By-Bandwidth |
Traffic top WiFi client by bandwidth usage |
traffic |
select user_src, srcssid, devtype_new, hostname_mac, sum(bandwidth) as bandwidth from ( select user_src, srcssid, get_devtype(srcswversion, osname, devtype) as devtype_new, hostname_mac, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by user_src, srcssid, devtype_new, hostname_mac having sum(bandwidth)>0 union all select user_src, ssid as srcssid, null as devtype_new, stamac as hostname_mac, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where user_src is not null group by user_src, ssid, devtype_new, stamac having sum(bandwidth)>0) t group by user_src, srcssid, devtype_new, hostname_mac order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Traffic-History-By-Active-User |
Traffic history by active user |
traffic |
select $flex_timescale(timestamp) as hodex, count( distinct(user_src) ) as total_user from ###(select timestamp, user_src, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)base### base_query group by timestamp, user_src order by sessions desc)### t where $filter-drilldown group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Allowed-Websites-By-Requests |
UTM top allowed web sites by request |
traffic |
select hostname, catdesc, count(*) as requests from $log where $filter and ( logflag&1>0 ) and utmevent in ( & #039;webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null and (utmaction not in ('block', 'blocked') or action!='deny') group by hostname, catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-50-Websites-By-Bandwidth |
Webfilter top allowed web sites by bandwidth usage |
traffic |
select domain, string_agg( distinct catdesc, & #039;, ') as agg_catdesc, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and utmaction!='blocked' and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by domain, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Blocked-Websites |
UTM top blocked web sites by request |
traffic |
select hostname, count(*) as requests from $log where $filter and ( logflag&1>0 ) and utmevent in ( & #039;webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null and (utmaction in ('block', 'blocked') or action='deny') group by hostname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Web-Users-By-Request |
UTM top web users by request |
traffic |
select user_src, devtype_new, srcname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, get_devtype(srcswversion, osname, devtype) as devtype_new, srcname, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log where $filter and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') group by user_src, devtype_new, srcname, action, utmaction order by requests desc)### t group by user_src, devtype_new, srcname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Allowed-WebSites-By-Bandwidth |
UTM top allowed websites by bandwidth usage |
traffic |
select appid, hostname, catdesc, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out from $log where $filter and ( logflag&1>0 ) and utmevent in ( & #039;webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by appid, hostname, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Blocked-Web-Users |
UTM top blocked web users |
traffic |
select user_src, devtype_new, srcname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, get_devtype(srcswversion, osname, devtype) as devtype_new, srcname, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log where $filter and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') group by user_src, devtype_new, srcname, action, utmaction order by requests desc)### t where (utmaction in ('block', 'blocked') or action='deny') group by user_src, devtype_new, srcname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-20-Web-Users-By-Bandwidth |
Webfilter top web users by bandwidth usage |
traffic |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select dvid, f_user, srcip, ep_id, eu_id, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by dvid, f_user, srcip, ep_id, eu_id having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by dvid, f_user, srcip, ep_id, eu_id order by bandwidth desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Web-Users-By-Bandwidth |
UTM top web users by bandwidth usage |
traffic |
select user_src, devtype_new, srcname, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, get_devtype(srcswversion, osname, devtype) as devtype_new, srcname, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log where $filter and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') group by user_src, devtype_new, srcname, action, utmaction order by requests desc)### t group by user_src, devtype_new, srcname having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Video-Streaming-Websites-By-Bandwidth |
UTM top video streaming websites by bandwidth usage |
traffic |
select appid, hostname, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out from $log where $filter and ( logflag&1>0 ) and catdesc in ( & #039;Streaming Media and Download') group by appid, hostname having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Senders-By-Count |
Default top email senders by count |
traffic |
select user_src, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as requests from $log where $filter and (logflag&1>0) group by user_src, service order by requests desc)### t where service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Receivers-By-Count |
Default email top receivers by count |
traffic |
select user_src, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as requests from $log where $filter and (logflag&1>0) group by user_src, service order by requests desc)### t where service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Senders-By-Bandwidth |
Default email top senders by bandwidth usage |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and service in ( & #039;smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Receivers-By-Bandwidth |
Default email top receivers by bandwidth usage |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and service in ( & #039;pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Malware-By-Name |
UTM top virus |
virus |
select virus, max(virusid_s) as virusid, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(totalnum) as totalnum from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Virus-By-Name |
UTM top virus |
virus |
select virus, max(virusid_s) as virusid, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(totalnum) as totalnum from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Virus-Victim |
UTM top virus user |
virus |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, eventtype, logver, virus, count(*) as totalnum from $log where $filter group by user_src, eventtype, logver, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where nullifna(virus) is not null group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attack-Source |
UTM top attack source |
attack |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, eventtype, logver, count(*) as totalnum from $log where $filter group by user_src, eventtype, logver /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attack-Victim |
UTM top attack dest |
attack |
select victim, count(*) as totalnum from ( select ( CASE WHEN direction =& #039;incoming' THEN srcip ELSE dstip END) as victim from $log where $filter) t where victim is not null group by victim order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Static-IPSEC-Tunnels-By-Bandwidth |
Top static IPsec tunnels by bandwidth usage |
event |
select vpn_name, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, tunnelid, vpn_name, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Tunnel-Users-By-Bandwidth |
Top SSL VPN tunnel users by bandwidth usage |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, user_src, tunnelid, min(s_time) as s_time, max(e_time) as e_time, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-tunnel' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dial-Up-IPSEC-Tunnels-By-Bandwidth |
Top dial up IPsec tunnels by bandwidth usage |
event |
select vpn_name, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, tunnelid, remip, vpn_name, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where not (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_out+traffic_in)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dial-Up-IPSEC-Users-By-Bandwidth |
Top dial up IPsec users by bandwidth usage |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, remip, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src, remip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dial-Up-IPSEC-Users-By-Duration |
Top dial up IPsec users by duration |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_duration) else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Web-Mode-Users-By-Bandwidth |
Top SSL VPN web mode users by bandwidth usage |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Web-Mode-Users-By-Duration |
Top SSL VPN web mode users by duration |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(duration) as duration from ( select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Users-By-Duration |
Top SSL VPN users by duration |
event |
select user_src, tunneltype, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, user_src, tunneltype, tunnelid, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t group by devid, vd, remip, user_src, tunnelid, tunneltype) tt where bandwidth>0 group by user_src, tunneltype order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-User-Login-history |
VPN user login history |
event |
select $flex_timescale(timestamp) as hodex, sum(tunnelup) as total_num from ( select timestamp, devid, vd, remip, tunnelid, max(tunnelup) as tunnelup, max(traffic_in) as traffic_in, max(traffic_out) as traffic_out from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, max((case when action='tunnel-up' then 1 else 0 end)) as tunnelup, max(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null group by timestamp, devid, vd, remip, tunnelid /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, vd, remip, tunnelid having max(traffic_in)+max(traffic_out)>0) t group by hodex order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Failed-Login-Atempts |
VPN failed logins |
event |
select f_user, tunneltype, sum(total_num) as total_num from ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Traffic-Usage-Trend-VPN-Summary |
VPN traffic usage trend |
event |
select hodex, sum(ssl_traffic_bandwidth) as ssl_bandwidth, sum(ipsec_traffic_bandwidth) as ipsec_bandwidth from ( select $flex_timescale(timestamp) as hodex, devid, vd, remip, tunnelid, ( case when t_type like & #039;ssl%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ssl_traffic_bandwidth, (case when t_type like 'ipsec%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ipsec_traffic_bandwidth, min(s_time) as s_time, max(e_time) as e_time from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where action in ('tunnel-up','tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by hodex, devid, t_type, vd, remip, tunnelid) tt group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-S2S-IPSEC-Tunnels-By-Bandwidth-and-Availability |
Top S2S IPsec tunnels by bandwidth usage and avail |
event |
select vpntunnel, tunneltype, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select vpntunnel, tunneltype, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, tunneltype, vpntunnel, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and (tunnelip is null or tunnelip='0.0.0.0') and nullifna(`user`) is null and tunnelid is not null and tunnelid!=0 group by tunnelid, tunneltype, vpntunnel, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by vpntunnel, tunneltype, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by vpntunnel, tunneltype order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dialup-IPSEC-By-Bandwidth-and-Availability |
Top dialup IPsec users by bandwidth usage and avail |
event |
select user_src, remip, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select user_src, remip, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and tunnelid is not null and tunnelid!=0 group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-Tunnel-Mode-By-Bandwidth-and-Availability |
Top SSL tunnel users by bandwidth usage and avail |
event |
select user_src, remote_ip, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select user_src, remip as remote_ip, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, tunneltype, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, tunneltype, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t where tunneltype in ('ssl-tunnel', 'ssl') group by user_src, remote_ip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-Web-Mode-By-Bandwidth-and-Availability |
Top SSL web users by bandwidth usage and avail |
event |
select user_src, remote_ip, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select user_src, remip as remote_ip, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, tunneltype, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, tunneltype, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t where tunneltype='ssl-web' group by user_src, remote_ip, tunnelid, devid, vd having sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0 order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Admin-Login-Summary |
Event admin login summary |
event |
select f_user, ui, sum(login) as total_num, sum(login_duration) as total_duration, sum(config_change) as total_change from ( select `user` as f_user, ui, ( case when logid_to_int(logid)= 32001 then 1 else 0 end ) as login, ( case when logid_to_int(logid)= 32003 then duration else 0 end ) as login_duration, ( case when logid_to_int(logid)= 32003 and state is not null then 1 else 0 end ) as config_change from $log where $filter and nullifna(`user`) is not null and logid_to_int(logid) in (32001, 32003) ) t group by f_user, ui having sum(login)+ sum(config_change)> 0 order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Admin-Login-Summary-By-Date |
Event admin login summary by date |
event |
select $flex_timescale(timestamp) as dom, sum(total_num) as total_num, sum(total_change) as total_change from ###(select timestamp, sum(login) as total_num, sum(config_change) as total_change from (select $flex_timestamp as timestamp, (case when logid_to_int(logid)=32001 then 1 else 0 end) as login, (case when logid_to_int(logid)=32003 and state is not null then 1 else 0 end) as config_change from $log where $filter and logid_to_int(logid) in (32001, 32003)) t group by timestamp having sum(login)+sum(config_change)>0 /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
Admin-Failed-Login-Summary |
Event admin failed login summary |
event |
select `user` as f_user, ui, count(status) as total_failed from $log where $filter and nullifna(`user`) is not null and logid_to_int(logid) = 32002 group by ui, f_user order by total_failed desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-Summary-By-Severity |
Event system summary by severity |
event |
select severity_tmp as severity, sum(count) as total_num from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t group by severity order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-Summary-By-Date |
Event system summary by date |
event |
select $flex_timescale(timestamp) as dom, sum(critical) as critical, sum(high) as high, sum(medium) as medium from ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
Important-System-Summary-By-Date |
Event system summary by date |
event |
select $flex_timescale(timestamp) as dom, sum(critical) as critical, sum(high) as high, sum(medium) as medium from ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
System-Critical-Severity-Events |
Event system critical severity events |
event |
select msg_desc as msg, severity_tmp as severity, sum(count) as counts from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t where severity_tmp='Critical' group by msg, severity_tmp order by counts desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-High-Severity-Events |
Event system high severity events |
event |
select msg_desc as msg, severity_tmp as severity, sum(count) as counts from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t where severity_tmp='High' group by msg, severity_tmp order by counts desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-Medium-Severity-Events |
Event system medium severity events |
event |
select msg_desc as msg, severity_tmp as severity, sum(count) as counts from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t where severity_tmp='Medium' group by msg, severity_tmp order by counts desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Traffic-Summary |
UTM drilldown traffic summary |
traffic |
select srcip, srcname from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, srcname, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by user_src, srcip, srcname order by bandwidth desc)### t where $filter-drilldown group by srcip, srcname
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-User-Destination |
UTM drilldown top user destination |
traffic |
select appid, app, dstip, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, app, dstip, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and dstip is not null and nullifna(app) is not null group by user_src, appid, app, dstip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t where $filter-drilldown group by appid, app, dstip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Email-Senders-Summary |
UTM drilldown email senders summary |
traffic |
select sum(requests) as requests, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src, sender order by requests desc)### t where $filter-drilldown
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Email-Receivers-Summary |
UTM drilldown email receivers summary |
traffic |
select sum(requests) as requests, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and recipient is not null and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src, recipient order by requests desc)### t where $filter-drilldown
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Email-Recipients-By-Bandwidth |
UTM drilldown top email recipients |
traffic |
select recipient, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and recipient is not null and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src, recipient order by requests desc)### t where $filter-drilldown group by recipient having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Email-Senders-By-Bandwidth |
UTM drilldown top email senders |
traffic |
select sender, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src, sender order by requests desc)### t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Allowed-Websites-By-Bandwidth |
UTM drilldown top allowed web sites by bandwidth |
traffic |
select appid, hostname, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, hostname, (case when utmaction in ('block', 'blocked') then 1 else 0 end) as blocked, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and hostname is not null group by user_src, appid, hostname, blocked order by bandwidth desc)### t where $filter-drilldown and blocked=0 group by appid, hostname order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Blocked-Websites-By-Request |
UTM drilldown top blocked web sites by request |
webfilter |
select appid, hostname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, 0 as appid, hostname, (case when action='blocked' then 1 else 0 end) as blocked, count(*) as requests from $log where $filter and hostname is not null group by user_src, appid, hostname, blocked order by requests desc)### t where $filter-drilldown and blocked=1 group by appid, hostname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Virus-By-Name |
UTM drilldown top virus |
virus |
select virus, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by user_src, virus order by totalnum desc)### t where $filter-drilldown group by virus order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Attacks |
UTM drilldown top attacks by name |
attack |
select attack, sum(attack_count) as attack_count from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack order by attack_count desc)### t where $filter-drilldown group by attack order by attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Vulnerability |
UTM drilldown top vulnerability by name |
netscan |
select vuln, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, vuln, count(*) as totalnum from $log where $filter and action='vuln-detection' and vuln is not null group by user_src, vuln order by totalnum desc)### t where $filter-drilldown group by vuln order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-App-By-Bandwidth |
UTM drilldown top applications by bandwidth usage |
traffic |
select appid, app, sum(bandwidth) as bandwidth from ###(select user_src, appid, app, appcat, apprisk, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by user_src, appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t where $filter-drilldown group by appid, app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-App-By-Sessions |
UTM drilldown top applications by session count |
traffic |
select appid, app, sum(sessions) as sessions from ###(select user_src, appid, app, appcat, apprisk, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by user_src, appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t where $filter-drilldown group by appid, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top5-Users-By-Bandwidth |
UTM drilldown top users by bandwidth usage |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as dldn_user, count(*) as session, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(sentbyte, 0) ) as traffic_out, sum( coalesce(rcvdbyte, 0) ) as traffic_in from $log where $filter and ( logflag&1>0 ) group by dldn_user having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-App-By-Bandwidth-Sessions |
Top applications by bandwidth usage |
traffic |
select app_group_name(app) as app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by app_group having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Category-By-Bandwidth |
Application Risk Application Usage by Category |
traffic |
select appcat, sum(bandwidth) as bandwidth from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t where $filter-drilldown and nullifna(appcat) is not null group by appcat having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Users-By-Bandwidth-Sessions |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Traffic-By-Active-User-Number |
Bandwidth application traffic by active user number |
traffic |
select $flex_timescale(timestamp) as hodex, count(distinct user_src) as total_user from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log where $filter and (logflag&(1|32)>0) group by timestamp, user_src order by sessions desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Dest-By-Bandwidth-Sessions |
Bandwidth application top dest by bandwidth usage sessions |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) as dst, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by dst order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Policies-By-Bandwidth-Sessions |
Top policies by bandwidth and sessions |
traffic |
select coalesce( pol.name, cast(policyid as text) ) as polid, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select policyid, poluuid, sum(coalesce(rcvddelta, rcvdbyte, 0) + coalesce(sentdelta, sentbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log where $filter and (logflag&(1|32)>0) group by policyid, poluuid order by bandwidth desc)### t1 left join $ADOMTBL_PLHD_POLINFO pol on t1.poluuid=pol.uuid group by polid order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Traffic-Statistics |
Bandwidth application traffic statistics |
traffic |
drop table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1( total_sessions varchar(255), total_bandwidth varchar(255), ave_session varchar(255), ave_bandwidth varchar(255), active_date varchar(255), total_users varchar(255), total_app varchar(255), total_dest varchar(255) ); insert into rpt_tmptbl_1 ( total_sessions, total_bandwidth, ave_session, ave_bandwidth ) select format_numeric_no_decimal( sum(sessions) ) as total_sessions, bandwidth_unit( sum(bandwidth) ) as total_bandwidth, format_numeric_no_decimal( cast( sum(sessions)/ $days_num as decimal(18, 0) ) ) as ave_session, bandwidth_unit( cast( sum(bandwidth)/ $days_num as decimal(18, 0) ) ) as ave_bandwidth from ###(select timestamp, sum(bandwidth) as bandwidth, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### base_query group by timestamp order by bandwidth desc, sessions desc)### t; update rpt_tmptbl_1 set active_date=t1.dom from (select dom, sum(sessions) as sessions from ###(select $DAY_OF_MONTH as dom, count(*) as sessions from $log where $filter and (logflag&(1|32)>0) group by dom order by sessions desc)### t group by dom order by sessions desc limit 1) as t1; update rpt_tmptbl_1 set total_users=t2.totalnum from (select format_numeric_no_decimal(count(distinct(user_src))) as totalnum from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t) as t2; update rpt_tmptbl_1 set total_app=t3.totalnum from (select format_numeric_no_decimal(count(distinct(app_group_name(app)))) as totalnum from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t) as t3; update rpt_tmptbl_1 set total_dest=t4.totalnum from (select format_numeric_no_decimal(count(distinct(dstip))) as totalnum from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t ) as t4; select 'Total Sessions' as summary, total_sessions as stats from rpt_tmptbl_1 union all select 'Total Bytes Transferred' as summary, total_bandwidth as stats from rpt_tmptbl_1 union all select 'Most Active Date By Sessions' as summary, active_date as stats from rpt_tmptbl_1 union all select 'Total Users' as summary, total_users as stats from rpt_tmptbl_1 union all select 'Total Applications' as summary, total_app as stats from rpt_tmptbl_1 union all select 'Total Destinations' as summary, total_dest as stats from rpt_tmptbl_1 union all select 'Average Sessions Per Day' as summary, ave_session as stats from rpt_tmptbl_1 union all select 'Average Bytes Per Day' as summary, ave_bandwidth as stats from rpt_tmptbl_1
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Bandwidth-Usage-Summary |
Application Traffic Usage Timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in from ###(select timestamp, sum(bandwidth) as bandwidth, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### base_query group by timestamp order by bandwidth desc, sessions desc)### t where $filter-drilldown group by hodex having sum(bandwidth)>0 order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Sessions-Summary |
Number of session timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(sessions) as sessions from ###(select timestamp, sum(bandwidth) as bandwidth, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)base### base_query group by timestamp order by bandwidth desc, sessions desc)### t where $filter-drilldown group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-App-Bandwidth-Usage |
Top Application by Bandwidth |
traffic |
select app, appcat, count(distinct user_src) as num_user, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t where $filter-drilldown group by app, appcat having sum(bandwidth) > 0 order by bandwidth desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-App-Category-By-Bandwidth |
Application Risk Application Usage by App and Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Active-User-Count-Timeline |
Bandwidth application traffic by active user number |
traffic |
select $flex_timescale(timestamp) as hodex, count(distinct user_src) as total_user from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log where $filter and (logflag&(1|32)>0) group by timestamp, user_src order by sessions desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Dest-By-Bandwidth |
Bandwidth application top dest by bandwidth usage sessions |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) as dst, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by dst order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Dest-By-Session |
Bandwidth application top dest by bandwidth usage sessions |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) as dst, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by dst order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Bandwidth-Users |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Session-Users |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, user_src, hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by bandwidth desc, sessions desc)base### t group by appid, app, appcat, apprisk, user_src, hostname, dstip /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Score-Summary-For-All-Users-Devices |
Reputation score summary for all users devices |
traffic |
select $flex_timescale(timestamp) as hodex, sum(scores) as scores from ###(select $flex_timestamp as timestamp, sum(crscore%65536) as scores, count(*) as totalnum from $log where $filter and (logflag&1>0) and crscore is not null group by timestamp having sum(crscore%65536)>0 order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Number-Of-Incidents-For-All-Users-Devices |
Reputation number of incidents for all users devices |
traffic |
select $flex_timescale(timestamp) as hodex, sum(scores) as scores, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, sum(crscore%65536) as scores, count(*) as totalnum from $log where $filter and (logflag&1>0) and crscore is not null group by timestamp having sum(crscore%65536)>0 order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Users-By-Reputation-Scores |
Reputation top users by scores |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by user_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Devices-By-Reputation-Scores |
Reputation top devices by scores |
traffic |
select max( get_devtype(srcswversion, osname, devtype) ) as devtype_new, coalesce( nullifna(`srcname`), nullifna(`srcmac`), ipstr(`srcip`) ) as dev_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by dev_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Users-With-Increased-Scores |
Reputation top users with increased scores |
traffic |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select f_user, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_user; create temporary table rpt_tmptbl_2 as select f_user, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_user; select t1.f_user, sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_user=t2.f_user where t2.sum_rp_score > t1.sum_rp_score group by t1.f_user order by delta desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Devices-With-Increased-Scores |
Reputation top devices with increased scores |
traffic |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select f_device, devtype_new, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, get_devtype(srcswversion, osname, devtype) as devtype_new, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_device, devtype_new having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_device, devtype_new; create temporary table rpt_tmptbl_2 as select f_device, devtype_new, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, get_devtype(srcswversion, osname, devtype) as devtype_new, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_device, devtype_new having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_device, devtype_new; select t1.f_device, t1.devtype_new , sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_device=t2.f_device and t1.devtype_new=t2.devtype_new where t2.sum_rp_score > t1.sum_rp_score group by t1.f_device, t1.devtype_new order by delta desc
Dataset Name |
Description |
Log Category |
---|---|---|
Attacks-By-Severity |
Threat attacks by severity |
attack |
select ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity, count(*) as totalnum from $log where $filter group by severity order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attacks-Detected |
Threat top attacks detected |
attack |
select attack, attackid, cve, severity, sum(attack_count) as attack_count from ###(select attack, attackid, t1.severity, cve, (case when t1.severity = 'critical' then 1 when t1.severity = 'high' then 2 when t1.severity = 'medium' then 3 when t1.severity = 'low' then 4 else 5 end) as severity_level, count(*) as attack_count from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, severity_level, cve /*SkipSTART*/order by severity_level, attack_count desc/*SkipEND*/)### t group by attack, attackid, severity, severity_level, cve order by severity_level, attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attacks-Blocked |
Threat top attacks blocked |
attack |
select attack, count(*) as attack_count from $log where $filter and nullifna(attack) is not null and action not in ( & #039;detected', 'pass_session') group by attack order by attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Virus-Source |
Threat top virus source |
virus |
select source, hostname, sum(totalnum) as totalnum from ###(select source, ipstr(`victim`) as hostname, sum(totalnum) as totalnum from ( select (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by source, victim ) t group by source, hostname /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by source, hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Intrusion-in-Last-7-Days |
Threat intrusion timeline |
attack |
select $flex_timescale(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Virus-Time-Line |
Threat virus timeline |
virus |
select $flex_datetime(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Spyware-Victims |
Threat top spyware victims |
virus |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Riskware%' group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Spyware-by-Name |
Threat top spyware by name |
virus |
select virus, max(virusid_s) as virusid, sum(totalnum) as totalnum from ###(select filename, analyticscksum, service, fsaverdict, dtype, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by filename, analyticscksum, service, fsaverdict, dtype, user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Riskware%' group by virus order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Spyware-Source |
Threat top spyware source |
traffic |
select srcip, hostname, sum(totalnum) as totalnum from ###(select srcip, hostname, virus, count(*) as totalnum from $log where $filter and (logflag&1>0) group by srcip, hostname, virus order by totalnum desc)### t where virus like 'Riskware%' group by srcip, hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Spyware-Time-Line |
Threat spyware timeline |
virus |
select $flex_timescale(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, virus, count(*) as totalnum from $log where $filter group by timestamp, virus /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where virus like 'Riskware%' group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Adware-Victims |
Threat top adware victims |
virus |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Adware-by-Name |
Threat top adware by name |
virus |
select virus, max(virusid_s) as virusid, sum(totalnum) as totalnum from ###(select filename, analyticscksum, service, fsaverdict, dtype, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by filename, analyticscksum, service, fsaverdict, dtype, user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by virus order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Adware-Source |
Threat top adware source |
traffic |
select srcip, hostname, sum(totalnum) as totalnum from ###(select srcip, hostname, virus, count(*) as totalnum from $log where $filter and (logflag&1>0) group by srcip, hostname, virus order by totalnum desc)### t where virus like 'Adware%' group by srcip, hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Adware-Time-Line |
Threat adware timeline |
virus |
select $flex_timescale(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, virus, count(*) as totalnum from $log where $filter group by timestamp, virus /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where virus like 'Adware%' group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Intrusions-Timeline-By-Severity |
Threat intrusions timeline by severity |
attack |
select $flex_timescale(timestamp) as timescale, sum(critical) as critical, sum(high) as high, sum(medium) as medium, sum(low) as low, sum(info) as info from ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity in ('notice', 'low') then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale
Dataset Name |
Description |
Log Category |
---|---|---|
Important-Intrusions-Timeline-By-Severity |
Threat intrusions timeline by severity |
attack |
select $flex_timescale(timestamp) as timescale, sum(critical) as critical, sum(high) as high, sum(medium) as medium, sum(low) as low, sum(info) as info from ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity in ('notice', 'low') then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Intrusions-By-Types |
Threat top intrusions by types |
attack |
select vuln_type, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and vuln_type is not null group by vuln_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Critical-Severity-Intrusions |
Threat critical severity intrusions |
attack |
select attack, attackid, cve, vuln_type, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and t1.severity = & #039;critical' and nullifna(attack) is not null group by attack, attackid, cve, vuln_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
High-Severity-Intrusions |
Threat high severity intrusions |
attack |
select attack, attackid, vuln_type, cve, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and t1.severity =& #039;high' and nullifna(attack) is not null group by attack, attackid, vuln_type, cve order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Medium-Severity-Intrusions |
Threat medium severity intrusions |
attack |
select attack, vuln_type, cve, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and t1.severity =& #039;medium' and nullifna(attack) is not null group by attack, vuln_type, cve order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Intrusion-Victims |
Threat top intrusion victims |
attack |
select victim, sum(cri_num) as critical, sum(high_num) as high, sum(med_num) as medium, sum(cri_num + high_num + med_num) as totalnum from ###(select (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, sum((case when severity='critical' then 1 else 0 end)) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by victim)### t group by victim order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Intrusion-Sources |
Threat top intrusion sources |
attack |
select source, sum(cri_num) as critical, sum(high_num) as high, sum(med_num) as medium, sum(cri_num + high_num + med_num) as totalnum from ###(select (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, sum(case when severity='critical' then 1 else 0 end) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by source)### t group by source order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Blocked-Intrusions |
Threat top blocked intrusions |
attack |
select attack, attackid, ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity_name, sum(totalnum) as totalnum, vuln_type, (case when severity='critical' then 0 when severity='high' then 1 when severity='medium' then 2 when severity='low' then 3 when severity='info' then 4 else 5 end) as severity_number from ###(select attack, attackid, t1.severity, count(*) as totalnum, vuln_type, action from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, vuln_type, action order by totalnum desc)### t where action not in ('detected', 'pass_session') group by attack, attackid, severity, vuln_type order by severity_number, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Monitored-Intrusions |
Threat top monitored intrusions |
attack |
select attack, attackid, ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity_name, sum(totalnum) as totalnum, vuln_type, (case when severity='critical' then 0 when severity='high' then 1 when severity='medium' then 2 when severity='low' then 3 when severity='info' then 4 else 5 end) as severity_number from ###(select attack, attackid, t1.severity, count(*) as totalnum, vuln_type, action from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, vuln_type, action order by totalnum desc)### t where action in ('detected', 'pass_session') group by attack, attackid, severity, vuln_type order by severity_number, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Attacks-Over-HTTP-HTTPs |
Threat attacks over HTTP HTTPs |
attack |
select attack, attackid, ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity, count(*) as totalnum, (case when severity='critical' then 0 when severity='high' then 1 when severity='medium' then 2 when severity='low' then 3 when severity='info' then 4 else 5 end) as severity_number from $log where $filter and severity in ('critical', 'high', 'medium') and upper(service) in ('HTTP', 'HTTPS') group by attack, attackid, severity, severity_number order by severity_number, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OffWire |
Default access point detection summary by status off-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='no' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OffWire_table |
Default access point detection summary by status off-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='no' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OnWire |
Default access point detection summary by status on-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='yes' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OnWire_table |
Default access point detection summary by status on-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='yes' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Managed-AP-Summary |
Default managed access point summary |
event |
select ( case when ( action like & #039;%join%' and logid_to_int(logid) in (43522, 43551)) then 'Authorized' else 'Unauthorized' end) as ap_status, count(*) as totalnum from $log where $filter and logid_to_int(logid) in (43522, 43551) group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Managed-AP-Summary_table |
Default managed access point summary |
event |
select ( case when ( action like & #039;%join%' and logid_to_int(logid) in (43522, 43551)) then 'Authorized' else 'Unauthorized' end) as ap_status, count(*) as totalnum from $log where $filter and logid_to_int(logid) in (43522, 43551) group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Unclassified-AP-Summary |
Default unclassified access point summary |
event |
select ( case onwire when & #039;no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end) as ap_status, count(*) as totalnum from ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Unclassified-AP-Summary_table |
Default unclassified access point summary |
event |
select ( case onwire when & #039;no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end) as ap_status, count(*) as totalnum from ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-selected-AP-Details-OffWire |
Default selected access point details off-wire |
event |
select ( case apstatus when 0 then & #039;unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, from_dtime(min(first_seen)) as first_seen, from_dtime(max(last_seen)) as last_seen, detectionmethod, itime, onwire as on_wire from ###(select apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, min(dtime) as first_seen, max(dtime) as last_seen, detectionmethod, itime, onwire from $log where $filter and apstatus is not null and bssid is not null and logid_to_int(logid) in (43521, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire order by itime desc)### t where onwire='no' group by ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire, apstatus order by itime desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-selected-AP-Details-OnWire |
Default selected access point details on-wire |
event |
select ( case apstatus when 0 then & #039;unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, from_dtime(min(first_seen)) as first_seen, from_dtime(max(last_seen)) as last_seen, detectionmethod, itime, onwire as on_wire from ###(select apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, min(dtime) as first_seen, max(dtime) as last_seen, detectionmethod, itime, onwire from $log where $filter and apstatus is not null and bssid is not null and logid_to_int(logid) in (43521, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire order by itime desc)### t where onwire='yes' group by ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire, apstatus order by itime desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Client-Details |
Event wireless client details |
event |
drop table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1 as select ip, lmac, sn, ssid, channel, radioband, min(first) as first, max(last) as last from ###(select ip, lower(mac) as lmac, sn, ssid, channel, radioband, min(dtime) as first, max(dtime) as last from $log-event where $filter and ip is not null and mac is not null and sn is not null and ssid is not null group by ip, lmac, sn, ssid, channel, radioband order by ip)### t group by ip, lmac, sn, ssid, channel, radioband; select user_src, ip, lmac, sn, ssid, channel, radioband, from_dtime(first) as first_seen, from_dtime(last) as last_seen, cast(volume as decimal(18,2)) as bandwidth from (select * from rpt_tmptbl_1 inner join (select user_src, srcip, sum(volume) as volume from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as volume from $log-traffic where $filter-time and (logflag&1>0) and srcip is not null group by user_src, srcip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by volume desc)### t group by user_src, srcip order by user_src, srcip) t on rpt_tmptbl_1.ip = t.srcip) t order by volume desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Accepted-Offwire |
Event wireless accepted off-wire |
event |
select & #039;accepted' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=2 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Accepted-Onwire |
Event wireless accepted on-wire |
event |
select & #039;accepted' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=2 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Rogue-Offwire |
Event wireless rogue off-wire |
event |
select & #039;rogue' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=1 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Rogue-Onwire |
Event wireless rogue on-wire |
event |
select & #039;rogue' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=1 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Suppressed-Offwire |
Event wireless suppressed off-wire |
event |
select & #039;suppressed' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=3 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Suppressed-Onwire |
Event wireless suppressed on-wire |
event |
select & #039;suppressed' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=3 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Unclassified-Offwire |
Event wireless unclassified off-wire |
event |
select & #039;unclassified' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=0 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Unclassified-Onwire |
Event wireless unclassified on-wire |
event |
select & #039;unclassified' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=0 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Top-IPSEC-Vpn-Dial-Up-User-By-Bandwidth |
Default top IPsec VPN dial up user by bandwidth usage |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Top-Sources-Of-SSL-VPN-Tunnels-By-Bandwidth |
Default top sources of SSL VPN tunnels by bandwidth usage |
event |
select remip as remote_ip, sum(bandwidth) as bandwidth from ( select devid, vd, remip, tunnelid, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where t_type like 'ssl%' and action in ('tunnel-up','tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, tunnelid) t group by remote_ip having sum(traffic_in+traffic_out)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-Connection-Count-by-Type |
VPN authenticated logins |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as f_user, t_type as tunneltype, from_dtime( min(s_time) ) as start_time, count(distinct tunnelid) as total_num, sum(duration) as duration from ( select string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, devid, vd, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then NULL else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, count(distinct tunnelid) as total_num from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-User-Count-by-Type |
VPN Login User Count by VPN Type |
event |
select type_agg, count(distinct f_user) as num_user from ( select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as f_user, string_agg( distinct t_type, & #039; ') as type_agg from (select string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, devid, vd, remip, tunnelid, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by f_user) ttt group by type_agg order by num_user desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-Total-Bandwidth-by-Type |
VPN Login Total Bandwidth by VPN Type |
event |
select t_type, sum(bandwidth) as total_bandwidth from ( select t_type, devid, vd, remip, tunnelid, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by t_type order by total_bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-Attempt-by-Type |
VPN Login Attempts by VPN Type |
event |
select ( case when action like & #039;%fail' then 'Failed' else 'Success' end) as type, sum(total_num) as total_num from ###(select coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('ssl-login-fail', 'ipsec-login-fail', 'tunnel-up', 'tunnel-stats', 'tunnel-down') group by f_user, tunneltype, action order by total_num desc)### t group by type order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Traffic-Usage-Trend |
VPN traffic usage trend |
event |
select hodex, sum(ssl_traffic_bandwidth) as ssl_bandwidth, sum(ipsec_traffic_bandwidth) as ipsec_bandwidth from ( select $flex_timescale(timestamp) as hodex, devid, vd, remip, tunnelid, ( case when t_type like & #039;ssl%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ssl_traffic_bandwidth, (case when t_type like 'ipsec%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ipsec_traffic_bandwidth, min(s_time) as s_time, max(e_time) as e_time from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where action in ('tunnel-up','tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by hodex, devid, t_type, vd, remip, tunnelid) tt group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Authenticated-Logins |
VPN authenticated logins |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as f_user, t_type as tunneltype, from_dtime( min(s_time) ) as start_time, count(distinct tunnelid) as total_num, sum(duration) as duration from ( select string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, devid, vd, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then NULL else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, count(distinct tunnelid) as total_num from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Failed-Login-Attempt-by-User |
VPN failed logins |
event |
select f_user, tunneltype, sum(total_num) as total_num from ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Failed-Login-Timeline |
VPN Failed Login Timeline |
event |
select $flex_timescale(timestamp) as hodex, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where action in ('ssl-login-fail', 'ipsec-login-fail') and f_user is not null group by hodex order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Dial-Up-VPN-Users-By-Duration |
Top dial up VPN users by duration |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, t_type as tunneltype, from_dtime( min(s_time) ) as start_time, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_duration) else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t where (t_type like 'ssl%' or (t_type like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0'))) group by devid, vd, remip, t_type, tunnelid) tt where bandwidth>0 group by user_src, tunneltype order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Tunnel-Duration-By-Users |
Top SSL VPN Tunnel Duration by Users |
event |
select user_src, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, user_src, tunnelid, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-tunnel' group by devid, vd, remip, user_src, tunnelid) tt where bandwidth>0 group by user_src order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Tunnel-Users-By-Traffic-Directions |
Top SSL VPN Tunnel Users by Traffic Directions |
event |
select user_src, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select user_src, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, remip, user_src, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-tunnel' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Web-Mode-Users-By-Duration |
Top SSL VPN web mode users by duration |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(duration) as duration from ( select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Web-Mode-Users-By-Traffic-Directions |
Top SSL VPN Web Mode Users by Traffic Directions |
event |
select user_src, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select user_src, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-IPsec-Vpn-Dial-Up-User-By-Bandwidth |
Default top IPsec VPN dial up user by bandwidth usage |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Static-IPsec-Tunnels-By-Traffic-Directions |
Top Static IPsec Tunnels by Traffic Directions |
event |
select vpn_name, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select vpn_name, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, remip, tunnelid, vpn_name, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Dial-Up-IPsec-Users-By-Duration |
Top dial up IPsec users by duration |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_duration) else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Dial-Up-IPsec-Tunnels-By-Traffic-Directions |
Top Dial Up IPsec Tunnels by Traffic Directions |
event |
select vpn_name, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select vpn_name, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, tunnelid, remip, vpn_name, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where not (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_out+traffic_in)>0) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Web-Activity-Summary-By-Requests |
Webfilter web activity summary by requests |
webfilter |
select $flex_timescale(timestamp) as hodex, sum(allowed_request) as allowed_request, sum(blocked_request) as blocked_request from ###(select $flex_timestamp as timestamp, sum(case when action!='blocked' then 1 else 0 end) as allowed_request, sum(case when action='blocked' then 1 else 0 end) as blocked_request from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Browsing-Time-Summary |
Traffic browsing time summary |
traffic |
select $flex_timescale(timestamp) as hodex, cast( ebtr_value( ebtr_agg_flat(browsetime), null, $timespan )/ 60.0 as decimal(18, 2) ) as browsetime from ###(select $flex_timestamp as timestamp, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Web-Users-By-Blocked-Requests |
Webfilter top web users by blocked requests |
webfilter |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, sum(requests) as requests from ( select dvid, f_user, srcip, ep_id, eu_id, sum(requests) as requests from ###(select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, action, count(*) as requests from $log where $filter and coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) is not null group by dvid, f_user, srcip, ep_id, eu_id, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action='blocked' group by dvid, f_user, srcip, ep_id, eu_id order by requests desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Web-Users-By-Allowed-Requests |
Webfilter top web users by allowed requests |
webfilter |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, sum(requests) as requests from ( select dvid, f_user, srcip, ep_id, eu_id, sum(requests) as requests from ###(select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, action, count(*) as requests from $log where $filter and coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) is not null group by dvid, f_user, srcip, ep_id, eu_id, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action!='blocked' group by dvid, f_user, srcip, ep_id, eu_id order by requests desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-Web-Users-By-Browsing-Time |
Traffic top web users by browsing time |
traffic |
select user_src, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select user_src, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and $browse_time is not null group by user_src) t group by user_src /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by user_src order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Blocked-Web-Sites-By-Requests |
Webfilter top blocked web sites by requests |
webfilter |
select domain, catdesc, sum(requests) as requests from ###(select hostname as domain, catdesc, action, count(*) as requests from $log where $filter and hostname is not null and catdesc is not null group by domain, catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action='blocked' group by domain, catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Allowed-Web-Sites-By-Requests |
Webfilter top allowed web sites by requests |
webfilter |
select domain, string_agg( distinct catdesc, & #039;, ') as agg_catdesc, sum(requests) as requests from ###(select hostname as domain, catdesc, action, count(*) as requests from $log where $filter and hostname is not null and catdesc is not null group by domain, catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action!='blocked' group by domain order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Video-Streaming-Websites-By-Bandwidth |
Webfilter top video streaming websites by bandwidth usage |
webfilter |
select domain, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select coalesce(nullifna(root_domain(hostname)), 'other') as domain, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc in ('Streaming Media and Download') group by domain having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Blocked-Web-Categories |
Webfilter top blocked web categories |
webfilter |
select catdesc, sum(requests) as requests from ###(select catdesc, action, count(*) as requests from $log-webfilter where $filter and catdesc is not null group by catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action='blocked' group by catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Allowed-Web-Categories |
Webfilter top allowed web categories |
webfilter |
select catdesc, sum(requests) as requests from ###(select catdesc, action, count(*) as requests from $log-webfilter where $filter and catdesc is not null group by catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action!='blocked' group by catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-50-Sites-By-Browsing-Time |
Traffic top sites by browsing time |
traffic |
select hostname, string_agg( distinct catdesc, & #039;, ') as agg_catdesc, ebtr_value(ebtr_agg_flat(browsetime), null, $timespan) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-10-Categories-By-Browsing-Time |
Traffic top category by browsing time |
traffic |
select catdesc, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth from ###(select catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and catdesc is not null and $browse_time is not null group by catdesc) t group by catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by catdesc order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-Destination-Countries-By-Browsing-Time |
Traffic top destination countries by browsing time |
traffic |
select dstcountry, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Search-Phrases |
Webfilter top search phrases |
webfilter |
select keyword, count(*) as requests from $log where $filter and keyword is not null group by keyword order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-10-Users-Browsing-Time |
Estimated browsing time |
traffic |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ( select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from ###(select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from (select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by dvid, f_user, srcip, ep_id, eu_id) t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
Estimated-Browsing-Time |
Estimated browsing time |
traffic |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ( select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from ###(select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from (select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by dvid, f_user, srcip, ep_id, eu_id) t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-AP-By-Bandwidth |
Top access point by bandwidth usage |
traffic |
select ap_srcintf, sum(bandwidth) as bandwidth from ( select coalesce(ap, srcintf) as ap_srcintf, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by ap_srcintf having sum(bandwidth)>0 union all select ap as ap_srcintf, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by ap having sum(bandwidth)>0) t group by ap_srcintf order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-AP-By-Client |
Top access point by client |
traffic |
select ap_srcintf as srcintf, count(distinct srcmac) as totalnum from ( select coalesce(ap, srcintf) as ap_srcintf, srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by ap_srcintf, srcmac union all (select ap as ap_srcintf, stamac as srcmac from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where stamac is not null group by ap, stamac)) t group by srcintf order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-SSID-By-Bandwidth |
Top SSIDs by bandwidth usage |
traffic |
select srcssid, sum(bandwidth) as bandwidth from ( select srcssid, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcssid is not null group by srcssid having sum(bandwidth)>0 union all select ssid as srcssid, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by ssid having sum(bandwidth)>0) t group by srcssid order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-SSID-By-Client |
Top SSIDs by client |
traffic |
select srcssid, count(distinct srcmac) as totalnum from ( select srcssid, srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by srcssid, srcmac union all select ssid as srcssid, stamac as srcmac from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where stamac is not null group by ssid, stamac) t where srcssid is not null group by srcssid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-App-By-Bandwidth |
Top WiFi applications by bandwidth usage |
traffic |
select appid, app, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and ( srcssid is not null or dstssid is not null ) and nullifna(app) is not null group by appid, app having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-Client-By-Bandwidth |
Top WiFi client by bandwidth usage |
traffic |
select client, sum(bandwidth) as bandwidth from ( select ( coalesce( hostname_mac, & #039;unknown') || ' (' || get_devtype(srcswversion, osname, devtype) || ', ' || coalesce(osname, '') || (case when srcswversion is null then '' else ' ' || srcswversion end) || ')') as client, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by client having sum(bandwidth)>0 union all select (coalesce(stamac, 'unknown')) as client, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by client having sum(bandwidth) > 0) t where client is not null group by client order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-OS-By-Bandwidth |
Top WiFi os by bandwidth usage |
traffic |
select ( coalesce( osname, & #039;unknown') || ' ' || coalesce(srcswversion, '')) as os, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by os having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-OS-By-WiFi-Client |
Top WiFi os by WiFi client |
traffic |
select ( coalesce( osname, & #039;unknown') || ' ' || coalesce(osversion, '')) as os, count(distinct srcmac) as totalnum from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-Device-By-Bandwidth |
Top WiFi device by bandwidth usage |
traffic |
select get_devtype(srcswversion, osname, devtype) as devtype_new, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where devtype is not null group by devtype_new having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-Device-By-Client |
Top WiFi device by client |
traffic |
select devtype_new, count(distinct srcmac) as totalnum from ( select get_devtype(srcswversion, osname, devtype) as devtype_new, srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null) t where devtype_new is not null group by devtype_new order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Overall-Traffic |
WiFi overall traffic |
traffic |
select sum(bandwidth) as bandwidth from ( select sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by srcssid union all select sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t) t
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Num-Distinct-Client |
WiFi num distinct client |
traffic |
select count(distinct srcmac) as totalnum from ( select srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by srcmac union all select stamac as srcmac from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where stamac is not null group by stamac) t
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Bandwidth-and-Sessions |
Top subnets by application bandwidth |
traffic |
select ip_subnet(`srcip`) as subnet, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by subnet having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Application-Bandwidth |
Top applications by bandwidth |
traffic |
select ip_subnet(`srcip`) as subnet, app_group_name(app) as app_group, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and nullifna(app) is not null group by subnet, app_group having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Application-Sessions |
Top applications by sessions |
traffic |
select ip_subnet(`srcip`) as subnet, app_group_name(app) as app_group, count(*) as sessions from $log where $filter and ( logflag&1>0 ) and nullifna(app) is not null group by subnet, app_group order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Website-Bandwidth |
Top websites and web category by bandwidth |
traffic |
select subnet, website, sum(bandwidth) as bandwidth from ###(select ip_subnet(`srcip`) as subnet, hostname as website, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by subnet, website order by bandwidth desc)### t group by subnet, website order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Website-Hits |
Top websites and web category by sessions |
webfilter |
select subnet, website, sum(hits) as hits from ###(select ip_subnet(`srcip`) as subnet, hostname as website, count(*) as hits from $log where $filter and hostname is not null group by subnet, website order by hits desc)### t group by subnet, website order by hits desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-with-Top10-User-by-Bandwidth |
Top users by bandwidth |
traffic |
select ip_subnet(`srcip`) as subnet, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and srcip is not null group by subnet, user_src having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-with-Top10-User-by-Sessions |
Top users by sessions |
traffic |
select ip_subnet(`srcip`) as subnet, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by subnet, user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-20-Category-and-Applications-by-Bandwidth |
Top category and applications by bandwidth usage |
traffic |
select appcat, app, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) group by appcat, app having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-20-Category-and-Applications-by-Session |
Top category and applications by session |
traffic |
select appcat, app, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by appcat, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-500-Allowed-Applications-by-Bandwidth |
Top allowed applications by bandwidth usage |
traffic |
select from_itime(itime) as timestamp, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, appcat, app, coalesce( root_domain(hostname), ipstr(dstip) ) as destination, sum( coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and action in ( & #039;accept', 'close', 'timeout') group by timestamp, user_src, appcat, app, destination order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-500-Blocked-Applications-by-Session |
Top blocked applications by session |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, appcat, app, count(*) as sessions from $log where $filter and ( logflag&1>0 ) and action in ( & #039;deny', 'blocked', 'reset', 'dropped') group by user_src, appcat, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Detailed-Website-Browsing-Log |
Web detailed website browsing log |
traffic |
select from_dtime(dtime) as timestamp, catdesc, hostname as website, status, sum(bandwidth) as bandwidth from ###(select dtime, catdesc, hostname, cast(utmaction as text) as status, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by dtime, catdesc, hostname, utmaction order by dtime desc)### t group by dtime, catdesc, website, status order by dtime desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Hourly-Category-and-Website-Hits-Action |
Web hourly category and website hits action |
webfilter |
select hod, website, sum(hits) as hits from ###(select $hour_of_day as hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') as website , count(*) as hits from $log where $filter and hostname is not null group by hod, website order by hod, hits desc)### t group by hod, website order by hod, hits desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-20-Category-and-Websites-by-Bandwidth |
Web top category and websites by bandwidth usage |
traffic |
select website, catdesc, sum(bandwidth) as bandwidth from ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by website, catdesc order by bandwidth desc)### t group by website, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-20-Category-and-Websites-by-Session |
Web top category and websites by session |
webfilter |
select website, catdesc, sum(sessions) as hits from ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null group by hostname, catdesc order by sessions desc)### t group by website, catdesc order by hits desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-500-Website-Sessions-by-Bandwidth |
Web top website sessions by bandwidth usage |
traffic |
select from_dtime(dtime) as timestamp, user_src, website, catdesc, cast( sum(dura)/ 60 as decimal(18, 2) ) as dura, sum(bandwidth) as bandwidth from ###(select dtime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname as website, catdesc, sum(coalesce(duration, 0)) as dura, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and hostname is not null and (logflag&1>0) and action in ('accept','close','timeout') group by dtime, user_src, website, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by dtime, user_src, website, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-500-User-Visted-Websites-by-Bandwidth |
Web top user visted websites by bandwidth usage |
traffic |
select website, catdesc, sum(bandwidth) as bandwidth from ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by hostname, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by website, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-500-User-Visted-Websites-by-Session |
Web top user visted websites by session |
webfilter |
select website, catdesc, sum(sessions) as sessions from ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null group by hostname, catdesc order by sessions desc)### t where catdesc is not null group by website, catdesc order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Installed-Feature-Summary |
Installed Feature Summary |
fct-event |
select subtype, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where subtype is not null group by subtype order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Device-by-Operating-System |
Device by OS |
fct-event |
select os_short as os, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where os_short is not null group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Installed-FortiClient-Version |
FortiClient Version |
fct-event |
select fctver as fctver_short, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where fctver is not null group by fctver order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Endpoint-Profile-Deployment |
Endpoint Profile Deployment |
fct-event |
select profile, count(distinct fctuid) as totalnum from ###(select uid as fctuid, coalesce(nullifna(usingpolicy), 'No Profile') as profile from $log where $filter group by uid, profile)### t group by profile order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Client-Summary |
Client Summary |
fct-event |
select hostname, deviceip, os_short as os, profile, fctver, from_itime( max(itime) ) as last_seen from ###(select hostname, deviceip, regexp_replace(os, '\\(build.*', '') as os_short, nullifna(usingpolicy) as profile, fctver, max(itime) as itime from $log where $filter and os is not null group by hostname, deviceip, os_short, profile, fctver order by itime desc)### t group by hostname, deviceip, os, profile, fctver order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Total-Threats-Found |
Total Threats Found |
fct-traffic |
select utmevent_s as utmevent, count(distinct threat) as totalnum from ###(select coalesce(nullifna(lower(utmevent)), 'unknown') as utmevent_s, threat from $log where $filter and threat is not null and utmaction='blocked' group by utmevent_s, threat)### t group by utmevent order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-AV-Threats-Detected |
Top AV Threats Detected |
fct-traffic |
select threat, sum(totalnum) as totalnum from ( ( select threat, sum(totalnum) as totalnum from ###(select threat, count(*) as totalnum from $log-fct-traffic where $filter and threat is not null and lower(utmevent)='antivirus' group by threat order by totalnum desc)### t group by threat) union all (select threat, sum(totalnum) as totalnum from ###(select virus as threat, count(*) as totalnum from $log-fct-event where $filter and virus is not null group by threat order by totalnum desc)### t group by threat)) t group by threat order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-Infected-Devices-with-Botnet |
Top Infected Devices with Botnet |
fct-traffic |
select hostname, count(*) as totalnum from $log where $filter and hostname is not null and lower(utmevent) in ( & #039;webfilter', 'appfirewall') and lower(threat) like '%botnet%' group by hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-Infected-Devices-with-Virus-Malware |
Top Infected Devices with Virus Malware |
fct-traffic |
select hostname, sum(totalnum) as totalnum from ( ( select hostname, sum(totalnum) as totalnum from ###(select hostname, count(*) as totalnum from $log-fct-traffic where $filter and hostname is not null and lower(utmevent) in ('antivirus', 'antimalware') group by hostname order by totalnum desc)### t group by hostname) union all (select hostname, sum(totalnum) as totalnum from ###(select hostname, count(*) as totalnum from $log-fct-event where $filter and hostname is not null and virus is not null group by hostname order by totalnum desc)### t group by hostname)) t group by hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-All-Antivirus-Antimalware-Detections |
All Antivirus and Antimalware Detections |
fct-traffic |
select threat, hostname, hostuser, utmaction, from_dtime( max(dtime) ) as last_seen from ( ( select threat, hostname, hostuser, utmaction, max(dtime) as dtime from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction order by threat)### t group by threat, hostname, hostuser, utmaction) union all (select threat, hostname, hostuser, utmaction, max(dtime) as dtime from ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction order by threat)### t group by threat, hostname, hostuser, utmaction)) t group by threat, hostname, hostuser, utmaction order by threat
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Web-Filter-Violations |
Web Filter Violations |
fct-traffic |
select hostuser, hostname, string_agg( distinct remotename, & #039;,') as remotename, utmaction, sum(total) as totalnum, from_dtime(max(dtime)) as last_seen from ###(select remotename, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, count(*) as total, max(dtime) as dtime from $log where $filter and lower(utmevent)='webfilter' and utmaction='blocked' group by remotename, hostname, hostuser, utmaction order by total desc)### t group by hostuser, hostname, utmaction order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Application-Firewall |
Application Firewall |
fct-traffic |
select threat, hostname, hostuser, utmaction, from_dtime( max(dtime) ) as last_seen from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log where $filter and lower(utmevent)='appfirewall' and utmaction='blocked' group by threat, hostname, hostuser, utmaction order by dtime desc)### t1 left join app_mdata t2 on t1.threat=t2.name group by threat, risk, hostname, hostuser, utmaction order by risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Errors-and-Alerts |
Errors and Alerts |
fct-event |
select msg, hostname, hostuser, from_dtime( max(dtime) ) as last_seen from ###(select msg, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, max(dtime) as dtime from $log where $filter and level in ('error', 'alert') group by msg, hostname, hostuser order by dtime desc)### t group by msg, hostname, hostuser order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Threats-by-Top-Devices |
Threats by Top Devices |
fct-traffic |
select hostname, count(*) as totalnum from $log where $filter and hostname is not null and utmevent is not null and utmaction =& #039;blocked' group by hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Device-Vulnerabilities |
Vulnerabilities Detected by User/Device |
fct-netscan |
select vulnseverity, ( CASE vulnseverity WHEN & #039;Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END) as severity_number, count(distinct vulnname) as vuln_num from ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname, devid)### t group by vulnseverity order by severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Category-Type-Vulnerabilities |
Vulnerabilities Detected by Category Type |
fct-netscan |
select vulncat, count(distinct vulnname) as totalnum from ###(select vulncat, vulnname from $log where $filter and nullifna(vulncat) is not null and nullifna(vulnname) is not null group by vulncat, vulnname)### t group by vulncat order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerabilities-by-OS |
Forticlient Vulnerabilities by OS |
fct-netscan |
select os, count(distinct vulnname) as totalnum from ###(select os, vulnname from $log where $filter and nullifna(os) is not null and nullifna(vulnname) is not null group by os, vulnname)### t group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerabilities-by-Risk-Level |
Number Vulnerability by Device and Risk Level |
fct-netscan |
select vulnseverity, ( case when vulnseverity =& #039;Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as severity_number, count(distinct vulnname) as vuln_num, count(distinct devid) as dev_num from ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname, devid)### t where nullifna(devid) is not null group by vulnseverity order by dev_num desc, severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Device-by-Risk-Level |
Number Vulnerability by Device and Risk Level |
fct-netscan |
select vulnseverity, ( case when vulnseverity =& #039;Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as severity_number, count(distinct vulnname) as vuln_num, count(distinct devid) as dev_num from ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname, devid)### t where nullifna(devid) is not null group by vulnseverity order by dev_num desc, severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerability-Trend |
Vulnerability Trend |
fct-netscan |
select $flex_timescale(timestamp) as hodex, count(distinct vulnname) as total_num from ###(select $flex_timestamp as timestamp, vulnname from $log where $filter and nullifna(vulnname) is not null group by timestamp, vulnname order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Details-by-Risk-Level-Device |
Vulnerability Details for Each Risk Level by Device |
fct-netscan |
select hostname, os, vulnseverity, count(distinct vulnname) as vuln_num, count(distinct products) as products, count(distinct cve_id) as cve_count from ###(select hostname, os, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and vulnseverity is not null and hostname is not null group by hostname, os, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, os, vulnseverity order by vuln_num desc, hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Details-by-Device-User |
Vulnerability Details by Device User |
fct-netscan |
select hostname, ( & #039;<div>' || vulnname || '</div>') as vulnname, vulnseverity, vulncat, string_agg(distinct products, ',') as products, string_agg(distinct cve_id, ',') as cve_list, ('<a href=' || String_agg(DISTINCT vendor_link, ',') || '>Remediation Info</a>') as vendor_link from ###(select hostname, vulnname, vulnseverity, vulncat, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulncat, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity, vulncat order by hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Remediation-by-Device |
Remediate The Vulnerability Found on Device |
fct-netscan |
select hostname, ( & #039;<div>' || vulnname || '</div>') as vulnname, vulnseverity, string_agg(distinct vendor_link, ',') as vendor_link from ###(select hostname, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity order by vulnseverity, hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Remediation-by-Vulnerability |
Remediation by Vulnerability |
fct-netscan |
select ( & #039;<b>' || vulnname || '</b><br/><br/>' || 'Description<br/><div style=word-break:normal>' || description || '</div><br/><br/>' || 'Affected Products<br/>' || products || '<br/><br/>' || 'Impact<br/>' || impact || '<br/><br/>' || 'Recommended Actions<br/>' || vendor_link || '<br/><br/><br/>') as remediation from ###(select devid, vulnname, vulnseverity, (case vulnseverity when 'low' then 1 when 'info' then 2 when 'medium' then 3 when 'high' then 4 when 'critical' then 5 else 0 end) as severity_level, vulnid from $log where $filter and vulnname is not null group by devid, vulnname, vulnseverity, severity_level, vulnid order by severity_level)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by remediation order by remediation
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Top-30-Targeted-High-Risk-Vulnerabilities |
Top 30 Targeted High Risk Vulnerabilities |
fct-netscan |
select t3.cve_id, score, string_agg( distinct products, & #039;,') as products, ('<a href=' || String_agg(vendor_link, ',') || '>Mitigation Infomation</a>') as vendor_link from ###(select vulnid from $log where $filter group by vulnid)### t1 inner join fct_mdata t2 on t2.vid=t1.vulnid::text inner join fct_cve_score t3 on strpos(t2.cve_id, t3.cve_id) > 0 group by t3.cve_id, score order by score desc, t3.cve_id
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Endpoints-by-FortiGate |
Endpoints by FortiGate |
fct-event |
select fgtserial, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where fgtserial is not null group by fgtserial order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top-Malware-Detections |
Top Infected Devices with Malware |
fct-traffic |
select hostname, fctuid, sum(totalnum) as totalnum from ( ( select hostname, fctuid, sum(totalnum) as totalnum from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by hostname, fctuid) union all (select hostname, fctuid, sum(totalnum) as totalnum from ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by hostname, fctuid)) t group by hostname, fctuid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-Malware-Detections |
Top 10 Infected Devices with Malware |
fct-traffic |
select threat, hostname, hostuser, utmaction, fctuid, sum(totalnum) as totalnum from ( ( select threat, hostname, hostuser, utmaction, fctuid, sum(totalnum) as totalnum from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by threat, hostname, hostuser, utmaction, fctuid) union all (select threat, hostname, hostuser, utmaction, fctuid, sum(totalnum) as totalnum from ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by threat, hostname, hostuser, utmaction, fctuid)) t where utmaction != 'pass' group by threat, hostname, hostuser, utmaction, fctuid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Devices-with-Botnet |
Infected Devices with Botnet |
fct-traffic |
select threat, hostname, coalesce( nullifna(`user`), & #039;Unknown') as hostuser, utmaction, uid as fctuid, count(*) as totalnum from $log where $filter and hostname is not null and lower(utmevent) in ('webfilter', 'appfirewall') and lower(threat) like '%botnet%' group by threat, hostname, hostuser, utmaction, fctuid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerability-by-Hostname |
Vulnerability Details for Each Risk Level by Device |
fct-netscan |
select hostname, os, vulnseverity, count(distinct vulnname) as vuln_num, count(distinct products) as products, count(distinct cve_id) as cve_count from ###(select hostname, os, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and vulnseverity is not null and hostname is not null group by hostname, os, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, os, vulnseverity order by vuln_num desc, hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Users-With-Web-Violations |
Web Filter Violations |
fct-traffic |
select hostuser, hostname, string_agg( distinct remotename, & #039;,') as remotename, utmaction, sum(total) as totalnum, from_dtime(max(dtime)) as last_seen from ###(select remotename, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, count(*) as total, max(dtime) as dtime from $log where $filter and lower(utmevent)='webfilter' and utmaction='blocked' group by remotename, hostname, hostuser, utmaction order by total desc)### t group by hostuser, hostname, utmaction order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Compliance-by-FortiGate |
FortiClinet Compliance by FortiGate Enforcing |
fct-event |
select fgtserial, count(distinct fctuid) as totalnum from ( select fgtserial, fctuid, max(compliance_flag) as compliance_flag from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### tt group by fgtserial, fctuid) t where compliance_flag = 1 group by fgtserial order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Compliance-Status |
Number of FortiClinets by Compliance Status |
fct-event |
select ( case compliance_flag when 1 then & #039;Compliant' else 'Non-Compliant' end) as compliance, count(distinct fctuid) as totalnum from (select fctuid, max(compliance_flag) as compliance_flag from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### tt group by fctuid) t group by compliance order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Non-Compliant-Endpoints |
Non-compliant Endpoints |
fct-event |
select t1.fgtserial, t3.srcintf, t2.epname as hostname, t2.mac, & #039;Non-Compliant' as status from (select fgtserial, fctuid, max(compliance_flag) as compliance_flag from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### tt group by fgtserial, fctuid) t1 left join $ADOM_ENDPOINT t2 on t1.fctuid = t2.fctuid left join $ADOM_EPEU_DEVMAP t3 on t2.epid = t3.epid where compliance_flag = 0 group by t1.fctuid, t1.fgtserial, t3.srcintf, t2.epname, t2.mac
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Web-Hits |
Web Traffic Trend |
fct-traffic |
select $flex_timescale(timestamp) as hodex, sum(requests) as requests from ###(select $flex_timestamp as timestamp, count(*) as requests from $log where $filter and lower(utmevent)='webfilter' group by timestamp order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Allowed-Web-Cat |
Top Visited Web Categories |
fct-traffic |
select category, sum(requests) as requests from ###(select fct_webcat(threat) as category, remotename as website, direction, utmaction, count(*) as requests from $log where $filter and threat is not null and lower(utmevent)='webfilter' group by category, website, direction, utmaction order by requests desc)### t where direction='outbound' and utmaction='passthrough' group by category order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Allowed-Website |
Top Visited Websites |
fct-traffic |
select website, string_agg( distinct category, & #039;, ') as agg_category, sum(requests) as requests from ###(select fct_webcat(threat) as category, remotename as website, direction, utmaction, count(*) as requests from $log where $filter and threat is not null and lower(utmevent)='webfilter' group by category, website, direction, utmaction order by requests desc)### t where direction='outbound' and utmaction='passthrough' and website is not null group by website order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Category-By-Website-Session |
Top Web Categories by Website Session |
fct-traffic |
select category, website, sum(requests) as requests from ###(select fct_webcat(threat) as category, remotename as website, direction, utmaction, count(*) as requests from $log where $filter and threat is not null and lower(utmevent)='webfilter' group by category, website, direction, utmaction order by requests desc)### t where nullifna(category) is not null group by category, website order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Web-Users-By-Website |
Top Web Users by Website |
fct-traffic |
select coalesce( nullifna(`user`), ipstr(`srcip`) ) as user_src, remotename as website, count(*) as requests from $log where $filter and direction =& #039;outbound' and remotename is not null and utmaction='passthrough' and lower(utmevent)='webfilter' group by user_src, website order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
os-Detect-OS-Count |
Detected operation system count |
traffic |
select ( coalesce( osname, & #039;Unknown')) as os, count(*) as totalnum from $log where $filter and (logflag&1>0) group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Sessions-Table |
Drilldown top applications by session count |
traffic |
select appid, app, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Sessions-Bar |
Drilldown top applications by session count |
traffic |
select appid, app, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Bandwidth-Table |
Drilldown top applications by bandwidth usage |
traffic |
select appid, app, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Bandwidth-Bar |
Drilldown top applications by bandwidth usage |
traffic |
select appid, app, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Destination-By-Sessions-Table |
Drilldown top destination by session count |
traffic |
select dstip, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Destination-By-Bandwidth-Table |
Drilldown top destination by bandwidth usage |
traffic |
select dstip, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-User-By-Sessions-Table |
Drilldown top user by session count |
traffic |
select user_src, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)