Dataset Reference List
The following tables list the datasets included with FortiAnalyzer. The tables contain the name, SQL query syntax, and log category for each dataset.
Dataset Name |
Description |
Log Category |
---|---|---|
Traffic-Bandwidth-Summary-Day-Of-Month |
Traffic bandwidth timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in from ###(select timestamp, sum(bandwidth) as bandwidth, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### base_query group by timestamp order by bandwidth desc)### t where $filter-drilldown group by hodex having sum(traffic_out+traffic_in)>0 order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Session-Summary-Day-Of-Month |
Number of session timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(sessions) as sessions from ###(select timestamp, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### base_query group by timestamp order by sessions desc)### t where $filter-drilldown group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Users-By-Bandwidth |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by user_src order by sessions desc, bandwidth desc)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-App-By-Bandwidth |
Top applications by bandwidth usage |
traffic |
select app_group_name(app) as app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t group by app_group having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-User-Source-By-Sessions |
Top user source by session count |
traffic |
select user_src, sum(sessions) as sessions from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as sessions from $log where $filter and (logflag&1>0) group by user_src order by sessions desc)### t group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-App-By-Sessions |
Top applications by session count |
traffic |
select app_group, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, appcat, service, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by app_group, appcat, service order by bandwidth desc)### t group by app_group order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Destination-Addresses-By-Sessions |
Top destinations by session count |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(dstip) ) as domain, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by domain order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Destination-Addresses-By-Bandwidth |
Top destinations by bandwidth usage |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(dstip) ) as domain, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out from $log where $filter and ( logflag&1>0 ) and coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) is not null group by domain having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
DHCP-Summary-By-Port |
Event top dhcp summary |
event |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; drop table if exists rpt_tmptbl_3; create temporary table rpt_tmptbl_1 as select devintf, mac from ###(select concat(interface, '.', devid) as devintf, mac from $log where $last3day_period $filter and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by devintf, mac)### t group by devintf, mac; create temporary table rpt_tmptbl_2 as select devintf, mac from ###(select concat(interface, '.', devid) as devintf, mac from $log where $filter and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by devintf, mac)### t group by devintf, mac; create temporary table rpt_tmptbl_3 as select distinct on (1) devintf, cast(used*100.0/total as decimal(18,2)) as percent_of_allocated_ip from ###(select distinct on (devintf) concat(interface, '.', devid) as devintf, used, total, itime from $log where $filter and logid_to_int(logid)=26003 and total>0 /*SkipSTART*/order by devintf, itime desc/*SkipEND*/)### t order by devintf, itime desc; select t1.devintf as interface, percent_of_allocated_ip, new_cli_count from rpt_tmptbl_3 t1 inner join (select devintf, count(mac) as new_cli_count from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.mac=rpt_tmptbl_1.mac) group by devintf) t2 on t1.devintf=t2.devintf order by interface, percent_of_allocated_ip desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Wifi-Client-By-Bandwidth |
Traffic top WiFi client by bandwidth usage |
traffic |
select user_src, srcssid, devtype_new, hostname_mac, sum(bandwidth) as bandwidth from ( select user_src, srcssid, get_devtype(srcswversion, osname, devtype) as devtype_new, hostname_mac, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by user_src, srcssid, devtype_new, hostname_mac having sum(bandwidth)>0 union all select user_src, ssid as srcssid, null as devtype_new, stamac as hostname_mac, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where user_src is not null group by user_src, ssid, devtype_new, stamac having sum(bandwidth)>0) t group by user_src, srcssid, devtype_new, hostname_mac order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Traffic-History-By-Active-User |
Traffic history by active user |
traffic |
select $flex_timescale(timestamp) as hodex, count( distinct(user_src) ) as total_user from ###(select timestamp, user_src, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### base_query group by timestamp, user_src order by sessions desc)### t where $filter-drilldown group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Allowed-Websites-By-Requests |
UTM top allowed web sites by request |
traffic |
select hostname, catdesc, count(*) as requests from $log where $filter and ( logflag&1>0 ) and utmevent in ( & #039;webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null and (utmaction not in ('block', 'blocked') or action!='deny') group by hostname, catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-50-Websites-By-Bandwidth |
Webfilter top allowed web sites by bandwidth usage |
webfilter |
select domain, string_agg( distinct catdesc, & #039;, ') as agg_catdesc, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and utmaction!='blocked' and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by domain, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Blocked-Websites |
UTM top blocked web sites by request |
traffic |
select hostname, count(*) as requests from $log where $filter and ( logflag&1>0 ) and utmevent in ( & #039;webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null and (utmaction in ('block', 'blocked') or action='deny') group by hostname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Web-Users-By-Request |
UTM top web users by request |
traffic |
select user_src, devtype_new, srcname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, get_devtype(srcswversion, osname, devtype) as devtype_new, srcname, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log where $filter and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') group by user_src, devtype_new, srcname, action, utmaction order by requests desc)### t group by user_src, devtype_new, srcname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Allowed-WebSites-By-Bandwidth |
UTM top allowed websites by bandwidth usage |
traffic |
select appid, hostname, catdesc, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out from $log where $filter and ( logflag&1>0 ) and utmevent in ( & #039;webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by appid, hostname, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Blocked-Web-Users |
UTM top blocked web users |
traffic |
select user_src, devtype_new, srcname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, get_devtype(srcswversion, osname, devtype) as devtype_new, srcname, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log where $filter and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') group by user_src, devtype_new, srcname, action, utmaction order by requests desc)### t where (utmaction in ('block', 'blocked') or action='deny') group by user_src, devtype_new, srcname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-20-Web-Users-By-Bandwidth |
Webfilter top web users by bandwidth usage |
webfilter |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select dvid, f_user, srcip, ep_id, eu_id, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by dvid, f_user, srcip, ep_id, eu_id having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by dvid, f_user, srcip, ep_id, eu_id order by bandwidth desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Web-Users-By-Bandwidth |
UTM top web users by bandwidth usage |
traffic |
select user_src, devtype_new, srcname, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, get_devtype(srcswversion, osname, devtype) as devtype_new, srcname, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log where $filter and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') group by user_src, devtype_new, srcname, action, utmaction order by requests desc)### t group by user_src, devtype_new, srcname having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Video-Streaming-Websites-By-Bandwidth |
UTM top video streaming websites by bandwidth usage |
traffic |
select appid, hostname, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out from $log where $filter and ( logflag&1>0 ) and catdesc in ( & #039;Streaming Media and Download') group by appid, hostname having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Senders-By-Count |
Default top email senders by count |
traffic |
select user_src, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as requests from $log where $filter and (logflag&1>0) group by user_src, service order by requests desc)### t where service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Receivers-By-Count |
Default email top receivers by count |
traffic |
select user_src, sum(requests) as requests from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as requests from $log where $filter and (logflag&1>0) group by user_src, service order by requests desc)### t where service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Senders-By-Bandwidth |
Default email top senders by bandwidth usage |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and service in ( & #039;smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Email-Receivers-By-Bandwidth |
Default email top receivers by bandwidth usage |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and service in ( & #039;pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Malware-By-Name |
UTM top virus |
virus |
select virus, max(virusid_s) as virusid, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(totalnum) as totalnum from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Virus-By-Name |
UTM top virus |
virus |
select virus, max(virusid_s) as virusid, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(totalnum) as totalnum from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Virus-Victim |
UTM top virus user |
virus |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, eventtype, logver, virus, count(*) as totalnum from $log where $filter group by user_src, eventtype, logver, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where nullifna(virus) is not null group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attack-Source |
UTM top attack source |
attack |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, eventtype, logver, count(*) as totalnum from $log where $filter group by user_src, eventtype, logver /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attack-Victim |
UTM top attack dest |
attack |
select victim, count(*) as totalnum from ( select ( CASE WHEN direction =& #039;incoming' THEN srcip ELSE dstip END) as victim from $log where $filter) t where victim is not null group by victim order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Static-IPSEC-Tunnels-By-Bandwidth |
Top static IPsec tunnels by bandwidth usage |
event |
select vpn_name, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, tunnelid, vpn_name, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Tunnel-Users-By-Bandwidth |
Top SSL VPN tunnel users by bandwidth usage |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, user_src, tunnelid, min(s_time) as s_time, max(e_time) as e_time, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-tunnel' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dial-Up-IPSEC-Tunnels-By-Bandwidth |
Top dial up IPsec tunnels by bandwidth usage |
event |
select vpn_name, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, tunnelid, remip, vpn_name, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where not (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_out+traffic_in)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dial-Up-IPSEC-Users-By-Bandwidth |
Top dial up IPsec users by bandwidth usage |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, remip, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src, remip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dial-Up-IPSEC-Users-By-Duration |
Top dial up IPsec users by duration |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_duration) else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Web-Mode-Users-By-Bandwidth |
Top SSL VPN web mode users by bandwidth usage |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Web-Mode-Users-By-Duration |
Top SSL VPN web mode users by duration |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(duration) as duration from ( select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-VPN-Users-By-Duration |
Top SSL VPN users by duration |
event |
select user_src, tunneltype, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, user_src, tunneltype, tunnelid, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t group by devid, vd, remip, user_src, tunnelid, tunneltype) tt where bandwidth>0 group by user_src, tunneltype order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-User-Login-history |
VPN user login history |
event |
select $flex_timescale(timestamp) as hodex, sum(tunnelup) as total_num from ( select timestamp, devid, vd, remip, tunnelid, max(tunnelup) as tunnelup, max(traffic_in) as traffic_in, max(traffic_out) as traffic_out from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, max((case when action='tunnel-up' then 1 else 0 end)) as tunnelup, max(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null group by timestamp, devid, vd, remip, tunnelid /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, vd, remip, tunnelid having max(traffic_in)+max(traffic_out)>0) t group by hodex order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Failed-Login-Atempts |
VPN failed logins |
event |
select f_user, tunneltype, sum(total_num) as total_num from ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Traffic-Usage-Trend-VPN-Summary |
VPN traffic usage trend |
event |
select hodex, sum(ssl_traffic_bandwidth) as ssl_bandwidth, sum(ipsec_traffic_bandwidth) as ipsec_bandwidth from ( select $flex_timescale(timestamp) as hodex, devid, vd, remip, tunnelid, ( case when t_type like & #039;ssl%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ssl_traffic_bandwidth, (case when t_type like 'ipsec%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ipsec_traffic_bandwidth, min(s_time) as s_time, max(e_time) as e_time from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where action in ('tunnel-up','tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by hodex, devid, t_type, vd, remip, tunnelid) tt group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-S2S-IPSEC-Tunnels-By-Bandwidth-and-Availability |
Top S2S IPsec tunnels by bandwidth usage and avail |
event |
select vpntunnel, tunneltype, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select vpntunnel, tunneltype, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, tunneltype, vpntunnel, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and (tunnelip is null or tunnelip='0.0.0.0') and nullifna(`user`) is null and tunnelid is not null and tunnelid!=0 group by tunnelid, tunneltype, vpntunnel, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by vpntunnel, tunneltype, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by vpntunnel, tunneltype order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Dialup-IPSEC-By-Bandwidth-and-Availability |
Top dialup IPsec users by bandwidth usage and avail |
event |
select user_src, remip, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select user_src, remip, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and tunnelid is not null and tunnelid!=0 group by tunnelid, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t group by user_src, remip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-Tunnel-Mode-By-Bandwidth-and-Availability |
Top SSL tunnel users by bandwidth usage and avail |
event |
select user_src, remote_ip, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select user_src, remip as remote_ip, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, tunneltype, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, tunneltype, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t where tunneltype in ('ssl-tunnel', 'ssl') group by user_src, remote_ip, tunnelid, devid, vd order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-SSL-Web-Mode-By-Bandwidth-and-Availability |
Top SSL web users by bandwidth usage and avail |
event |
select user_src, remote_ip, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in, sum(bandwidth) as bandwidth, sum(uptime) as uptime from ( select user_src, remip as remote_ip, tunnelid, devid, vd, sum(sent_end - sent_beg) as traffic_out, sum(rcvd_end - rcvd_beg) as traffic_in, sum( sent_end - sent_beg + rcvd_end - rcvd_beg ) as bandwidth, sum(duration_end - duration_beg) as uptime from ###(select tunnelid, tunneltype, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and action='tunnel-stats' and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, tunneltype, user_src, remip, devid, vd /*SkipSTART*/order by tunnelid/*SkipEND*/)### t where tunneltype='ssl-web' group by user_src, remote_ip, tunnelid, devid, vd having sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0 order by bandwidth desc) t where bandwidth>0 group by user_src, remote_ip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Admin-Login-Summary |
Event admin login summary |
event |
select f_user, ui, sum(login) as total_num, sum(login_duration) as total_duration, sum(config_change) as total_change from ( select `user` as f_user, ui, ( case when logid_to_int(logid)= 32001 then 1 else 0 end ) as login, ( case when logid_to_int(logid)= 32003 then duration else 0 end ) as login_duration, ( case when logid_to_int(logid)= 32003 and state is not null then 1 else 0 end ) as config_change from $log where $filter and nullifna(`user`) is not null and logid_to_int(logid) in (32001, 32003) ) t group by f_user, ui having sum(login)+ sum(config_change)> 0 order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Admin-Login-Summary-By-Date |
Event admin login summary by date |
event |
select $flex_timescale(timestamp) as dom, sum(total_num) as total_num, sum(total_change) as total_change from ###(select timestamp, sum(login) as total_num, sum(config_change) as total_change from (select $flex_timestamp as timestamp, (case when logid_to_int(logid)=32001 then 1 else 0 end) as login, (case when logid_to_int(logid)=32003 and state is not null then 1 else 0 end) as config_change from $log where $filter and logid_to_int(logid) in (32001, 32003)) t group by timestamp having sum(login)+sum(config_change)>0 /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
Admin-Failed-Login-Summary |
Event admin failed login summary |
event |
select `user` as f_user, ui, count(status) as total_failed from $log where $filter and nullifna(`user`) is not null and logid_to_int(logid) = 32002 group by ui, f_user order by total_failed desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-Summary-By-Severity |
Event system summary by severity |
event |
select severity_tmp as severity, sum(count) as total_num from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t group by severity order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-Summary-By-Date |
Event system summary by date |
event |
select $flex_timescale(timestamp) as dom, sum(critical) as critical, sum(high) as high, sum(medium) as medium from ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
Important-System-Summary-By-Date |
Event system summary by date |
event |
select $flex_timescale(timestamp) as dom, sum(critical) as critical, sum(high) as high, sum(medium) as medium from ###(select $flex_timestamp as timestamp, sum(case when level in ('critical', 'alert', 'emergency') then 1 else 0 end) as critical, sum(case when level = 'error' then 1 else 0 end) as high, sum(case when level = 'warning' then 1 else 0 end) as medium from $log where $filter and subtype='system' group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
System-Critical-Severity-Events |
Event system critical severity events |
event |
select msg_desc as msg, severity_tmp as severity, sum(count) as counts from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t where severity_tmp='Critical' group by msg, severity_tmp order by counts desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-High-Severity-Events |
Event system high severity events |
event |
select msg_desc as msg, severity_tmp as severity, sum(count) as counts from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t where severity_tmp='High' group by msg, severity_tmp order by counts desc
Dataset Name |
Description |
Log Category |
---|---|---|
System-Medium-Severity-Events |
Event system medium severity events |
event |
select msg_desc as msg, severity_tmp as severity, sum(count) as counts from ###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in ('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High' when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end) as severity_tmp, count(*) as count from $log where $filter and subtype='system' group by msg_desc, severity_tmp /*SkipSTART*/order by count desc/*SkipEND*/)### t where severity_tmp='Medium' group by msg, severity_tmp order by counts desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Traffic-Summary |
UTM drilldown traffic summary |
traffic |
select srcip, srcname from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, srcname, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by user_src, srcip, srcname order by bandwidth desc)### t where $filter-drilldown group by srcip, srcname
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-User-Destination |
UTM drilldown top user destination |
traffic |
select appid, app, dstip, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, app, dstip, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and dstip is not null and nullifna(app) is not null group by user_src, appid, app, dstip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t where $filter-drilldown group by appid, app, dstip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Email-Senders-Summary |
UTM drilldown email senders summary |
traffic |
select sum(requests) as requests, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src, sender order by requests desc)### t where $filter-drilldown
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Email-Receivers-Summary |
UTM drilldown email receivers summary |
traffic |
select sum(requests) as requests, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and recipient is not null and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src, recipient order by requests desc)### t where $filter-drilldown
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Email-Recipients-By-Bandwidth |
UTM drilldown top email recipients |
traffic |
select recipient, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and recipient is not null and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src, recipient order by requests desc)### t where $filter-drilldown group by recipient having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Email-Senders-By-Bandwidth |
UTM drilldown top email senders |
traffic |
select sender, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group by user_src, sender order by requests desc)### t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Allowed-Websites-By-Bandwidth |
UTM drilldown top allowed web sites by bandwidth |
traffic |
select appid, hostname, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, appid, hostname, (case when utmaction in ('block', 'blocked') then 1 else 0 end) as blocked, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and hostname is not null group by user_src, appid, hostname, blocked order by bandwidth desc)### t where $filter-drilldown and blocked=0 group by appid, hostname order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Blocked-Websites-By-Request |
UTM drilldown top blocked web sites by request |
webfilter |
select appid, hostname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, 0 as appid, hostname, (case when action='blocked' then 1 else 0 end) as blocked, count(*) as requests from $log where $filter and hostname is not null group by user_src, appid, hostname, blocked order by requests desc)### t where $filter-drilldown and blocked=1 group by appid, hostname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Virus-By-Name |
UTM drilldown top virus |
virus |
select virus, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by user_src, virus order by totalnum desc)### t where $filter-drilldown group by virus order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Attacks |
UTM drilldown top attacks by name |
attack |
select attack, sum(attack_count) as attack_count from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack order by attack_count desc)### t where $filter-drilldown group by attack order by attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-Vulnerability |
UTM drilldown top vulnerability by name |
netscan |
select vuln, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, vuln, count(*) as totalnum from $log where $filter and action='vuln-detection' and vuln is not null group by user_src, vuln order by totalnum desc)### t where $filter-drilldown group by vuln order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-App-By-Bandwidth |
UTM drilldown top applications by bandwidth usage |
traffic |
select appid, app, sum(bandwidth) as bandwidth from ###(select user_src, appid, app, appcat, apprisk, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by user_src, appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t where $filter-drilldown group by appid, app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-drilldown-Top-App-By-Sessions |
UTM drilldown top applications by session count |
traffic |
select appid, app, sum(sessions) as sessions from ###(select user_src, appid, app, appcat, apprisk, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by user_src, appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t where $filter-drilldown group by appid, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top5-Users-By-Bandwidth |
UTM drilldown top users by bandwidth usage |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as dldn_user, count(*) as session, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(sentbyte, 0) ) as traffic_out, sum( coalesce(rcvdbyte, 0) ) as traffic_in from $log where $filter and ( logflag&1>0 ) group by dldn_user having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-App-By-Bandwidth-Sessions |
Top applications by bandwidth usage |
traffic |
select app_group_name(app) as app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t group by app_group having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Category-By-Bandwidth |
Application Risk Application Usage by Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Users-By-Bandwidth-Sessions |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by user_src order by sessions desc, bandwidth desc)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Traffic-By-Active-User-Number |
Bandwidth application traffic by active user number |
traffic |
select $flex_timescale(timestamp) as hodex, count(distinct user_src) as total_user from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log where $filter and (logflag&(1|32)>0) group by timestamp, user_src order by sessions desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Dest-By-Bandwidth-Sessions |
Bandwidth application top dest by bandwidth usage sessions |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) as dst, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by hostname, dstip order by sessions desc, bandwidth desc)### t group by dst order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Policies-By-Bandwidth-Sessions |
Top policies by bandwidth and sessions |
traffic |
select coalesce( pol.name, cast(policyid as text) ) as polid, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select policyid, poluuid, sum(coalesce(rcvddelta, rcvdbyte, 0) + coalesce(sentdelta, sentbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log where $filter and (logflag&(1|32)>0) group by policyid, poluuid order by bandwidth desc)### t1 left join $ADOMTBL_PLHD_POLINFO pol on t1.poluuid=pol.uuid group by polid order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Traffic-Statistics |
Bandwidth application traffic statistics |
traffic |
drop table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1( total_sessions varchar(255), total_bandwidth varchar(255), ave_session varchar(255), ave_bandwidth varchar(255), active_date varchar(255), total_users varchar(255), total_app varchar(255), total_dest varchar(255) ); insert into rpt_tmptbl_1 ( total_sessions, total_bandwidth, ave_session, ave_bandwidth ) select format_numeric_no_decimal( sum(sessions) ) as total_sessions, bandwidth_unit( sum(bandwidth) ) as total_bandwidth, format_numeric_no_decimal( cast( sum(sessions)/ $days_num as decimal(18, 0) ) ) as ave_session, bandwidth_unit( cast( sum(bandwidth)/ $days_num as decimal(18, 0) ) ) as ave_bandwidth from ###(select appid, app, appcat, apprisk, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t; update rpt_tmptbl_1 set active_date=t1.dom from (select dom, sum(sessions) as sessions from ###(select $DAY_OF_MONTH as dom, count(*) as sessions from $log where $filter and (logflag&(1|32)>0) group by dom order by sessions desc)### t group by dom order by sessions desc limit 1) as t1; update rpt_tmptbl_1 set total_users=t2.totalnum from (select format_numeric_no_decimal(count(distinct(user_src))) as totalnum from ###(select user_src, sum(sessions) as count from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by user_src order by count desc)### t) as t2; update rpt_tmptbl_1 set total_app=t3.totalnum from (select format_numeric_no_decimal(count(distinct(app_grp))) as totalnum from ###(select app_group_name(app) as app_grp, sum(sessions) as count from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app_grp order by count desc)### t) as t3; update rpt_tmptbl_1 set total_dest=t4.totalnum from (select format_numeric_no_decimal(count(distinct(dstip))) as totalnum from ###(select dstip, sum(sessions) as count from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where dstip is not null group by dstip order by count desc)### t ) as t4; select 'Total Sessions' as summary, total_sessions as stats from rpt_tmptbl_1 union all select 'Total Bytes Transferred' as summary, total_bandwidth as stats from rpt_tmptbl_1 union all select 'Most Active Date By Sessions' as summary, active_date as stats from rpt_tmptbl_1 union all select 'Total Users' as summary, total_users as stats from rpt_tmptbl_1 union all select 'Total Applications' as summary, total_app as stats from rpt_tmptbl_1 union all select 'Total Destinations' as summary, total_dest as stats from rpt_tmptbl_1 union all select 'Average Sessions Per Day' as summary, ave_session as stats from rpt_tmptbl_1 union all select 'Average Bytes Per Day' as summary, ave_bandwidth as stats from rpt_tmptbl_1
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Bandwidth-Usage-Summary |
Application Traffic Usage Timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(traffic_out) as traffic_out, sum(traffic_in) as traffic_in from ###(select $flex_timestamp as timestamp, appid, app, appcat, apprisk, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, appid, app, appcat, apprisk /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown group by hodex having sum(bandwidth)>0 order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Sessions-Summary |
Number of session timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(sessions) as sessions from ###(select timestamp, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### base_query group by timestamp order by sessions desc)### t where $filter-drilldown group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-App-Bandwidth-Usage |
Top Application by Bandwidth |
traffic |
select app, appcat, count(distinct user_src) as num_user, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t where $filter-drilldown group by app, appcat having sum(bandwidth) > 0 order by bandwidth desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-App-Category-By-Bandwidth |
Application Risk Application Usage by Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Active-User-Count-Timeline |
Bandwidth application traffic by active user number |
traffic |
select $flex_timescale(timestamp) as hodex, count(distinct user_src) as total_user from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log where $filter and (logflag&(1|32)>0) group by timestamp, user_src order by sessions desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Dest-By-Bandwidth |
Bandwidth application top dest by bandwidth usage sessions |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) as dst, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by hostname, dstip order by sessions desc, bandwidth desc)### t group by dst order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Dest-By-Session |
Bandwidth application top dest by bandwidth usage sessions |
traffic |
select coalesce( nullifna( root_domain(hostname) ), ipstr(`dstip`) ) as dst, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select hostname, dstip, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by hostname, dstip order by sessions desc, bandwidth desc)### t group by dst order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Bandwidth-Users |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by user_src order by sessions desc, bandwidth desc)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
bandwidth-app-Top-Session-Users |
Bandwidth application top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by user_src order by sessions desc, bandwidth desc)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Score-Summary-For-All-Users-Devices |
Reputation score summary for all users devices |
traffic |
select $flex_timescale(timestamp) as hodex, sum(scores) as scores from ###(select $flex_timestamp as timestamp, sum(crscore%65536) as scores, count(*) as totalnum from $log where $filter and (logflag&1>0) and crscore is not null group by timestamp having sum(crscore%65536)>0 order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Number-Of-Incidents-For-All-Users-Devices |
Reputation number of incidents for all users devices |
traffic |
select $flex_timescale(timestamp) as hodex, sum(scores) as scores, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, sum(crscore%65536) as scores, count(*) as totalnum from $log where $filter and (logflag&1>0) and crscore is not null group by timestamp having sum(crscore%65536)>0 order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Users-By-Reputation-Scores |
Reputation top users by scores |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by user_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Devices-By-Reputation-Scores |
Reputation top devices by scores |
traffic |
select max( get_devtype(srcswversion, osname, devtype) ) as devtype_new, coalesce( nullifna(`srcname`), nullifna(`srcmac`), ipstr(`srcip`) ) as dev_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by dev_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Users-With-Increased-Scores |
Reputation top users with increased scores |
traffic |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select f_user, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_user; create temporary table rpt_tmptbl_2 as select f_user, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_user; select t1.f_user, sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_user=t2.f_user where t2.sum_rp_score > t1.sum_rp_score group by t1.f_user order by delta desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Devices-With-Increased-Scores |
Reputation top devices with increased scores |
traffic |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select f_device, devtype_new, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, get_devtype(srcswversion, osname, devtype) as devtype_new, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and (logflag&1>0) and crscore is not null group by f_device, devtype_new having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_device, devtype_new; create temporary table rpt_tmptbl_2 as select f_device, devtype_new, sum(sum_rp_score) as sum_rp_score from ###(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, get_devtype(srcswversion, osname, devtype) as devtype_new, sum(crscore%65536) as sum_rp_score from $log where $filter and (logflag&1>0) and crscore is not null group by f_device, devtype_new having sum(crscore%65536)>0 order by sum_rp_score desc)### t group by f_device, devtype_new; select t1.f_device, t1.devtype_new , sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from rpt_tmptbl_1 as t1 inner join rpt_tmptbl_2 as t2 on t1.f_device=t2.f_device and t1.devtype_new=t2.devtype_new where t2.sum_rp_score > t1.sum_rp_score group by t1.f_device, t1.devtype_new order by delta desc
Dataset Name |
Description |
Log Category |
---|---|---|
Attacks-By-Severity |
Threat attacks by severity |
attack |
select ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity, count(*) as totalnum from $log where $filter group by severity order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attacks-Detected |
Threat top attacks detected |
attack |
select attack, attackid, cve, severity, sum(attack_count) as attack_count from ###(select attack, attackid, t1.severity, cve, (case when t1.severity = 'critical' then 1 when t1.severity = 'high' then 2 when t1.severity = 'medium' then 3 when t1.severity = 'low' then 4 else 5 end) as severity_level, count(*) as attack_count from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, severity_level, cve /*SkipSTART*/order by severity_level, attack_count desc/*SkipEND*/)### t group by attack, attackid, severity, severity_level, cve order by severity_level, attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attacks-Blocked |
Threat top attacks blocked |
attack |
select attack, count(*) as attack_count from $log where $filter and nullifna(attack) is not null and action not in ( & #039;detected', 'pass_session') group by attack order by attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Virus-Source |
Threat top virus source |
virus |
select source, hostname, sum(totalnum) as totalnum from ###(select source, ipstr(`victim`) as hostname, sum(totalnum) as totalnum from ( select (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by source, victim ) t group by source, hostname /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by source, hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Intrusion-in-Last-7-Days |
Threat intrusion timeline |
attack |
select $flex_timescale(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Virus-Time-Line |
Threat virus timeline |
virus |
select $flex_datetime(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Spyware-Victims |
Threat top spyware victims |
virus |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Riskware%' group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Spyware-by-Name |
Threat top spyware by name |
virus |
select virus, max(virusid_s) as virusid, sum(totalnum) as totalnum from ###(select filename, analyticscksum, service, fsaverdict, dtype, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by filename, analyticscksum, service, fsaverdict, dtype, user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Riskware%' group by virus order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Spyware-Source |
Threat top spyware source |
traffic |
select srcip, hostname, sum(totalnum) as totalnum from ###(select srcip, hostname, virus, count(*) as totalnum from $log where $filter and (logflag&1>0) group by srcip, hostname, virus order by totalnum desc)### t where virus like 'Riskware%' group by srcip, hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Spyware-Time-Line |
Threat spyware timeline |
virus |
select $flex_timescale(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, virus, count(*) as totalnum from $log where $filter group by timestamp, virus /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where virus like 'Riskware%' group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Adware-Victims |
Threat top adware victims |
virus |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as totalnum from $log where $filter group by user_src, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Adware-by-Name |
Threat top adware by name |
virus |
select virus, max(virusid_s) as virusid, sum(totalnum) as totalnum from ###(select filename, analyticscksum, service, fsaverdict, dtype, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by filename, analyticscksum, service, fsaverdict, dtype, user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where virus like 'Adware%' group by virus order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Adware-Source |
Threat top adware source |
traffic |
select srcip, hostname, sum(totalnum) as totalnum from ###(select srcip, hostname, virus, count(*) as totalnum from $log where $filter and (logflag&1>0) group by srcip, hostname, virus order by totalnum desc)### t where virus like 'Adware%' group by srcip, hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Adware-Time-Line |
Threat adware timeline |
virus |
select $flex_timescale(timestamp) as hodex, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, virus, count(*) as totalnum from $log where $filter group by timestamp, virus /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where virus like 'Adware%' group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Intrusions-Timeline-By-Severity |
Threat intrusions timeline by severity |
attack |
select $flex_timescale(timestamp) as timescale, sum(critical) as critical, sum(high) as high, sum(medium) as medium, sum(low) as low, sum(info) as info from ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity in ('notice', 'low') then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale
Dataset Name |
Description |
Log Category |
---|---|---|
Important-Intrusions-Timeline-By-Severity |
Threat intrusions timeline by severity |
attack |
select $flex_timescale(timestamp) as timescale, sum(critical) as critical, sum(high) as high, sum(medium) as medium, sum(low) as low, sum(info) as info from ###(select $flex_timestamp as timestamp, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity in ('notice', 'low') then 1 else 0 end) as low, sum(case when severity = 'info' or severity = 'debug' then 1 else 0 end) as info from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timescale order by timescale
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Intrusions-By-Types |
Threat top intrusions by types |
attack |
select vuln_type, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and vuln_type is not null group by vuln_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Critical-Severity-Intrusions |
Threat critical severity intrusions |
attack |
select attack, attackid, cve, vuln_type, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and t1.severity = & #039;critical' and nullifna(attack) is not null group by attack, attackid, cve, vuln_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
High-Severity-Intrusions |
Threat high severity intrusions |
attack |
select attack, attackid, vuln_type, cve, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and t1.severity =& #039;high' and nullifna(attack) is not null group by attack, attackid, vuln_type, cve order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Medium-Severity-Intrusions |
Threat medium severity intrusions |
attack |
select attack, vuln_type, cve, count(*) as totalnum from $log t1 left join ( select name, cve, vuln_type from ips_mdata ) t2 on t1.attack = t2.name where $filter and t1.severity =& #039;medium' and nullifna(attack) is not null group by attack, vuln_type, cve order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Intrusion-Victims |
Threat top intrusion victims |
attack |
select victim, sum(cri_num) as critical, sum(high_num) as high, sum(med_num) as medium, sum(cri_num + high_num + med_num) as totalnum from ###(select (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, sum((case when severity='critical' then 1 else 0 end)) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by victim)### t group by victim order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Intrusion-Sources |
Threat top intrusion sources |
attack |
select source, sum(cri_num) as critical, sum(high_num) as high, sum(med_num) as medium, sum(cri_num + high_num + med_num) as totalnum from ###(select (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, sum(case when severity='critical' then 1 else 0 end) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case when severity='medium' then 1 else 0 end) as med_num from $log where $filter and severity in ('critical', 'high', 'medium') group by source)### t group by source order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Blocked-Intrusions |
Threat top blocked intrusions |
attack |
select attack, attackid, ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity_name, sum(totalnum) as totalnum, vuln_type, (case when severity='critical' then 0 when severity='high' then 1 when severity='medium' then 2 when severity='low' then 3 when severity='info' then 4 else 5 end) as severity_number from ###(select attack, attackid, t1.severity, count(*) as totalnum, vuln_type, action from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, vuln_type, action order by totalnum desc)### t where action not in ('detected', 'pass_session') group by attack, attackid, severity, vuln_type order by severity_number, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Monitored-Intrusions |
Threat top monitored intrusions |
attack |
select attack, attackid, ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity_name, sum(totalnum) as totalnum, vuln_type, (case when severity='critical' then 0 when severity='high' then 1 when severity='medium' then 2 when severity='low' then 3 when severity='info' then 4 else 5 end) as severity_number from ###(select attack, attackid, t1.severity, count(*) as totalnum, vuln_type, action from $log t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where $filter and nullifna(attack) is not null group by attack, attackid, t1.severity, vuln_type, action order by totalnum desc)### t where action in ('detected', 'pass_session') group by attack, attackid, severity, vuln_type order by severity_number, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Attacks-Over-HTTP-HTTPs |
Threat attacks over HTTP HTTPs |
attack |
select attack, attackid, ( case when severity =& #039;critical' then 'Critical' when severity='high' then 'High' when severity='medium' then 'Medium' when severity='low' then 'Low' when severity='info' then 'Info' end) as severity, count(*) as totalnum, (case when severity='critical' then 0 when severity='high' then 1 when severity='medium' then 2 when severity='low' then 3 when severity='info' then 4 else 5 end) as severity_number from $log where $filter and severity in ('critical', 'high', 'medium') and upper(service) in ('HTTP', 'HTTPS') group by attack, attackid, severity, severity_number order by severity_number, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OffWire |
Default access point detection summary by status off-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='no' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OffWire_table |
Default access point detection summary by status off-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='no' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OnWire |
Default access point detection summary by status on-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='yes' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-AP-Detection-Summary-by-Status-OnWire_table |
Default access point detection summary by status on-wire |
event |
select ( case apstatus when 1 then & #039;rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, count(*) as totalnum from (select apstatus, bssid, ssid from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t where onwire='yes' group by apstatus, bssid, ssid) t group by ap_full_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Managed-AP-Summary |
Default managed access point summary |
event |
select ( case when ( action like & #039;%join%' and logid_to_int(logid) in (43522, 43551)) then 'Authorized' else 'Unauthorized' end) as ap_status, count(*) as totalnum from $log where $filter and logid_to_int(logid) in (43522, 43551) group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Managed-AP-Summary_table |
Default managed access point summary |
event |
select ( case when ( action like & #039;%join%' and logid_to_int(logid) in (43522, 43551)) then 'Authorized' else 'Unauthorized' end) as ap_status, count(*) as totalnum from $log where $filter and logid_to_int(logid) in (43522, 43551) group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Unclassified-AP-Summary |
Default unclassified access point summary |
event |
select ( case onwire when & #039;no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end) as ap_status, count(*) as totalnum from ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Unclassified-AP-Summary_table |
Default unclassified access point summary |
event |
select ( case onwire when & #039;no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end) as ap_status, count(*) as totalnum from ###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-selected-AP-Details-OffWire |
Default selected access point details off-wire |
event |
select ( case apstatus when 0 then & #039;unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, from_dtime(min(first_seen)) as first_seen, from_dtime(max(last_seen)) as last_seen, detectionmethod, itime, onwire as on_wire from ###(select apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, min(dtime) as first_seen, max(dtime) as last_seen, detectionmethod, itime, onwire from $log where $filter and apstatus is not null and bssid is not null and logid_to_int(logid) in (43521, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire order by itime desc)### t where onwire='no' group by ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire, apstatus order by itime desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-selected-AP-Details-OnWire |
Default selected access point details on-wire |
event |
select ( case apstatus when 0 then & #039;unclassified' when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed' else 'others' end) as ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, from_dtime(min(first_seen)) as first_seen, from_dtime(max(last_seen)) as last_seen, detectionmethod, itime, onwire as on_wire from ###(select apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, min(dtime) as first_seen, max(dtime) as last_seen, detectionmethod, itime, onwire from $log where $filter and apstatus is not null and bssid is not null and logid_to_int(logid) in (43521, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by apstatus, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire order by itime desc)### t where onwire='yes' group by ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire, apstatus order by itime desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Client-Details |
Event wireless client details |
event |
drop table if exists rpt_tmptbl_1; create temporary table rpt_tmptbl_1 as select ip, lmac, sn, ssid, channel, radioband, min(first) as first, max(last) as last from ###(select ip, lower(mac) as lmac, sn, ssid, channel, radioband, min(dtime) as first, max(dtime) as last from $log-event where $filter and ip is not null and mac is not null and sn is not null and ssid is not null group by ip, lmac, sn, ssid, channel, radioband order by ip)### t group by ip, lmac, sn, ssid, channel, radioband; select user_src, ip, lmac, sn, ssid, channel, radioband, from_dtime(first) as first_seen, from_dtime(last) as last_seen, cast(volume as decimal(18,2)) as bandwidth from (select * from rpt_tmptbl_1 inner join (select user_src, srcip, sum(volume) as volume from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as volume from $log-traffic where $filter-time and (logflag&1>0) and srcip is not null group by user_src, srcip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by volume desc)### t group by user_src, srcip order by user_src, srcip) t on rpt_tmptbl_1.ip = t.srcip) t order by volume desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Accepted-Offwire |
Event wireless accepted off-wire |
event |
select & #039;accepted' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=2 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Accepted-Onwire |
Event wireless accepted on-wire |
event |
select & #039;accepted' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=2 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Rogue-Offwire |
Event wireless rogue off-wire |
event |
select & #039;rogue' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=1 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Rogue-Onwire |
Event wireless rogue on-wire |
event |
select & #039;rogue' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=1 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Suppressed-Offwire |
Event wireless suppressed off-wire |
event |
select & #039;suppressed' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=3 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Suppressed-Onwire |
Event wireless suppressed on-wire |
event |
select & #039;suppressed' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=3 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Unclassified-Offwire |
Event wireless unclassified off-wire |
event |
select & #039;unclassified' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'no' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen desc)### t where apstatus=0 and onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Wireless-Unclassified-Onwire |
Event wireless unclassified on-wire |
event |
select & #039;unclassified' as ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, from_dtime(max(last_seen)) as last_seen, detectionmethod, snclosest, 'yes' as on_wire from ###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal, max(dtime) as last_seen from $log where $filter and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, signal order by last_seen desc)### t where apstatus=0 and onwire='yes' group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Top-IPSEC-Vpn-Dial-Up-User-By-Bandwidth |
Default top IPsec VPN dial up user by bandwidth usage |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
default-Top-Sources-Of-SSL-VPN-Tunnels-By-Bandwidth |
Default top sources of SSL VPN tunnels by bandwidth usage |
event |
select remip as remote_ip, sum(bandwidth) as bandwidth from ( select devid, vd, remip, tunnelid, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where t_type like 'ssl%' and action in ('tunnel-up','tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, tunnelid) t group by remote_ip having sum(traffic_in+traffic_out)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-Connection-Count-by-Type |
VPN authenticated logins |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as f_user, t_type as tunneltype, from_dtime( min(s_time) ) as start_time, count(distinct tunnelid) as total_num, sum(duration) as duration from ( select string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, devid, vd, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then NULL else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, count(distinct tunnelid) as total_num from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-User-Count-by-Type |
VPN Login User Count by VPN Type |
event |
select type_agg, count(distinct f_user) as num_user from ( select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as f_user, string_agg( distinct t_type, & #039; ') as type_agg from (select string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, devid, vd, remip, tunnelid, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by f_user) ttt group by type_agg order by num_user desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-Total-Bandwidth-by-Type |
VPN Login Total Bandwidth by VPN Type |
event |
select t_type, sum(bandwidth) as total_bandwidth from ( select t_type, devid, vd, remip, tunnelid, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by t_type order by total_bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Login-Attempt-by-Type |
VPN Login Attempts by VPN Type |
event |
select ( case when action like & #039;%fail' then 'Failed' else 'Success' end) as type, sum(total_num) as total_num from ###(select coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('ssl-login-fail', 'ipsec-login-fail', 'tunnel-up', 'tunnel-stats', 'tunnel-down') group by f_user, tunneltype, action order by total_num desc)### t group by type order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Traffic-Usage-Trend |
VPN traffic usage trend |
event |
select hodex, sum(ssl_traffic_bandwidth) as ssl_bandwidth, sum(ipsec_traffic_bandwidth) as ipsec_bandwidth from ( select $flex_timescale(timestamp) as hodex, devid, vd, remip, tunnelid, ( case when t_type like & #039;ssl%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ssl_traffic_bandwidth, (case when t_type like 'ipsec%' then (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) else 0 end) as ipsec_traffic_bandwidth, min(s_time) as s_time, max(e_time) as e_time from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where action in ('tunnel-up','tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by hodex, devid, t_type, vd, remip, tunnelid) tt group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Authenticated-Logins |
VPN authenticated logins |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as f_user, t_type as tunneltype, from_dtime( min(s_time) ) as start_time, count(distinct tunnelid) as total_num, sum(duration) as duration from ( select string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, devid, vd, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then NULL else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then NULL else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, count(distinct tunnelid) as total_num from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t group by t_type, devid, vd, remip, tunnelid) tt where bandwidth>0 group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Failed-Login-Attempt-by-User |
VPN failed logins |
event |
select f_user, tunneltype, sum(total_num) as total_num from ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Failed-Login-Timeline |
VPN Failed Login Timeline |
event |
select $flex_timescale(timestamp) as hodex, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, devid, vd, remip, tunnelid, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, (case when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr(`remip`)) as f_user, tunneltype, action, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up','tunnel-stats', 'tunnel-down', 'ssl-login-fail', 'ipsec-login-fail') group by timestamp, devid, vd, remip, t_type, tunnelid, action, f_user, tunneltype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where action in ('ssl-login-fail', 'ipsec-login-fail') and f_user is not null group by hodex order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Dial-Up-VPN-Users-By-Duration |
Top dial up VPN users by duration |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, t_type as tunneltype, from_dtime( min(s_time) ) as start_time, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, t_type, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_duration) else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, tunnelid, tunnelip, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, sum((case when action='tunnel-up' then 1 else 0 end)) as tunnelup from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null and tunnelid!=0 group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid, tunnelip order by max_traffic desc)### t where (t_type like 'ssl%' or (t_type like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0'))) group by devid, vd, remip, t_type, tunnelid) tt where bandwidth>0 group by user_src, tunneltype order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Tunnel-Duration-By-Users |
Top SSL VPN Tunnel Duration by Users |
event |
select user_src, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, user_src, tunnelid, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration, ( case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_traffic_in)- min(min_traffic_in) end ) as traffic_in, ( case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_traffic_out)- min(min_traffic_out) end ) as traffic_out, ( case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)- min(min_traffic_out) end ) as bandwidth from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-tunnel' group by devid, vd, remip, user_src, tunnelid) tt where bandwidth>0 group by user_src order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Tunnel-Users-By-Traffic-Directions |
Top SSL VPN Tunnel Users by Traffic Directions |
event |
select user_src, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select user_src, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, remip, user_src, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-tunnel' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Web-Mode-Users-By-Duration |
Top SSL VPN web mode users by duration |
event |
select user_src, remip as remote_ip, from_dtime( min(s_time) ) as start_time, sum(duration) as duration from ( select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, ( case when min(s_time)= max(e_time) then max(max_duration) else max(max_duration)- min(min_duration) end ) as duration from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-SSL-VPN-Web-Mode-Users-By-Traffic-Directions |
Top SSL VPN Web Mode Users by Traffic Directions |
event |
select user_src, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select user_src, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, user_src, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src, tunnelid, tunneltype, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by devid, vd, user_src, remip, tunnelid, tunneltype order by max_traffic desc)### t where tunneltype='ssl-web' group by devid, vd, user_src, remip, tunnelid) tt where bandwidth>0 group by user_src) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-IPsec-Vpn-Dial-Up-User-By-Bandwidth |
Default top IPsec VPN dial up user by bandwidth usage |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, remip, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Static-IPsec-Tunnels-By-Traffic-Directions |
Top Static IPsec Tunnels by Traffic Directions |
event |
select vpn_name, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select vpn_name, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, remip, tunnelid, vpn_name, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Dial-Up-IPsec-Users-By-Duration |
Top dial up IPsec users by duration |
event |
select coalesce( xauthuser_agg, user_agg, ipstr(`remip`) ) as user_src, from_dtime( min(s_time) ) as start_time, sum(duration) as duration, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ( select devid, vd, remip, string_agg( distinct xauthuser_agg, & #039; ') as xauthuser_agg, string_agg(distinct user_agg, ' ') as user_agg, tunnelid, min(s_time) as s_time, max(e_time) as e_time, (case when min(s_time)=max(e_time) then max(max_duration) else max(max_duration)-min(min_duration) end) as duration, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out from ###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or tunnelip='0.0.0.0') and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by max_traffic desc)### t group by devid, vd, remip, tunnelid) tt where bandwidth>0 group by user_src order by duration desc
Dataset Name |
Description |
Log Category |
---|---|---|
vpn-Top-Dial-Up-IPsec-Tunnels-By-Traffic-Directions |
Top Dial Up IPsec Tunnels by Traffic Directions |
event |
select vpn_name, unnest(traffic_direction) as direction, unnest(traffic) as traffic from ( select vpn_name, sum(bandwidth) as bandwidth, array[ & #039;Received', 'Sent'] as traffic_direction, array[sum(traffic_in), sum(traffic_out)] as traffic from (select devid, vd, tunnelid, remip, vpn_name, (case when min(s_time)=max(e_time) then max(max_traffic_in) else max(max_traffic_in)-min(min_traffic_in) end) as traffic_in, (case when min(s_time)=max(e_time) then max(max_traffic_out) else max(max_traffic_out)-min(min_traffic_out) end) as traffic_out, (case when min(s_time)=max(e_time) then max(max_traffic_in)+max(max_traffic_out) else max(max_traffic_in)-min(min_traffic_in)+max(max_traffic_out)-min(min_traffic_out) end) as bandwidth from ###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, tunnelip, max(coalesce(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in, max(coalesce(rcvdbyte, 0)+coalesce(sentbyte, 0)) as max_traffic, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as e_time from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and nullifna(vpntunnel) is not null and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null and tunnelid!=0 group by devid, vd, remip, vpn_name, tunnelid, tunnelip order by max_traffic desc)### t where not (tunnelip is null or tunnelip='0.0.0.0') group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name having sum(traffic_out+traffic_in)>0) ttt order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Web-Activity-Summary-By-Requests |
Webfilter web activity summary by requests |
webfilter |
select $flex_timescale(timestamp) as hodex, sum(allowed_request) as allowed_request, sum(blocked_request) as blocked_request from ###(select $flex_timestamp as timestamp, sum(case when action!='blocked' then 1 else 0 end) as allowed_request, sum(case when action='blocked' then 1 else 0 end) as blocked_request from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Browsing-Time-Summary |
Traffic browsing time summary |
traffic |
select $flex_timescale(timestamp) as hodex, cast( ebtr_value( ebtr_agg_flat(browsetime), null, $timespan )/ 60.0 as decimal(18, 2) ) as browsetime from ###(select $flex_timestamp as timestamp, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Web-Users-By-Blocked-Requests |
Webfilter top web users by blocked requests |
webfilter |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, sum(requests) as requests from ( select dvid, f_user, srcip, ep_id, eu_id, sum(requests) as requests from ###(select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, action, count(*) as requests from $log where $filter and coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) is not null group by dvid, f_user, srcip, ep_id, eu_id, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action='blocked' group by dvid, f_user, srcip, ep_id, eu_id order by requests desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Web-Users-By-Allowed-Requests |
Webfilter top web users by allowed requests |
webfilter |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, sum(requests) as requests from ( select dvid, f_user, srcip, ep_id, eu_id, sum(requests) as requests from ###(select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, action, count(*) as requests from $log where $filter and coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) is not null group by dvid, f_user, srcip, ep_id, eu_id, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action!='blocked' group by dvid, f_user, srcip, ep_id, eu_id order by requests desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-Web-Users-By-Browsing-Time |
Traffic top web users by browsing time |
traffic |
select user_src, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select user_src, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and $browse_time is not null group by user_src) t group by user_src /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by user_src order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Blocked-Web-Sites-By-Requests |
Webfilter top blocked web sites by requests |
webfilter |
select domain, catdesc, sum(requests) as requests from ###(select hostname as domain, catdesc, action, count(*) as requests from $log where $filter and hostname is not null and catdesc is not null group by domain, catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action='blocked' group by domain, catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Allowed-Web-Sites-By-Requests |
Webfilter top allowed web sites by requests |
webfilter |
select domain, string_agg( distinct catdesc, & #039;, ') as agg_catdesc, sum(requests) as requests from ###(select hostname as domain, catdesc, action, count(*) as requests from $log where $filter and hostname is not null and catdesc is not null group by domain, catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action!='blocked' group by domain order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Video-Streaming-Websites-By-Bandwidth |
Webfilter top video streaming websites by bandwidth usage |
webfilter |
select domain, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select coalesce(nullifna(root_domain(hostname)), 'other') as domain, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc in ('Streaming Media and Download') group by domain having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by domain order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Blocked-Web-Categories |
Webfilter top blocked web categories |
webfilter |
select catdesc, sum(requests) as requests from ###(select catdesc, action, count(*) as requests from $log-webfilter where $filter and catdesc is not null group by catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action='blocked' group by catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Allowed-Web-Categories |
Webfilter top allowed web categories |
webfilter |
select catdesc, sum(requests) as requests from ###(select catdesc, action, count(*) as requests from $log-webfilter where $filter and catdesc is not null group by catdesc, action /*SkipSTART*/order by requests desc/*SkipEND*/)### t where action!='blocked' group by catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-50-Sites-By-Browsing-Time |
Traffic top sites by browsing time |
traffic |
select hostname, string_agg( distinct catdesc, & #039;, ') as agg_catdesc, ebtr_value(ebtr_agg_flat(browsetime), null, $timespan) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-10-Categories-By-Browsing-Time |
Traffic top category by browsing time |
traffic |
select catdesc, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth from ###(select catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and catdesc is not null and $browse_time is not null group by catdesc) t group by catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by catdesc order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Top-Destination-Countries-By-Browsing-Time |
Traffic top destination countries by browsing time |
traffic |
select dstcountry, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
webfilter-Top-Search-Phrases |
Webfilter top search phrases |
webfilter |
select keyword, count(*) as requests from $log where $filter and keyword is not null group by keyword order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-10-Users-Browsing-Time |
Estimated browsing time |
traffic |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ( select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from ###(select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from (select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by dvid, f_user, srcip, ep_id, eu_id) t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
Estimated-Browsing-Time |
Estimated browsing time |
traffic |
select coalesce( f_user, euname, ipstr(`srcip`) ) as user_src, coalesce( epname, ipstr(`srcip`) ) as ep_src, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ( select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from ###(select dvid, f_user, srcip, ep_id, eu_id, ebtr_agg_flat(browsetime) as browsetime from (select dvid, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, srcip, (case when epid<1024 then null else epid end) as ep_id, (case when euid<1024 then null else euid end) as eu_id, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by dvid, f_user, srcip, ep_id, eu_id) t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by dvid, f_user, srcip, ep_id, eu_id order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc) t1 left join (select epid, euid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.ep_id=t2.epid and t1.eu_id=t2.euid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.ep_id=t3.epid and t2.epmac=t3.mac left join $ADOM_ENDUSER t4 on t1.eu_id=t4.euid group by user_src, ep_src order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-AP-By-Bandwidth |
Top access point by bandwidth usage |
traffic |
select ap_srcintf, sum(bandwidth) as bandwidth from ( select coalesce(ap, srcintf) as ap_srcintf, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by ap_srcintf having sum(bandwidth)>0 union all select ap as ap_srcintf, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by ap having sum(bandwidth)>0) t group by ap_srcintf order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-AP-By-Client |
Top access point by client |
traffic |
select ap_srcintf as srcintf, count(distinct srcmac) as totalnum from ( select coalesce(ap, srcintf) as ap_srcintf, srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by ap_srcintf, srcmac union all (select ap as ap_srcintf, stamac as srcmac from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where stamac is not null group by ap, stamac)) t group by srcintf order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-SSID-By-Bandwidth |
Top SSIDs by bandwidth usage |
traffic |
select srcssid, sum(bandwidth) as bandwidth from ( select srcssid, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcssid is not null group by srcssid having sum(bandwidth)>0 union all select ssid as srcssid, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by ssid having sum(bandwidth)>0) t group by srcssid order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-SSID-By-Client |
Top SSIDs by client |
traffic |
select srcssid, count(distinct srcmac) as totalnum from ( select srcssid, srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by srcssid, srcmac union all select ssid as srcssid, stamac as srcmac from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where stamac is not null group by ssid, stamac) t where srcssid is not null group by srcssid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-App-By-Bandwidth |
Top WiFi applications by bandwidth usage |
traffic |
select appid, app, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and ( srcssid is not null or dstssid is not null ) and nullifna(app) is not null group by appid, app having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-Client-By-Bandwidth |
Top WiFi client by bandwidth usage |
traffic |
select client, sum(bandwidth) as bandwidth from ( select ( coalesce( hostname_mac, & #039;unknown') || ' (' || get_devtype(srcswversion, osname, devtype) || ', ' || coalesce(osname, '') || (case when srcswversion is null then '' else ' ' || srcswversion end) || ')') as client, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by client having sum(bandwidth)>0 union all select (coalesce(stamac, 'unknown')) as client, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by client having sum(bandwidth) > 0) t where client is not null group by client order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-OS-By-Bandwidth |
Top WiFi os by bandwidth usage |
traffic |
select ( coalesce( osname, & #039;unknown') || ' ' || coalesce(srcswversion, '')) as os, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by os having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-OS-By-WiFi-Client |
Top WiFi os by WiFi client |
traffic |
select ( coalesce( osname, & #039;unknown') || ' ' || coalesce(osversion, '')) as os, count(distinct srcmac) as totalnum from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-Device-By-Bandwidth |
Top WiFi device by bandwidth usage |
traffic |
select get_devtype(srcswversion, osname, devtype) as devtype_new, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where devtype is not null group by devtype_new having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-Device-By-Client |
Top WiFi device by client |
traffic |
select devtype_new, count(distinct srcmac) as totalnum from ( select get_devtype(srcswversion, osname, devtype) as devtype_new, srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null) t where devtype_new is not null group by devtype_new order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Overall-Traffic |
WiFi overall traffic |
traffic |
select sum(bandwidth) as bandwidth from ( select sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by srcssid union all select sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t) t
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Num-Distinct-Client |
WiFi num distinct client |
traffic |
select count(distinct srcmac) as totalnum from ( select srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by srcmac union all select stamac as srcmac from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where stamac is not null group by stamac) t
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Bandwidth-and-Sessions |
Top subnets by application bandwidth |
traffic |
select ip_subnet(`srcip`) as subnet, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by subnet having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Application-Bandwidth |
Top applications by bandwidth |
traffic |
select ip_subnet(`srcip`) as subnet, app_group_name(app) as app_group, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and nullifna(app) is not null group by subnet, app_group having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Application-Sessions |
Top applications by sessions |
traffic |
select ip_subnet(`srcip`) as subnet, app_group_name(app) as app_group, count(*) as sessions from $log where $filter and ( logflag&1>0 ) and nullifna(app) is not null group by subnet, app_group order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Website-Bandwidth |
Top websites and web category by bandwidth |
traffic |
select subnet, website, sum(bandwidth) as bandwidth from ###(select ip_subnet(`srcip`) as subnet, hostname as website, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by subnet, website order by bandwidth desc)### t group by subnet, website order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-by-Website-Hits |
Top websites and web category by sessions |
webfilter |
select subnet, website, sum(hits) as hits from ###(select ip_subnet(`srcip`) as subnet, hostname as website, count(*) as hits from $log where $filter and hostname is not null group by subnet, website order by hits desc)### t group by subnet, website order by hits desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-with-Top10-User-by-Bandwidth |
Top users by bandwidth |
traffic |
select ip_subnet(`srcip`) as subnet, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and srcip is not null group by subnet, user_src having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top30-Subnets-with-Top10-User-by-Sessions |
Top users by sessions |
traffic |
select ip_subnet(`srcip`) as subnet, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by subnet, user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-20-Category-and-Applications-by-Bandwidth |
Top category and applications by bandwidth usage |
traffic |
select appcat, app, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) group by appcat, app having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-20-Category-and-Applications-by-Session |
Top category and applications by session |
traffic |
select appcat, app, count(*) as sessions from $log where $filter and ( logflag&1>0 ) group by appcat, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-500-Allowed-Applications-by-Bandwidth |
Top allowed applications by bandwidth usage |
traffic |
select from_itime(itime) as timestamp, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, appcat, app, coalesce( root_domain(hostname), ipstr(dstip) ) as destination, sum( coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and action in ( & #039;accept', 'close', 'timeout') group by timestamp, user_src, appcat, app, destination order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-Top-500-Blocked-Applications-by-Session |
Top blocked applications by session |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, appcat, app, count(*) as sessions from $log where $filter and ( logflag&1>0 ) and action in ( & #039;deny', 'blocked', 'reset', 'dropped') group by user_src, appcat, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Detailed-Website-Browsing-Log |
Web detailed website browsing log |
traffic |
select from_dtime(dtime) as timestamp, catdesc, hostname as website, status, sum(bandwidth) as bandwidth from ###(select dtime, catdesc, hostname, cast(utmaction as text) as status, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by dtime, catdesc, hostname, utmaction order by dtime desc)### t group by dtime, catdesc, website, status order by dtime desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Hourly-Category-and-Website-Hits-Action |
Web hourly category and website hits action |
webfilter |
select hod, website, sum(hits) as hits from ###(select $hour_of_day as hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') as website , count(*) as hits from $log where $filter and hostname is not null group by hod, website order by hod, hits desc)### t group by hod, website order by hod, hits desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-20-Category-and-Websites-by-Bandwidth |
Web top category and websites by bandwidth usage |
traffic |
select website, catdesc, sum(bandwidth) as bandwidth from ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by website, catdesc order by bandwidth desc)### t group by website, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-20-Category-and-Websites-by-Session |
Web top category and websites by session |
webfilter |
select website, catdesc, sum(sessions) as hits from ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null group by hostname, catdesc order by sessions desc)### t group by website, catdesc order by hits desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-500-Website-Sessions-by-Bandwidth |
Web top website sessions by bandwidth usage |
traffic |
select from_dtime(dtime) as timestamp, user_src, website, catdesc, cast( sum(dura)/ 60 as decimal(18, 2) ) as dura, sum(bandwidth) as bandwidth from ###(select dtime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname as website, catdesc, sum(coalesce(duration, 0)) as dura, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and hostname is not null and (logflag&1>0) and action in ('accept','close','timeout') group by dtime, user_src, website, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by dtime, user_src, website, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-500-User-Visted-Websites-by-Bandwidth |
Web top user visted websites by bandwidth usage |
traffic |
select website, catdesc, sum(bandwidth) as bandwidth from ###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by hostname, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by website, catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Top-500-User-Visted-Websites-by-Session |
Web top user visted websites by session |
webfilter |
select website, catdesc, sum(sessions) as sessions from ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null group by hostname, catdesc order by sessions desc)### t where catdesc is not null group by website, catdesc order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Installed-Feature-Summary |
Installed Feature Summary |
fct-event |
select subtype, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where subtype is not null group by subtype order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Device-by-Operating-System |
Device by OS |
fct-event |
select os_short as os, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where os_short is not null group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Installed-FortiClient-Version |
FortiClient Version |
fct-event |
select fctver as fctver_short, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where fctver is not null group by fctver order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Endpoint-Profile-Deployment |
Endpoint Profile Deployment |
fct-event |
select profile, count(distinct fctuid) as totalnum from ###(select uid as fctuid, coalesce(nullifna(usingpolicy), 'No Profile') as profile from $log where $filter group by uid, profile)### t group by profile order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Client-Summary |
Client Summary |
fct-event |
select hostname, deviceip, os_short as os, profile, fctver, from_itime( max(itime) ) as last_seen from ###(select hostname, deviceip, regexp_replace(os, '\\(build.*', '') as os_short, nullifna(usingpolicy) as profile, fctver, max(itime) as itime from $log where $filter and os is not null group by hostname, deviceip, os_short, profile, fctver order by itime desc)### t group by hostname, deviceip, os, profile, fctver order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Total-Threats-Found |
Total Threats Found |
fct-traffic |
select utmevent_s as utmevent, count(distinct threat) as totalnum from ###(select coalesce(nullifna(lower(utmevent)), 'unknown') as utmevent_s, threat from $log where $filter and threat is not null and utmaction='blocked' group by utmevent_s, threat)### t group by utmevent order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-AV-Threats-Detected |
Top AV Threats Detected |
fct-traffic |
select threat, sum(totalnum) as totalnum from ( ( select threat, sum(totalnum) as totalnum from ###(select threat, count(*) as totalnum from $log-fct-traffic where $filter and threat is not null and lower(utmevent)='antivirus' group by threat order by totalnum desc)### t group by threat) union all (select threat, sum(totalnum) as totalnum from ###(select virus as threat, count(*) as totalnum from $log-fct-event where $filter and virus is not null group by threat order by totalnum desc)### t group by threat)) t group by threat order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-Infected-Devices-with-Botnet |
Top Infected Devices with Botnet |
fct-traffic |
select hostname, count(*) as totalnum from $log where $filter and hostname is not null and lower(utmevent) in ( & #039;webfilter', 'appfirewall') and lower(threat) like '%botnet%' group by hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-Infected-Devices-with-Virus-Malware |
Top Infected Devices with Virus Malware |
fct-traffic |
select hostname, sum(totalnum) as totalnum from ( ( select hostname, sum(totalnum) as totalnum from ###(select hostname, count(*) as totalnum from $log-fct-traffic where $filter and hostname is not null and lower(utmevent) in ('antivirus', 'antimalware') group by hostname order by totalnum desc)### t group by hostname) union all (select hostname, sum(totalnum) as totalnum from ###(select hostname, count(*) as totalnum from $log-fct-event where $filter and hostname is not null and virus is not null group by hostname order by totalnum desc)### t group by hostname)) t group by hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-All-Antivirus-Antimalware-Detections |
All Antivirus and Antimalware Detections |
fct-traffic |
select threat, hostname, hostuser, utmaction, from_dtime( max(dtime) ) as last_seen from ( ( select threat, hostname, hostuser, utmaction, max(dtime) as dtime from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction order by threat)### t group by threat, hostname, hostuser, utmaction) union all (select threat, hostname, hostuser, utmaction, max(dtime) as dtime from ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction order by threat)### t group by threat, hostname, hostuser, utmaction)) t group by threat, hostname, hostuser, utmaction order by threat
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Web-Filter-Violations |
Web Filter Violations |
fct-traffic |
select hostuser, hostname, string_agg( distinct remotename, & #039;,') as remotename, utmaction, sum(total) as totalnum, from_dtime(max(dtime)) as last_seen from ###(select remotename, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, count(*) as total, max(dtime) as dtime from $log where $filter and lower(utmevent)='webfilter' and utmaction='blocked' group by remotename, hostname, hostuser, utmaction order by total desc)### t group by hostuser, hostname, utmaction order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Application-Firewall |
Application Firewall |
fct-traffic |
select threat, hostname, hostuser, utmaction, from_dtime( max(dtime) ) as last_seen from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime from $log where $filter and lower(utmevent)='appfirewall' and utmaction='blocked' group by threat, hostname, hostuser, utmaction order by dtime desc)### t1 left join app_mdata t2 on t1.threat=t2.name group by threat, risk, hostname, hostuser, utmaction order by risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Errors-and-Alerts |
Errors and Alerts |
fct-event |
select msg, hostname, hostuser, from_dtime( max(dtime) ) as last_seen from ###(select msg, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, max(dtime) as dtime from $log where $filter and level in ('error', 'alert') group by msg, hostname, hostuser order by dtime desc)### t group by msg, hostname, hostuser order by last_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Threats-by-Top-Devices |
Threats by Top Devices |
fct-traffic |
select hostname, count(*) as totalnum from $log where $filter and hostname is not null and utmevent is not null and utmaction =& #039;blocked' group by hostname order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Device-Vulnerabilities |
Vulnerabilities Detected by User/Device |
fct-netscan |
select vulnseverity, ( CASE vulnseverity WHEN & #039;Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END) as severity_number, count(distinct vulnname) as vuln_num from ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname, devid)### t group by vulnseverity order by severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Category-Type-Vulnerabilities |
Vulnerabilities Detected by Category Type |
fct-netscan |
select vulncat, count(distinct vulnname) as totalnum from ###(select vulncat, vulnname from $log where $filter and nullifna(vulncat) is not null and nullifna(vulnname) is not null group by vulncat, vulnname)### t group by vulncat order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerabilities-by-OS |
Forticlient Vulnerabilities by OS |
fct-netscan |
select os, count(distinct vulnname) as totalnum from ###(select os, vulnname from $log where $filter and nullifna(os) is not null and nullifna(vulnname) is not null group by os, vulnname)### t group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerabilities-by-Risk-Level |
Number Vulnerability by Device and Risk Level |
fct-netscan |
select vulnseverity, ( case when vulnseverity =& #039;Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as severity_number, count(distinct vulnname) as vuln_num, count(distinct devid) as dev_num from ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname, devid)### t where nullifna(devid) is not null group by vulnseverity order by dev_num desc, severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Device-by-Risk-Level |
Number Vulnerability by Device and Risk Level |
fct-netscan |
select vulnseverity, ( case when vulnseverity =& #039;Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as severity_number, count(distinct vulnname) as vuln_num, count(distinct devid) as dev_num from ###(select vulnseverity, devid, vulnname from $log where $filter and nullifna(vulnseverity) is not null and nullifna(vulnname) is not null group by vulnseverity, vulnname, devid)### t where nullifna(devid) is not null group by vulnseverity order by dev_num desc, severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerability-Trend |
Vulnerability Trend |
fct-netscan |
select $flex_timescale(timestamp) as hodex, count(distinct vulnname) as total_num from ###(select $flex_timestamp as timestamp, vulnname from $log where $filter and nullifna(vulnname) is not null group by timestamp, vulnname order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Details-by-Risk-Level-Device |
Vulnerability Details for Each Risk Level by Device |
fct-netscan |
select hostname, os, vulnseverity, count(distinct vulnname) as vuln_num, count(distinct products) as products, count(distinct cve_id) as cve_count from ###(select hostname, os, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and vulnseverity is not null and hostname is not null group by hostname, os, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, os, vulnseverity order by vuln_num desc, hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Details-by-Device-User |
Vulnerability Details by Device User |
fct-netscan |
select hostname, ( & #039;<div>' || vulnname || '</div>') as vulnname, vulnseverity, vulncat, string_agg(distinct products, ',') as products, string_agg(distinct cve_id, ',') as cve_list, ('<a href=' || String_agg(DISTINCT vendor_link, ',') || '>Remediation Info</a>') as vendor_link from ###(select hostname, vulnname, vulnseverity, vulncat, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulncat, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity, vulncat order by hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Remediation-by-Device |
Remediate The Vulnerability Found on Device |
fct-netscan |
select hostname, ( & #039;<div>' || vulnname || '</div>') as vulnname, vulnseverity, string_agg(distinct vendor_link, ',') as vendor_link from ###(select hostname, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and hostname is not null group by hostname, vulnname, vulnseverity, vulnid)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, vulnname, vulnseverity order by vulnseverity, hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Remediation-by-Vulnerability |
Remediation by Vulnerability |
fct-netscan |
select ( & #039;<b>' || vulnname || '</b><br/><br/>' || 'Description<br/><div style=word-break:normal>' || description || '</div><br/><br/>' || 'Affected Products<br/>' || products || '<br/><br/>' || 'Impact<br/>' || impact || '<br/><br/>' || 'Recommended Actions<br/>' || vendor_link || '<br/><br/><br/>') as remediation from ###(select devid, vulnname, vulnseverity, (case vulnseverity when 'low' then 1 when 'info' then 2 when 'medium' then 3 when 'high' then 4 when 'critical' then 5 else 0 end) as severity_level, vulnid from $log where $filter and vulnname is not null group by devid, vulnname, vulnseverity, severity_level, vulnid order by severity_level)### t1 inner join fct_mdata t2 on t1.vulnid=t2.vid::int group by remediation order by remediation
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Top-30-Targeted-High-Risk-Vulnerabilities |
Top 30 Targeted High Risk Vulnerabilities |
fct-netscan |
select t3.cve_id, score, string_agg( distinct products, & #039;,') as products, ('<a href=' || String_agg(vendor_link, ',') || '>Mitigation Infomation</a>') as vendor_link from ###(select vulnid from $log where $filter group by vulnid)### t1 inner join fct_mdata t2 on t2.vid=t1.vulnid::text inner join fct_cve_score t3 on strpos(t2.cve_id, t3.cve_id) > 0 group by t3.cve_id, score order by score desc, t3.cve_id
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Endpoints-by-FortiGate |
Endpoints by FortiGate |
fct-event |
select fgtserial, count(distinct fctuid) as totalnum from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### t where fgtserial is not null group by fgtserial order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top-Malware-Detections |
Top Infected Devices with Malware |
fct-traffic |
select hostname, fctuid, sum(totalnum) as totalnum from ( ( select hostname, fctuid, sum(totalnum) as totalnum from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by hostname, fctuid) union all (select hostname, fctuid, sum(totalnum) as totalnum from ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by hostname, fctuid)) t group by hostname, fctuid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Top10-Malware-Detections |
Top 10 Infected Devices with Malware |
fct-traffic |
select threat, hostname, hostuser, utmaction, fctuid, sum(totalnum) as totalnum from ( ( select threat, hostname, hostuser, utmaction, fctuid, sum(totalnum) as totalnum from ###(select threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-traffic where $filter and lower(utmevent) in ('antivirus', 'antimalware') group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by threat, hostname, hostuser, utmaction, fctuid) union all (select threat, hostname, hostuser, utmaction, fctuid, sum(totalnum) as totalnum from ###(select virus as threat, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, action as utmaction, max(dtime) as dtime, uid as fctuid, count(*) as totalnum from $log-fct-event where $filter and (logflag is null or logflag&8=0) and virus is not null group by threat, hostname, hostuser, utmaction, uid order by threat)### t group by threat, hostname, hostuser, utmaction, fctuid)) t where utmaction != 'pass' group by threat, hostname, hostuser, utmaction, fctuid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Devices-with-Botnet |
Infected Devices with Botnet |
fct-traffic |
select threat, hostname, coalesce( nullifna(`user`), & #039;Unknown') as hostuser, utmaction, uid as fctuid, count(*) as totalnum from $log where $filter and hostname is not null and lower(utmevent) in ('webfilter', 'appfirewall') and lower(threat) like '%botnet%' group by threat, hostname, hostuser, utmaction, fctuid order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-vuln-Vulnerability-by-Hostname |
Vulnerability Details for Each Risk Level by Device |
fct-netscan |
select hostname, os, vulnseverity, count(distinct vulnname) as vuln_num, count(distinct products) as products, count(distinct cve_id) as cve_count from ###(select hostname, os, vulnname, vulnseverity, vulnid from $log where $filter and vulnname is not null and vulnseverity is not null and hostname is not null group by hostname, os, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname, os, vulnseverity order by vuln_num desc, hostname
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Users-With-Web-Violations |
Web Filter Violations |
fct-traffic |
select hostuser, hostname, string_agg( distinct remotename, & #039;,') as remotename, utmaction, sum(total) as totalnum, from_dtime(max(dtime)) as last_seen from ###(select remotename, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction, count(*) as total, max(dtime) as dtime from $log where $filter and lower(utmevent)='webfilter' and utmaction='blocked' group by remotename, hostname, hostuser, utmaction order by total desc)### t group by hostuser, hostname, utmaction order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Compliance-by-FortiGate |
FortiClinet Compliance by FortiGate Enforcing |
fct-event |
select fgtserial, count(distinct fctuid) as totalnum from ( select fgtserial, fctuid, max(compliance_flag) as compliance_flag from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### tt group by fgtserial, fctuid) t where compliance_flag = 1 group by fgtserial order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Compliance-Status |
Number of FortiClinets by Compliance Status |
fct-event |
select ( case compliance_flag when 1 then & #039;Compliant' else 'Non-Compliant' end) as compliance, count(distinct fctuid) as totalnum from (select fctuid, max(compliance_flag) as compliance_flag from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### tt group by fctuid) t group by compliance order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Non-Compliant-Endpoints |
Non-compliant Endpoints |
fct-event |
select t1.fgtserial, t3.srcintf, t2.epname as hostname, t2.mac, & #039;Non-Compliant' as status from (select fgtserial, fctuid, max(compliance_flag) as compliance_flag from ###(select uid as fctuid, regexp_replace(os, '\\(build.*', '') as os_short, fctver, subtype, fgtserial, max(case when msg like 'Compliance rules%applied' then 1 else 0 end) as compliance_flag from $log where $filter and subtype != 'admin' group by uid, os_short, fctver, subtype, fgtserial order by compliance_flag desc)### tt group by fgtserial, fctuid) t1 left join $ADOM_ENDPOINT t2 on t1.fctuid = t2.fctuid left join $ADOM_EPEU_DEVMAP t3 on t2.epid = t3.epid where compliance_flag = 0 group by t1.fctuid, t1.fgtserial, t3.srcintf, t2.epname, t2.mac
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Web-Hits |
Web Traffic Trend |
fct-traffic |
select $flex_timescale(timestamp) as hodex, sum(requests) as requests from ###(select $flex_timestamp as timestamp, count(*) as requests from $log where $filter and lower(utmevent)='webfilter' group by timestamp order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Allowed-Web-Cat |
Top Visited Web Categories |
fct-traffic |
select category, sum(requests) as requests from ###(select fct_webcat(threat) as category, remotename as website, direction, utmaction, count(*) as requests from $log where $filter and threat is not null and lower(utmevent)='webfilter' group by category, website, direction, utmaction order by requests desc)### t where direction='outbound' and utmaction='passthrough' group by category order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Allowed-Website |
Top Visited Websites |
fct-traffic |
select website, string_agg( distinct category, & #039;, ') as agg_category, sum(requests) as requests from ###(select fct_webcat(threat) as category, remotename as website, direction, utmaction, count(*) as requests from $log where $filter and threat is not null and lower(utmevent)='webfilter' group by category, website, direction, utmaction order by requests desc)### t where direction='outbound' and utmaction='passthrough' and website is not null group by website order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Category-By-Website-Session |
Top Web Categories by Website Session |
fct-traffic |
select category, website, sum(requests) as requests from ###(select fct_webcat(threat) as category, remotename as website, direction, utmaction, count(*) as requests from $log where $filter and threat is not null and lower(utmevent)='webfilter' group by category, website, direction, utmaction order by requests desc)### t where nullifna(category) is not null group by category, website order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
fct-Traffic-Top-Web-Users-By-Website |
Top Web Users by Website |
fct-traffic |
select coalesce( nullifna(`user`), ipstr(`srcip`) ) as user_src, remotename as website, count(*) as requests from $log where $filter and direction =& #039;outbound' and remotename is not null and utmaction='passthrough' and lower(utmevent)='webfilter' group by user_src, website order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
os-Detect-OS-Count |
Detected operation system count |
traffic |
select ( coalesce( osname, & #039;Unknown')) as os, count(*) as totalnum from $log where $filter and (logflag&1>0) group by os order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Sessions-Table |
Drilldown top applications by session count |
traffic |
select appid, app, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Sessions-Bar |
Drilldown top applications by session count |
traffic |
select appid, app, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Bandwidth-Table |
Drilldown top applications by bandwidth usage |
traffic |
select appid, app, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-App-By-Bandwidth-Bar |
Drilldown top applications by bandwidth usage |
traffic |
select appid, app, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and nullifna(app) is not null group by appid, app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Destination-By-Sessions-Table |
Drilldown top destination by session count |
traffic |
select dstip, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Destination-By-Bandwidth-Table |
Drilldown top destination by bandwidth usage |
traffic |
select dstip, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and dstip is not null group by dstip having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-User-By-Sessions-Table |
Drilldown top user by session count |
traffic |
select user_src, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-User-By-Sessions-Bar |
Drilldown top user by session count |
traffic |
select user_src, sum(sessions) as sessions from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-User-By-Bandwidth-Table |
Drilldown top user by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-User-By-Bandwidth-Bar |
Drilldown top user by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth from ###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) group by appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where $filter-drilldown and user_src is not null group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Web-User-By-Visit-Table |
Drilldown top web user by visit |
traffic |
select user_src, sum(requests) as visits from ( ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and user_src is not null group by user_src order by visits desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Web-User-By-Visit-Bar |
Drilldown top web user by visit |
traffic |
select user_src, sum(requests) as visits from ( ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and user_src is not null group by user_src order by visits desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Website-By-Request-Table |
Drilldown top website by request |
traffic |
select hostname, sum(requests) as visits from ( ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and hostname is not null group by hostname order by visits desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Website-By-Request-Bar |
Drilldown top website by request |
traffic |
select hostname, sum(requests) as visits from ( ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-traffic where $filter-exclude-var and (logflag&1>0) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is not null group by user_src, hostname order by requests desc)### union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and hostname is not null group by user_src, hostname order by requests desc)###) t where $filter-drilldown and hostname is not null group by hostname order by visits desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Sender-By-Volume |
Drilldown top email sender by volume |
traffic |
select sender, sum(bandwidth) as volume from ( ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by volume desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Send-Recipient-By-Volume |
Drilldown top email send recipient by volume |
traffic |
select recipient, sum(bandwidth) as volume from ( ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient having sum(bandwidth)>0 order by volume desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Sender-By-Count |
Drilldown top email sender by count |
traffic |
select sender, sum(requests) as requests from ( ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Send-Recipient-By-Count |
Drilldown top email send recipient by count |
traffic |
select recipient, sum(requests) as requests from ( ###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-var and (logflag&1>0) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-email-log', 'spamfilter') group by sender, recipient order by requests desc)### union all ###(select `from` as sender, `to` as recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`, `to` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Recipient-By-Volume |
Drilldown top email receiver by volume |
traffic |
select recipient, sum(bandwidth) as volume from ( ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient having sum(bandwidth)>0 order by volume desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Receive-Sender-By-Volume |
Drilldown top email receive sender by volume |
traffic |
select sender, sum(bandwidth) as volume from ( ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender having sum(bandwidth)>0 order by volume desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Recipient-By-Count |
Drilldown top email receiver by count |
traffic |
select recipient, sum(requests) as requests from ( ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and recipient is not null group by recipient order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Email-Receive-Sender-By-Count |
Drilldown top email receive sender by count |
traffic |
select sender, sum(requests) as requests from ( ###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and (logflag&1>0) and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recipient, sender order by requests desc)### union all ###(select `to` as recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`, `from` order by requests desc)###) t where $filter-drilldown and sender is not null group by sender order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Attack-Destination |
Drilldown top attack dest |
attack |
select victim, sum(totalnum) as totalnum from ###(select (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as totalnum from $log where $filter-exclude-var group by source, victim order by totalnum desc)### t where $filter-drilldown and victim is not null group by victim order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Attack-Source |
Drilldown top attack source |
attack |
select source, sum(totalnum) as totalnum from ###(select (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as totalnum from $log where $filter-exclude-var group by source, victim order by totalnum desc)### t where $filter-drilldown and source is not null group by source order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Attack-List |
Drilldown top attack list |
attack |
select from_itime(itime) as timestamp, attack, source, victim from ###(select itime, attack, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim from $log where $filter-exclude-var order by itime desc)### t where $filter-drilldown order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Top-Virus |
UTM top virus |
virus |
select virus, max(virusid_s) as virusid, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(totalnum) as totalnum from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
drilldown-Virus-Detail |
Drilldown virus detail |
virus |
select from_itime(itime) as timestamp, virus, user_src, victim, hostname, recipient from ###(select itime, virus, coalesce(nullifna(`user`), ipstr((CASE WHEN direction='incoming' THEN dstip ELSE srcip END))) as user_src, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, cast(' ' as char) as hostname, cast(' ' as char) as recipient from $log where $filter and nullifna(virus) is not null order by itime desc)### t where $filter-drilldown order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Blocked-Web-Sites-By-Requests |
User drilldown top blocked web sites by requests |
webfilter |
select hostname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, hostname, catdesc, action, count(*) as requests from $log where $filter group by usersrc, euid, hostname, catdesc, action order by requests desc)### t where $filter-drilldown and action='blocked' and hostname is not null group by hostname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Allowed-Web-Sites-By-Requests |
User drilldown top allowed web sites by requests |
webfilter |
select hostname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, hostname, catdesc, action, count(*) as requests from $log where $filter group by usersrc, euid, hostname, catdesc, action order by requests desc)### t where $filter-drilldown and action!='blocked' and hostname is not null group by hostname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Blocked-Web-Categories |
User drilldown top blocked web categories |
webfilter |
select catdesc, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as requests from $log where $filter and catdesc is not null group by user_src, catdesc, action order by requests desc)### t where $filter-drilldown and action='blocked' group by catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Allowed-Web-Categories |
User drilldown top allowed web categories |
webfilter |
select catdesc, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as requests from $log where $filter and catdesc is not null group by user_src, catdesc, action order by requests desc)### t where $filter-drilldown and action!='blocked' group by catdesc order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Attacks |
User drilldown top attacks by name |
attack |
select attack, sum(attack_count) as attack_count from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack, high_severity order by attack_count desc)### t where $filter-drilldown group by attack order by attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Attacks-High-Severity |
User drilldown top attacks high severity |
attack |
select attack, sum(attack_count) as attack_count from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack, high_severity order by attack_count desc)### t where $filter-drilldown and high_severity=1 group by attack order by attack_count desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Virus-By-Name |
User drilldown top virus |
virus |
select virus, max(virusid_s) as virusid, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by user_src, virus, virusid_s order by totalnum desc)### t where $filter-drilldown group by virus order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Virus-Receivers-Over-Email |
User drilldown top virus receivers over email |
virus |
select receiver, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `to` as receiver, count(*) as totalnum from $log where $filter and subtype='infected' and (service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') or service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')) and nullifna(virus) is not null group by user_src, receiver order by totalnum desc)### t where $filter-drilldown group by receiver order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Count-Spam-Activity-by-Hour-of-Day |
User drilldown count spam activity by hour of day |
emailfilter |
select $hour_of_day(timestamp) as hourstamp, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as mf_sender, `to` as mf_receiver, action, eventtype, count(*) as totalnum from $log where $filter group by timestamp, user_src, mf_sender, mf_receiver, action, eventtype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and mf_receiver is not null and action in ('detected', 'blocked') group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
user-drilldown-Top-Spam-Sources |
User drilldown top spam sources |
emailfilter |
select mf_sender, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as mf_sender, `to` as mf_receiver, action, eventtype, count(*) as totalnum from $log where $filter group by timestamp, user_src, mf_sender, mf_receiver, action, eventtype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and mf_sender is not null and action in ('detected', 'blocked') group by mf_sender order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-Usage-CPU |
Event usage CPU |
event |
select $hour_of_day(timestamp) as hourstamp, cast( sum(total_cpu)/ sum(count) as decimal(6, 2) ) as cpu_avg_usage from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
event-Usage-Memory |
Event usage memory |
event |
select $hour_of_day(timestamp) as hourstamp, cast( sum(total_mem)/ sum(count) as decimal(6, 2) ) as mem_avg_usage from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
event-Usage-Sessions |
Event usage sessions |
event |
select $hour_of_day(timestamp) as hourstamp, cast( sum(totalsession)/ sum(count) as decimal(10, 2) ) as sess_avg_usage from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
event-Usage-CPU-Sessions |
Event usage CPU sessions |
event |
select $hour_of_day(timestamp) as hourstamp, cast( sum(totalsession)/ sum(count) as decimal(10, 2) ) as sess_avg_usage, cast( sum(total_cpu)/ sum(count) as decimal(6, 2) ) as cpu_avg_usage from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Users-By-Bandwidth |
Top users by bandwidth usage |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, srcip, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, sum( coalesce(rcvdbyte, 0) ) as traffic_in, sum( coalesce(sentbyte, 0) ) as traffic_out from $log where $filter and ( logflag&1>0 ) and srcip is not null group by user_src, srcip having sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) )> 0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-User-Source-By-Sessions |
Application risk top user source by session count |
traffic |
select srcip, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, count(*) as sessions from $log where $filter and ( logflag&1>0 ) and srcip is not null group by srcip, user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Users-By-Reputation-Scores-Bar |
Application risk reputation top users by scores |
traffic |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by user_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Devices-By-Reputation-Scores |
Application risk reputation top devices by scores |
traffic |
select max( get_devtype(srcswversion, osname, devtype) ) as devtype_new, coalesce( nullifna(`srcname`), nullifna(`srcmac`), ipstr(`srcip`) ) as dev_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by dev_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Application-Usage-By-Category-With-Pie |
Application Risk Application Usage by Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-App-Usage-by-Category |
Application Risk Application Usage by Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-20-Categories-By-Bandwidth |
Webfilter categories by bandwidth usage |
webfilter |
select catdesc, sum(bandwidth) as bandwidth from ###(select catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Key-Applications-Crossing-The-Network |
Application risk application activity |
traffic |
select app_group, appcat, sum(bandwidth) as bandwidth, sum(sessions) as num_session from ###(select app_group_name(app) as app_group, appcat, service, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by app_group, appcat, service order by bandwidth desc)### t group by app_group, appcat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Applications-Running-Over-HTTP |
Application risk applications running over HTTP |
traffic |
select app_group, service, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, appcat, service, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by app_group, appcat, service order by bandwidth desc)### t where service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by app_group, service having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Web-Sites-Visited-By-Network-Users-Pie-Cha |
Application risk web browsing summary category |
traffic |
select catdesc, sum(num_sess) as num_sess, sum(bandwidth) as bandwidth from ###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc order by num_sess desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Web-Sites-Visited-By-Network-Users |
Application risk web browsing summary category |
traffic |
select catdesc, sum(num_sess) as num_sess, sum(bandwidth) as bandwidth from ###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) and catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc order by num_sess desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Web-Browsing-Hostname-Category |
Application risk web browsing activity hostname category |
webfilter |
select catdesc, domain, sum(visits) as visits from ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*) as visits from $log where $filter and catdesc is not null group by domain, catdesc order by visits desc)### t group by catdesc, domain order by visits desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Destination-Countries-By-Browsing-Time |
Traffic top destination countries by browsing time |
traffic |
select dstcountry, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by dstcountry order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Traffic-Top-Hostnames-By-Browsing-Time |
Traffic top domains by browsing time |
traffic |
select hostname, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select hostname, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname) t group by hostname /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Threat-Vectors-Crossing-The-Network |
Application risk top threat vectors |
attack |
select severity, sum(totalnum) as totalnum from ###(select attack, severity, ref, count(*) as totalnum from $log where $filter and nullifna(attack) is not null group by attack, severity, ref order by totalnum desc)### t group by severity order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Critical-Threat-Vectors-Crossing-The-Network |
Application risk top critical threat vectors |
attack |
select attack, severity, ref, sum(totalnum) as totalnum from ###(select attack, severity, ref, count(*) as totalnum from $log where $filter and nullifna(attack) is not null group by attack, severity, ref order by totalnum desc)### t where severity='critical' group by attack, severity, ref order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-High-Threat-Vectors-Crossing-The-Network |
Application risk top high threat vectors |
attack |
select attack, severity, ref, sum(totalnum) as totalnum from ###(select attack, severity, ref, count(*) as totalnum from $log where $filter and nullifna(attack) is not null group by attack, severity, ref order by totalnum desc)### t where severity='high' group by attack, severity, ref order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Medium-Threat-Vectors-Crossing-The-Network |
Application risk top medium threat vectors |
attack |
select attack, severity, ref, sum(totalnum) as totalnum from ###(select attack, severity, ref, count(*) as totalnum from $log where $filter and nullifna(attack) is not null group by attack, severity, ref order by totalnum desc)### t where severity='medium' group by attack, severity, ref order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Low-Threat-Vectors-Crossing-The-Network |
Application risk top low threat vectors |
attack |
select attack, severity, ref, sum(totalnum) as totalnum from ###(select attack, severity, ref, count(*) as totalnum from $log where $filter and nullifna(attack) is not null group by attack, severity, ref order by totalnum desc)### t where severity='low' group by attack, severity, ref order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Info-Threat-Vectors-Crossing-The-Network |
Application risk top info threat vectors |
attack |
select attack, severity, ref, sum(totalnum) as totalnum from ###(select attack, severity, ref, count(*) as totalnum from $log where $filter and nullifna(attack) is not null group by attack, severity, ref order by totalnum desc)### t where severity='info' group by attack, severity, ref order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Virus-By-Name |
UTM top virus |
virus |
select virus, max(virusid_s) as virusid, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(totalnum) as totalnum from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Top-Virus-Victim |
UTM top virus user |
virus |
select user_src, sum(totalnum) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, eventtype, logver, virus, count(*) as totalnum from $log where $filter group by user_src, eventtype, logver, virus /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where nullifna(virus) is not null group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Data-Loss-Prevention-Type-Events |
Application risk DLP UTM event |
dlp |
select subtype : :text as utmsubtype, count(*) as number from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and subtype is not null group by subtype order by number desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Vulnerability-Discovered |
Application risk vulnerability discovered |
netscan |
select vuln, vulnref as ref, vulncat, severity, count(*) as totalnum from $log where $filter and vuln is not null group by vuln, vulnref, vulncat, severity order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Malware-Discovered |
Application risk virus discovered |
virus |
select dom, sum(totalnum) as totalnum from ###(select $DAY_OF_MONTH as dom, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by dom order by totalnum desc)### t group by dom order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Breakdown-Of-Risk-Applications |
Application risk breakdown of risk applications |
traffic |
select unnest( string_to_array( behavior, & #039;,')) as d_behavior, count(*) as number from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and (logflag&1>0) group by d_behavior order by number desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-Number-Of-Applications-By-Risk-Behavior |
Application risk number of applications by risk behavior |
traffic |
select risk as d_risk, unnest( string_to_array( behavior, & #039;,')) as f_behavior, count(*) as number from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and (logflag&1>0) group by risk, f_behavior order by risk desc, number desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Risk-High-Risk-Application |
Application risk high risk application |
traffic |
select risk as d_risk, behavior as d_behavior, t2.id, t2.name, t2.app_cat, t2.technology, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth, count(*) as sessions from $log t1 inner join app_mdata t2 on t1.appid = t2.id where $filter and ( logflag&1>0 ) and behavior is not null group by t2.id order by risk desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Breakdown-Of-High-Risk-Application |
Severe and high risk applications |
traffic |
select appcat, count(distinct app) as total_num from ###(select appid, app, appcat, apprisk, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t where $filter-drilldown and nullifna(appcat) is not null and apprisk in ('critical', 'high') group by appcat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-High-Risk-Application-Behavioral |
Application Behavioral Characteristics |
traffic |
select behavior, round( sum(total_num)* 100 / sum( sum(total_num) ) over (), 2 ) as percentage from ( ###(select timestamp, (case when lower(appcat)='botnet' then 'malicious' when lower(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('storage.backup', 'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p' then 'peer-to-peer' when lower(appcat)='proxy' then 'proxy' end) as behavior, sum(sessions) as total_num from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### t where lower(appcat) in ('botnet', 'remote.access', 'storage.backup', 'video/audio', 'p2p', 'proxy') and apprisk in ('critical', 'high') group by timestamp, behavior order by total_num desc)### union all ###(select $flex_timestamp as timestamp, 'malicious' as behavior, count(*) as total_num from $log-attack where $filter and (logflag&16>0) and severity in ('critical', 'high') group by timestamp, behavior order by total_num desc)###) t where $filter-drilldown group by behavior order by percentage desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Key-Application-Crossing-The-Network |
Key Application Crossing The Network |
traffic |
select risk as d_risk, count(distinct user_src) as users, id, name, app_cat, technology, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by app, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name group by id, app, app_cat, technology, risk order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Risk-Application-Usage-By-Category-With-Pie |
Application Risk Application Usage by Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Risk-Application-Usage-By-Category-Pie |
Application Risk Application Usage by Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
App-Usage-Timeline |
Application Category with Most Average Bandwidth Used |
traffic |
select $flex_timestamp(timestamp) as hodex, sum(bandwidth) as bandwidth from ###(select timestamp, app, appcat, user_src, hostname, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by timestamp, app, appcat, user_src, hostname /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Category-Breakdown-By-Bandwidth |
Category breakdown of all applications, sorted by bandwidth |
traffic |
select appcat, count(distinct app) as app_num, count(distinct user_src) as user_num, sum(bandwidth) as bandwidth, sum(sessions) as num_session from ###(select app, appcat, user_src, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where nullifna(appcat) is not null and appcat not in ('Not.Scanned', 'unscanned', 'unknown') group by app, appcat, user_src order by bandwidth desc)### t where $filter-drilldown group by appcat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Common-Virus-Botnet-Spyware |
Common virus disvocered, the botnet communictions and the spyware/adware |
traffic |
select virus_s as virus, ( case when lower(appcat)=& #039;botnet' then 'Botnet C&C' else (case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end) end) as malware_type, appid, app, count(distinct dstip) as victims, count(distinct srcip) as source, sum(total_num) as total_num from (###(select app as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, appid, dstip, srcip, app order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, appid, dstip, srcip, app order by total_num desc)### union all ###(select attack as virus_s, 'botnet' as appcat, 0 as appid, attack as app, dstip, srcip, count(*) as total_num from $log-attack where $filter and (logflag&16>0) group by virus_s, appcat, appid, dstip, srcip, app order by total_num desc)###) t group by virus, appid, app, malware_type order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Zero-Day-Detected-On-Network |
Zero-day malware detected on the network |
traffic |
select virus_s, appid, app, count(distinct dstip) as victims, count(distinct srcip) as source, sum(total_num) as total_num from ###(select unnest(string_to_array(virus, ',')) as virus_s, appid, app, dstip, srcip, count(*) as total_num from $log where $filter and (logflag&1>0) and virus like '%PossibleThreat.SB%' group by virus_s, dstip, srcip, appid, app order by total_num desc)### t where virus_s like '%PossibleThreat.SB%' group by virus_s, appid, app order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Files-Analyzed-By-FortiCloud-Sandbox |
Files analyzed by FortiCloud Sandbox |
virus |
select $DAY_OF_MONTH as dom, count(*) as total_num from $log where $filter and nullifna(filename) is not null and logid_to_int(logid)= 9233 group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-File-Transferred-By-Application |
File transferred by applications on the network |
app-ctrl |
select appid, app, filename, cloudaction, max(filesize) as filesize from $log where $filter and filesize is not null and clouduser is not null and filename is not null group by cloudaction, appid, app, filename order by filesize desc
Dataset Name |
Description |
Log Category |
---|---|---|
appctrl-Top-Blocked-SCCP-Callers |
Appctrl top blocked SCCP callers |
app-ctrl |
select caller, sum(totalnum) as totalnum from ###(select srcname as caller, app, count(*) as totalnum from $log where $filter and srcname is not null and lower(appcat)='voip' and action='block' group by caller, app order by totalnum desc)### t where app='sccp' group by caller order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
appctrl-Top-Blocked-SIP-Callers |
Appctrl top blocked SIP callers |
app-ctrl |
select caller, sum(totalnum) as totalnum from ###(select srcname as caller, app, count(*) as totalnum from $log where $filter and srcname is not null and lower(appcat)='voip' and action='block' group by caller, app order by totalnum desc)### t where app='sip' group by caller order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-degree-security-Application-Visiblity-and-Control-Summary |
Application Visibolity and Control Summary |
app-ctrl |
select appcat, count(distinct app) as total_num from ###(select appcat, app from $log where $filter and app is not null and appcat is not null group by appcat, app)### t group by appcat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-degree-security-Threats-Detection-and-Prevention-Summary |
Threat Prevention |
app-ctrl |
select threat_name, count(distinct threats) as total_num from ( ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, app as threats, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by app order by total_num desc)### union all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, virus as threats, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by virus order by total_num desc)### union all ###(select cast('Malicious & Phishing Sites' as char(32)) as threat_name, hostname as threats, count(*) as total_num from $log-webfilter where $filter and cat in (26, 61) group by hostname order by total_num desc)### union all ###(select cast('Critical & High Intrusion Attacks' as char(32)) as threat_name, attack as threats, count(*) as total_num from $log-attack where $filter and severity in ('critical', 'high') group by attack order by total_num desc)###) t group by threat_name order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-degree-security-Data-Exfiltration-Detection-and-Prevention-Summary |
Data Exfiltration Summary |
dlp |
select data_loss, count(*) as total_num from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and data_loss is not null group by data_loss order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-degree-security-Endpoint-Protection-Summary |
Endpoint Protection |
fct-traffic |
select blocked_event, count(*) as total_num from ( select ( case utmevent when & #039;antivirus' then 'Malware Deteced and Blocked' when 'appfirewall' then 'Risk Application Blocked' when 'webfilter' then (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'Web Sites Violation Blocked' else 'Non User Initiated Web Visits' end) else NULL end) as blocked_event from $log where $filter and utmaction in ('blocked', 'quarantined')) t where blocked_event is not null group by blocked_event order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top20-High-Risk-Application-In-Use |
High risk application in use |
traffic |
select d_risk, count(distinct f_user) as users, name, app_cat, technology, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select risk as d_risk, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and risk>='4' and (logflag&1>0) group by f_user, t2.name, t2.app_cat, t2.technology, risk)### t group by d_risk, name, app_cat, technology order by d_risk desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-High-Risk-Application-By-Category |
High risk application by category |
traffic |
select app_cat, count(distinct app) as total_num from ###(select app_cat, app from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and risk>='4' and (logflag&1>0) group by app_cat, app)### t group by app_cat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top10-Application-Categories-By-Bandwidth |
Application Risk Application Usage by Category |
traffic |
select appcat, app, sum(bandwidth) as bandwidth from ###(select app, appcat, user_src, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by app, appcat, user_src /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat, app order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Security-Category-Breakdown-By-Bandwidth |
Category breakdown of all applications, sorted by bandwidth |
traffic |
select appcat, count(distinct app) as app_num, count(distinct user_src) as user_num, sum(bandwidth) as bandwidth, sum(sessions) as num_session from ###(select app, appcat, user_src, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where nullifna(appcat) is not null and appcat not in ('Not.Scanned', 'unscanned', 'unknown') group by app, appcat, user_src order by bandwidth desc)### t where $filter-drilldown group by appcat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top25-Web-Applications-By-Bandwidth |
Top Web Applications by Bandwidth |
traffic |
select risk as d_risk, t2.name, t2.app_cat, t2.technology, count(distinct f_user) as users, sum(bandwidth) as bandwidth, sum(num_session) as sessions from ###(select appid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by appid, f_user order by bandwidth desc)### t1 inner join app_mdata t2 on t1.appid=t2.id group by d_risk, t2.name, t2.app_cat, t2.technology order by d_risk desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Security-Top25-Web-Categories-Visited |
Top 25 Web Categories Visited |
traffic |
select catdesc, count(distinct f_user) as user_num, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top25-Malware-Virus-Botnet-Spyware |
Malware: viruses, Bots, Spyware/Adware |
traffic |
select virus_s as virus, ( case when lower(appcat)=& #039;botnet' then 'Botnet C&C' else (case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end) end) as malware_type, count(distinct dstip) as victims, count(distinct srcip) as source, sum(total_num) as total_num from (###(select app as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, dstip, srcip order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, dstip, srcip order by total_num desc)### union all ###(select attack as virus_s, 'null' as appcat, dstip, srcip, count(*) as total_num from $log-attack where $filter and (logflag&16>0) group by virus_s, appcat, dstip, srcip order by total_num desc)###) t group by virus, malware_type order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top10-Malware-Virus-Spyware |
Malware: viruses, Spyware/Adware |
virus |
select virus, max(virusid_s) as virusid, malware_type, count(distinct victim) as victims, count(distinct source) as source, sum(total_num) as total_num from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, (case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, count(*) as total_num from $log where $filter and nullifna(virus) is not null group by virus, virusid_s, source, victim order by total_num desc)### t group by virus, malware_type order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top10-Malware-Botnet |
Malware: Botnet |
appctrl |
select app, appid, malware_type, count(distinct victim) as victims, count(distinct source) as source, sum(total_num) as total_num from ( ###(select app, appid, cast('Botnet C&C' as char(32)) as malware_type,(CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' and nullifna(app) is not null group by app, appid, malware_type, source, victim order by total_num desc)### union all ###(select attack, 0 as appid, cast('Botnet C&C' as char(32)) as malware_type, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-attack where $filter and (logflag&16>0) group by attack, appid, malware_type, source, victim order by total_num desc)###) t group by app, appid, malware_type order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top10-Victims-of-Malware |
Victims of Malware |
virus |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, virus as malware, count(*) as total_num from $log where $filter and virus is not null group by user_src, malware order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top10-Victims-of-Phishing-Site |
Victims of Phishing Site |
webfilter |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, url as phishing_site, count(*) as total_num from $log where $filter and cat in (26, 61) group by user_src, phishing_site order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top25-Malicious-Phishing-Sites |
Malicious Phishing Site |
webfilter |
select phishing_site, count(distinct dstip) as victims, count(distinct srcip) as source, sum(total) as total_num from ###(select url as phishing_site, dstip, srcip, count(*) as total from $log where $filter and cat in (26, 61) group by phishing_site, dstip, srcip order by total desc)### t group by phishing_site order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Application-Vulnerability |
Application vulnerabilities discovered |
attack |
select attack, attackid, vuln_type, cve, severity_number, count( distinct ( CASE WHEN direction =& #039;incoming' THEN srcip ELSE dstip END)) as victims, count(distinct (CASE WHEN direction='incoming' THEN dstip ELSE srcip END)) as sources, sum(totalnum) as totalnum from ###(select attack, attackid, (case when severity='critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, direction, dstip, srcip, count(*) as totalnum from $log where $filter and nullifna(attack) is not null and severity is not null group by attack, attackid, severity, direction, dstip, srcip order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Files-Analyzed-By-FortiCloud-Sandbox |
Files analyzed by FortiCloud Sandbox |
virus |
select $day_of_week as dow, count(*) as total_num from $log where $filter and nullifna(filename) is not null and logid_to_int(logid)= 9233 group by dow order by dow
Dataset Name |
Description |
Log Category |
---|---|---|
Security-Zero-Day-Detected-On-Network |
Zero-day malware detected on the network |
traffic |
select virus_s, app, count(distinct dstip) as victims, count(distinct srcip) as source, sum(total_num) as total_num from ###(select unnest(string_to_array(virus, ',')) as virus_s, app, dstip, srcip, count(*) as total_num from $log where $filter and (logflag&1>0) and virus like '%PossibleThreat.SB%' group by virus_s, dstip, srcip, app)### t group by virus_s, app order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Data-Loss-Incidents-By-Severity |
Data loss incidents summary by severity |
dlp |
select initcap(severity : :text) as s_severity, count(*) as total_num from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and severity is not null group by s_severity order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Data-Loss-Files-By-Service |
Data Lass Files By Service |
dlp |
select filename, ( case direction when & #039;incoming' then 'Download' when 'outgoing' then 'Upload' end) as action, max(filesize) as filesize, service from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and filesize is not null group by filename, direction, service order by filesize desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Endpoint-Security-Events-Summary |
Endpoint Security Events summary |
fct-traffic |
select ( case utmevent when & #039;antivirus' then 'Malware incidents' when 'webfilter' then 'Malicious/phishing websites' when 'appfirewall' then 'Risk applications' when 'dlp' then 'Data loss incidents' when 'netscan' then 'Vulnerability detected' else 'Others' end) as events, count(*) as total_num from $log where $filter and utmevent is not null group by events order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top-Endpoing-Running-High-Risk-Application |
Endpoints Running High Risk Application |
fct-traffic |
select coalesce( nullifna(`user`), ipstr(`srcip`), & #039;Unknown') as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, threat as app, t2.app_cat as appcat, risk as d_risk from $log t1 inner join app_mdata t2 on t1.threat=t2.name where $filter and utmevent='appfirewall' and risk>='4' group by f_user, host_name, t1.threat, t2.app_cat, t2.risk order by risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top-Endpoints-Infected-With-Malware |
Endpoints Infected With Malware |
fct-event |
select coalesce( nullifna(`user`), ipstr(`deviceip`), & #039;Unknown') as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, virus, file from $log where $filter and subtype='av' and virus is not null group by f_user, host_name, virus, file
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top-Endpoints-With-Web-Violateions |
Endpoints With Web Violations |
fct-traffic |
select f_user, host_name, remotename, sum(total_num) as total_num from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, remotename, count(*) as total_num from $log where $filter and utmevent='webfilter' and remotename is not null and utmaction='blocked' group by f_user, host_name, remotename order by total_num desc)### t group by f_user, host_name, remotename order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Top-Endpoints-With-Data-Loss-Incidents |
Endpoints With Data Loss Incidents |
fct-event |
select f_user, host_name, msg, sum(total_num) as total_num from ###(select coalesce(nullifna(`user`), ipstr(`deviceip`), 'Unknown') as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, msg, count(*) as total_num from $log where $filter and subtype='dlp' group by f_user, host_name, msg order by total_num desc)### t group by f_user, host_name, msg order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
content-Count-Total-SCCP-Call-Registrations-by-Hour-of-Day |
Content count total SCCP call registrations by hour of day |
content |
select hourstamp, count(totalnum) as totalnum from ###(select $hour_of_day as hourstamp, proto, kind, status, sum(duration) as sccp_usage, count(*) as totalnum from $log-content where $filter group by hourstamp, proto, kind, status order by totalnum desc)### t where proto='sccp' and kind='register' group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
content-Count-Total-SCCP-Calls-Duration-by-Hour-of-Day |
Content count total SCCP calls duration by hour of day |
content |
select hourstamp, sum(sccp_usage) as sccp_usage from ###(select $hour_of_day as hourstamp, proto, kind, status, sum(duration) as sccp_usage, count(*) as totalnum from $log-content where $filter group by hourstamp, proto, kind, status order by totalnum desc)### t where proto='sccp' and kind='call-info' and status='end' group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
content-Count-Total-SCCP-Calls-per-Status |
Content count total SCCP calls per status |
content |
select status, count(totalnum) as totalnum from ###(select $hour_of_day as hourstamp, proto, kind, status, sum(duration) as sccp_usage, count(*) as totalnum from $log-content where $filter group by hourstamp, proto, kind, status order by totalnum desc)### t where proto='sccp' and kind='call-info' group by status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
content-Count-Total-SIP-Call-Registrations-by-Hour-of-Day |
Content count total SIP call registrations by hour of day |
content |
select hourstamp, count(totalnum) as totalnum from ###(select $hour_of_day as hourstamp, proto, kind, status, sum(duration) as sccp_usage, count(*) as totalnum from $log-content where $filter group by hourstamp, proto, kind, status order by totalnum desc)### t where proto='sip' and kind='register' group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
content-Count-Total-SIP-Calls-per-Status |
Content count total SIP calls per status |
content |
select status, count(totalnum) as totalnum from ###(select $hour_of_day as hourstamp, proto, kind, status, sum(duration) as sccp_usage, count(*) as totalnum from $log-content where $filter group by hourstamp, proto, kind, status order by totalnum desc)### t where proto='sip' and kind='call' group by status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
content-Dist-Total-SIP-Calls-by-Duration |
Content dist total SIP calls by duration |
content |
select ( case when duration<60 then & #039;LESS_ONE_MIN' when duration < 600 then 'LESS_TEN_MIN' when duration < 3600 then 'LESS_ONE_HOUR' when duration >= 3600 then 'MORE_ONE_HOUR' else 'unknown' end) as f_duration, count(*) as totalnum from $log where $filter and proto='sip' and kind='call' and status='end' group by f_duration order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Botnet-Activity-By-Sources |
Botnet activity by sources |
traffic |
select app, user_src, sum(events) as events from ( ( select app, user_src, sum(totalnum) as events from ###(select app, appcat, apprisk, srcip, dstip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log-traffic where $filter and (logflag&1>0) and appcat='Botnet' and nullifna(app) is not null group by app, appcat, apprisk, srcip, dstip, user_src order by totalnum desc)### t group by app, user_src order by events desc) union all (select attack, user_src, sum(totalnum) as events from ###(select attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, $flex_timestamp as timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip, count(*) as totalnum from $log-attack where $filter and (logflag&16>0) group by attack, user_src, timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip order by timestamp desc)### t group by attack, user_src order by events desc)) t group by app, user_src order by events desc
Dataset Name |
Description |
Log Category |
---|---|---|
Botnet-Infected-Hosts |
Botnet infected hosts |
traffic |
select user_src, devtype_new, host_mac, sum(events) as events from ( ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, get_devtype(srcswversion, osname, devtype) as devtype_new, coalesce(srcname, srcmac) as host_mac, count(*) as events from $log-traffic where $filter and (logflag&1>0) and appcat='Botnet' group by user_src, devtype_new, host_mac order by events desc)### union all ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, 'Unknown' as devtype_new, hostname as host_mac, count(*) as events from $log-attack where $filter and (logflag&16>0) group by user_src, devtype_new, host_mac order by events desc)###) t group by user_src, devtype_new, host_mac order by events desc
Dataset Name |
Description |
Log Category |
---|---|---|
Detected-Botnet |
Detected botnet |
traffic |
select app, sum(events) as events from ( ( select app, sum(totalnum) as events from ###(select app, appcat, apprisk, srcip, dstip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log-traffic where $filter and (logflag&1>0) and appcat='Botnet' and nullifna(app) is not null group by app, appcat, apprisk, srcip, dstip, user_src order by totalnum desc)### t group by app order by events desc) union all (select attack, sum(totalnum) as events from ###(select attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, $flex_timestamp as timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip, count(*) as totalnum from $log-attack where $filter and (logflag&16>0) group by attack, user_src, timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip order by timestamp desc)### t group by attack order by events desc)) t group by app order by events desc
Dataset Name |
Description |
Log Category |
---|---|---|
Botnet-Sources |
Botnet sources |
traffic |
select dstip, domain, sum(events) as events from ( ( select dstip, domain, sum(events) as events from ###(select dstip, root_domain(hostname) as domain, count(*) as events from $log-traffic where $filter and (logflag&1>0) and appcat='Botnet' and dstip is not null group by dstip, domain order by events desc)### t group by dstip, domain) union all (select dstip, root_domain(hostname) as domain, sum(totalnum) as events from ###(select attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, $flex_timestamp as timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip, count(*) as totalnum from $log-attack where $filter and (logflag&16>0) group by attack, user_src, timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip order by timestamp desc)### t group by dstip, domain)) t group by dstip, domain order by events desc
Dataset Name |
Description |
Log Category |
---|---|---|
Botnet-Victims |
Botnet victims |
traffic |
select user_src, sum(events) as events from ( ( select user_src, sum(totalnum) as events from ###(select app, appcat, apprisk, srcip, dstip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log-traffic where $filter and (logflag&1>0) and appcat='Botnet' and nullifna(app) is not null group by app, appcat, apprisk, srcip, dstip, user_src order by totalnum desc)### t group by user_src) union all (select user_src, sum(totalnum) as events from ###(select attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, $flex_timestamp as timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip, count(*) as totalnum from $log-attack where $filter and (logflag&16>0) group by attack, user_src, timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip order by timestamp desc)### t group by user_src)) t group by user_src order by events desc
Dataset Name |
Description |
Log Category |
---|---|---|
Botnet-Timeline |
Botnet timeline |
traffic |
select $flex_datetime(timestamp) as hodex, sum(events) as events from ( ###(select $flex_timestamp as timestamp, count(*) as events from $log-traffic where $filter and (logflag&1>0) and appcat='Botnet' group by timestamp order by timestamp desc)### union all ###(select $flex_timestamp as timestamp, count(*) as events from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp order by timestamp)### union all ###(select $flex_timestamp as timestamp, count(*) as events from $log-attack where $filter and (logflag&16>0) group by timestamp order by timestamp)###) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Application-Session-History |
Application session history |
traffic |
select $flex_timescale(timestamp) as hodex, sum(counter) as counter from ###(select $flex_timestamp as timestamp, count(*) as counter from $log where $filter and (logflag&1>0) group by timestamp order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Application-Usage-List |
Detailed application usage |
traffic |
select appid, app, appcat, ( case when ( utmaction in ( & #039;block', 'blocked') or action='deny') then 'Blocked' else 'Allowed' end) as custaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth,count(*) as num_session from $log where $filter and (logflag&1>0) and nullifna(app) is not null and policyid != 0 group by appid,app, appcat,custaction order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Compliance-Summary |
PCI DSS Compliance Summary |
event |
select status, num_reason as requirements, cast( num_reason * 100.0 /( sum(num_reason) over() ) as decimal(18, 2) ) as percent from ( select ( case when fail_count>0 then & #039;Non-Compliant' else 'Compliant' end) as status, count(distinct reason) as num_reason from (select ftnt_pci_id, (sum(fail_count) over (partition by ftnt_pci_id)) as fail_count, reason from ###(select ftnt_pci_id, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, result, reason)### t) t group by status) t order by status
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Non-Compliant-Requirements-By-Severity |
PCI DSS Non-Compliant Requirements by Severity |
event |
with query as ( select * from ( select ftnt_pci_id, severity, ( sum(fail_count) over (partition by ftnt_pci_id) ) as fail_count, reason from ###(select ftnt_pci_id, t2.severity, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, t2.severity, result, reason order by fail_count desc)### t) t where fail_count>0) select t.severity, count(distinct t.reason) as requirements from (select distinct on (1) reason, severity from query order by reason, (case lower(severity) when 'high' then 4 when 'critical' then 3 when 'medium' then 2 when 'low' then 1 else 0 end) desc) t group by t.severity order by requirements desc
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Compliant-Requirements-By-Severity |
PCI DSS Compliant Requirements by Severity |
event |
with query as ( select * from ( select ftnt_pci_id, severity, ( sum(fail_count) over (partition by ftnt_pci_id) ) as fail_count, reason from ###(select ftnt_pci_id, t2.severity, (case when result='fail' then 1 else 0 end) as fail_count, reason from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, t2.severity, result, reason order by fail_count desc)### t) t where fail_count=0) select t.severity, count(distinct t.reason) as requirements from (select distinct on (1) reason, severity from query order by reason, (case lower(severity) when 'high' then 4 when 'critical' then 3 when 'medium' then 2 when 'low' then 1 else 0 end) desc) t group by t.severity order by requirements desc
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Fortinet-Security-Best-Practice-Summary |
PCI DSS Fortinet Security Best Practice Summary |
event |
select status, num_reason as practices, cast( num_reason * 100.0 /( sum(num_reason) over() ) as decimal(18, 2) ) as percent from ( select ( case when result =& #039;fail' then 'Failed' else 'Passed' end) as status, count(distinct reason) as num_reason from ###(select result, reason from $log where $filter and subtype='compliance-check' and result in ('fail','pass') group by result, reason)### t group by status) t order by status desc
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Failed-Fortinet-Security-Best-Practices-By-Severity |
PCI DSS Failed Fortinet Security Best Practices by Severity |
event |
select status, num_reason as practices, cast( num_reason * 100.0 /( sum(num_reason) over() ) as decimal(18, 2) ) as percent from ( select initcap(status) as status, count(distinct reason) as num_reason from ###(select status, reason, result from $log where $filter and subtype='compliance-check' group by status, reason, result)### t where result='fail' group by status) t order by status
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Passed-Fortinet-Security-Best-Practices-By-Severity |
PCI DSS Passed Fortinet Security Best Practices by Severity |
event |
select status, num_reason as practices, cast( num_reason * 100.0 /( sum(num_reason) over() ) as decimal(18, 2) ) as percent from ( select initcap(status) as status, count(distinct reason) as num_reason from ###(select status, reason, result from $log where $filter and subtype='compliance-check' group by status, reason, result)### t where result='pass' group by status) t order by status
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Requirements-Compliance-Details |
PCI DSS Requirements Compliance Details |
event |
select ftnt_pci_id, left( string_agg( distinct ftnt_id, & #039;,'), 120) as practice, (case when sum(fail_count)>0 then 'Non-Compliant' else 'Compliant' end) as compliance, pci_requirement from ###(select ftnt_pci_id, ftnt_id, (case when result='fail' then 1 else 0 end) as fail_count, pci_requirement from $log t1 inner join pci_dss_mdata t2 on t1.reason=t2.ftnt_id where $filter and subtype='compliance-check' group by ftnt_pci_id, ftnt_id, result, pci_requirement)### t group by ftnt_pci_id, pci_requirement order by ftnt_pci_id
Dataset Name |
Description |
Log Category |
---|---|---|
PCI-DSS-Fortinet-Security-Best-Practice-Details |
PCI DSS Fortinet Security Best Practice Details |
event |
select reason as ftnt_id, msg, initcap(status) as status, module from $log where $filter and subtype =& #039;compliance-check' group by reason, status, module, msg order by ftnt_id
Dataset Name |
Description |
Log Category |
---|---|---|
DLP-Email-Activity-Details |
Email DLP Violations Summary |
dlp |
select from_itime(itime) as timestamp, sender, receiver, regexp_replace( filename, & #039;.*/', '') as filename, filesize, profile, action, direction from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and (service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') or service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')) order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
Email-DLP-Chart |
Email DLP Activity Summary |
dlp |
select profile, count(*) as total_num from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and (service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') or service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')) group by profile order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
DLP-Web-Activity-Details |
Web DLP Violations Summary |
dlp |
select from_itime(itime) as timestamp, srcip, dstip, hostname, profile, filename, filesize, action, direction from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and lower(service) in ('http', 'https') order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
Web-DLP-Chart |
Web DLP Activity Summary |
dlp |
select profile, count(*) as total_num from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and lower(service) in ('http', 'https') group by profile order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
DLP-FTP-Activity-Details |
Web DLP Violations Summary |
dlp |
select from_itime(itime) as timestamp, srcip, dstip, filename, profile, filesize, action, direction from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and lower(service) in ('ftp', 'ftps') order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
FTP-DLP-Chart |
FTP DLP Activity Summary |
dlp |
select profile, count(*) as total_num from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and lower(service) in ('ftp', 'ftps') group by profile order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
top-users-by-browsetime |
Top Users by website browsetime |
traffic |
select user_src, domain, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ###(select user_src, domain, ebtr_agg_flat(browsetime) as browsetime from (select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and $browse_time is not null group by user_src, domain) t group by user_src, domain order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc)### t group by user_src, domain order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-usage-by-hour-authenticated |
Wifi Usage by Hour - Authenticated |
event |
select hod, count(distinct stamac) as totalnum from ###(select $HOUR_OF_DAY as hod, stamac from $log where $filter and subtype='wireless' and action='client-authentication' group by hod, stamac)### t group by hod order by hod
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-usage-authenticated-timeline |
Wifi Usage Timeline - Authenticated |
event |
select $flex_timescale(timestamp) as hodex, count(distinct stamac) as totalnum from ###(select $flex_timestamp as timestamp, stamac from $log where $filter and subtype='wireless' and action='client-authentication' group by timestamp, stamac order by timestamp desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
app-top-user-by-bandwidth |
Top 10 Applications Bandwidth by User Drilldown |
traffic |
select app, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, sum( coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and nullifna(app) is not null group by app, user_src order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
app-top-user-by-session |
Top 10 Application Sessions by User Drilldown |
traffic |
select app, coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, count(*) as sessions from $log where $filter and ( logflag&1>0 ) and nullifna(app) is not null group by app, user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
traffic-Interface-Bandwidth-Usage |
Interface Bandwidth Usage |
traffic |
with qry as ( select dom as dom_s, devid as devid_s, vd as vd_s, srcintf, dstintf, total_sent, total_rcvd from ###(select $DAY_OF_MONTH as dom, devid, vd, srcintf, dstintf, sum(coalesce(sentbyte, 0)) as total_sent, sum(coalesce(rcvdbyte, 0)) as total_rcvd, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as total from $log where $filter and (logflag&1>0) and nullifna(srcintf) is not null and nullifna(dstintf) is not null group by dom, devid, vd, srcintf, dstintf having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by total desc)### t) select dom, unnest(array['download', 'upload']) as type, unnest(array[sum(download), sum(upload)]) as bandwidth from (select coalesce(t1.dom_s, t2.dom_s) as dom, coalesce(t1.devid_s, t2.devid_s) as devid, coalesce(t1.vd_s, t2.vd_s) as vd, coalesce(t1.srcintf, t2.dstintf) as intf, sum(coalesce(t1.total_sent, 0)+coalesce(t2.total_rcvd, 0)) as download, sum(coalesce(t2.total_sent, 0)+coalesce(t1.total_rcvd, 0)) as upload from qry t1 full join qry t2 on t1.dom_s=t2.dom_s and t1.srcintf=t2.dstintf group by dom, devid, vd, intf) t where $filter-drilldown group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
CTAP-Threat-Detected-Timeline |
Threat Detected Timeline |
app-ctrl |
select $flex_timestamp(timestamp) as hodex, type, sum(totalnum) as totalnum from ( ( select timestamp, & #039;IPS Attacks' as type, sum(total_num) as totalnum from ###(select $flex_timestamp as timestamp, attack, (case when (logflag&16>0) then 1 else 0 end) as botnet_flag, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by timestamp, attack, botnet_flag, source, victim, service order by total_num desc)### t group by timestamp, type order by totalnum desc) union all (select timestamp, 'Malware/Botnets' as type, count(distinct malware) as totalnum from ((select timestamp, app as malware from ###(select $flex_timestamp as timestamp, app, appcat, appid, apprisk, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and nullifna(app) is not null group by timestamp, app, appcat, appid, apprisk, source, victim order by total_num desc)### t where lower(appcat)='botnet') union all (select timestamp, virus as malware from ###(select $flex_timestamp as timestamp, virus, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by timestamp, virus, source, victim, service order by total_num desc)### t) union all (select timestamp, attack as malware from ###(select $flex_timestamp as timestamp, attack, (case when (logflag&16>0) then 1 else 0 end) as botnet_flag, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by timestamp, attack, botnet_flag, source, victim, service order by total_num desc)### t where botnet_flag>0)) t group by timestamp, type order by totalnum desc) union all (select timestamp, 'High-Risk Applications' as type, count(distinct app) as totalnum from ###(select $flex_timestamp as timestamp, app, appcat, appid, apprisk, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and nullifna(app) is not null group by timestamp, app, appcat, appid, apprisk, source, victim order by total_num desc)### t where apprisk in ('critical', 'high') group by timestamp, type order by totalnum desc) union all (select timestamp, 'Malicious Websites' as type, count(distinct hostname) as totalnum from ###(select $flex_timestamp as timestamp, hostname, count(*) as total_num from $log-webfilter where $filter and hostname is not null and catdesc='Malicious Websites' group by timestamp, hostname order by total_num desc)### t group by timestamp, type order by totalnum desc)) t group by hodex, type order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SB-Files-Needing-Inspection-vs-Others |
Files Needing Inspection vs Others |
virus |
select ( case when suffix in ( & #039;bat','cmd','exe','jar','msi','vbs','7z','zip','gzip','lzw','tar','rar','cab','doc','docx','xls','xlsx','ppt','pptx','pdf','swf','lnk','js') then 'Higher Risk File Types' else 'Excluded Files' end) as files, sum(total_num) as total_num from ###(select filename, file_name_ext(filename) as suffix, fsaverdict, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log where $filter and dtype='fortisandbox' and nullifna(filename) is not null group by filename, suffix, fsaverdict, source, victim, service order by total_num desc)### t group by files order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SB-Files-Needing-Inspection-vs-Others-Donut |
Files Needing Inspection vs Others |
virus |
select ( case when suffix in ( & #039;bat','cmd','exe','jar','msi','vbs','7z','zip','gzip','lzw','tar','rar','cab','doc','docx','xls','xlsx','ppt','pptx','pdf','swf','lnk','js') then 'Higher Risk File Types' else 'Excluded Files' end) as files, sum(total_num) as total_num from ###(select filename, file_name_ext(filename) as suffix, fsaverdict, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log where $filter and dtype='fortisandbox' and nullifna(filename) is not null group by filename, suffix, fsaverdict, source, victim, service order by total_num desc)### t group by files order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SB-Breakdown-of-File-Types |
Breakdown of File Types |
virus |
select ( case when suffix in ( & #039;exe','msi','upx','vbs','bat','cmd','dll','ps1','jar') then 'Executable Files' when suffix in ('pdf') then 'Adobe PDF' when suffix in ('swf') then 'Adobe Flash' when suffix in ('doc','docx','rtf','dotx','docm','dotm','dot') then 'Microsoft Word' when suffix in ('xls','xlsx','xltx','xlsm','xlsb','xlam','xlt') then 'Microsoft Excel' when suffix in ('ppsx','ppt','pptx','potx','sldx','pptm','ppsm','potm','ppam','sldm','pps','pot') then 'Microsoft PowerPoint' when suffix in ('msg') then 'Microsoft Outlook' when suffix in ('htm','js','url','lnk') then 'Web Files' when suffix in ('cab','tgz','z','7z','tar','lzh','kgb','rar','zip','gz','xz','bz2') then 'Archive Files' when suffix in ('apk') then 'Android Files' else 'Others' end) as filetype, sum(total_num) as total_num from ###(select filename, file_name_ext(filename) as suffix, fsaverdict, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log where $filter and dtype='fortisandbox' and nullifna(filename) is not null group by filename, suffix, fsaverdict, source, victim, service order by total_num desc)### t group by filetype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SB-Top-Sandbox-Malicious-Exes |
virus |
select ( case fsaverdict when & #039;malicious' then 5 when 'high risk' then 4 when 'medium risk' then 3 when 'low risk' then 2 else 1 end) as risk, filename, service, count(*) as total_num from ###(select filename, file_name_ext(filename) as suffix, fsaverdict, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log where $filter and dtype='fortisandbox' and nullifna(filename) is not null group by filename, suffix, fsaverdict, source, victim, service order by total_num desc)### t where suffix='exe' and fsaverdict not in ('clean','submission failed') group by filename, risk, service order by risk desc, total_num desc, filename
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SB-Sources-of-Sandbox-Discovered-Malware |
Sources of Sandbox Discovered Malware |
virus |
select source, sum(total_num) as total_num from ###(select filename, file_name_ext(filename) as suffix, fsaverdict, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log where $filter and dtype='fortisandbox' and nullifna(filename) is not null group by filename, suffix, fsaverdict, source, victim, service order by total_num desc)### t where fsaverdict not in ('clean','submission failed') group by source order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SB-Sources-of-Sandbox-Discovered-Malware-Bubble |
Sources of Sandbox Discovered Malware |
virus |
select source, sum(total_num) as total_num from ###(select filename, file_name_ext(filename) as suffix, fsaverdict, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log where $filter and dtype='fortisandbox' and nullifna(filename) is not null group by filename, suffix, fsaverdict, source, victim, service order by total_num desc)### t where fsaverdict not in ('clean','submission failed') group by source order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Total-Recommended-Actions-by-Count |
Total Recommended Actions Detected |
traffic |
select action, sum(totalnum) as totalnum from ( ( select & #039;Application Vulnerbility Atacks' as action, count(distinct attack) as totalnum from ###(select $flex_timestamp as timestamp, attack, (case when (logflag&16>0) then 1 else 0 end) as botnet_flag, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by timestamp, attack, botnet_flag, source, victim, service order by total_num desc)### t) union all (select 'Malware Detected' as action, count(distinct virus) as totalnum from ###(select $flex_timestamp as timestamp, virus, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by timestamp, virus, source, victim, service order by total_num desc)### t) union all (select 'Botnet Infections' as action, count(distinct app) as totalnum from ((select distinct app from ###(select app, appcat, apprisk, srcip, dstip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log-traffic where $filter and (logflag&1>0) and appcat='Botnet' and nullifna(app) is not null group by app, appcat, apprisk, srcip, dstip, user_src order by totalnum desc)### t where apprisk in ('critical', 'high') group by app) union all (select distinct attack as app from ###(select attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, $flex_timestamp as timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip, count(*) as totalnum from $log-attack where $filter and (logflag&16>0) group by attack, user_src, timestamp, hostname, severity, crlevel, eventtype, service, dstip, srcip order by timestamp desc)### t group by attack)) t) union all (select 'Malicious Website' as action, count(distinct hostname) as totalnum from ###(select $flex_timestamp as timestamp, hostname, count(*) as total_num from $log-webfilter where $filter and hostname is not null and catdesc='Malicious Websites' group by timestamp, hostname order by total_num desc)### t) union all (select 'Phishing Websites' as action, count(distinct hostname) as totalnum from ###(select hostname from $log-webfilter where $filter and hostname is not null and catdesc='Phishing' group by hostname)### t) union all (select 'Proxy Applications' as action, count(distinct app) as totalnum from ###(select $flex_timestamp as timestamp, app, appcat, appid, apprisk, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and nullifna(app) is not null group by timestamp, app, appcat, appid, apprisk, source, victim order by total_num desc)### t where lower(appcat)='proxy') union all (select 'Remote Access Applications' as action, count(distinct app) as totalnum from ###(select $flex_timestamp as timestamp, app, appcat, appid, apprisk, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and nullifna(app) is not null group by timestamp, app, appcat, appid, apprisk, source, victim order by total_num desc)### t where lower(appcat)='remote.access') union all (select 'P2P and Filesharing Applications' as action, count(distinct app) as totalnum from ###(select timestamp, app, appcat, user_src, hostname, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by timestamp, app, appcat, user_src, hostname /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing'))) t group by action
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-apprisk-ctrl-High-Risk-Application |
Application risk high risk application |
traffic |
select risk as d_risk, count(distinct user_src) as users, id, name, app_cat, technology, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by app, user_src, action, utmaction order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by id, name, app_cat, technology, risk order by d_risk desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-apprisk-ctrl-Application-Vulnerability |
Application vulnerabilities discovered |
attack |
select attack, attackid, vuln_type, cve, severity_number, count( distinct ( CASE WHEN direction =& #039;incoming' THEN srcip ELSE dstip END)) as victims, count(distinct (CASE WHEN direction='incoming' THEN dstip ELSE srcip END)) as sources, sum(totalnum) as totalnum from ###(select attack, attackid, (case when severity='critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, direction, dstip, srcip, count(*) as totalnum from $log where $filter and nullifna(attack) is not null and severity is not null group by attack, attackid, severity, direction, dstip, srcip order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-apprisk-ctrl-Top-Common-Virus-Botnet-Spyware |
Common Virus Botnet Spyware |
app-ctrl |
select malware as virus, ( case when lower(appcat)=& #039;botnet' then 'Botnet C&C' else (case when malware like 'Riskware%' then 'Spyware' when malware like 'Adware%' then 'Adware' else 'Virus' end) end) as malware_type, appid, app, count(distinct victim) as victims, count(distinct source) as source, sum(total_num) as total_num from ((select app as malware, appcat, appid, app, source, victim, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, app, appcat, appid, apprisk, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and nullifna(app) is not null group by timestamp, app, appcat, appid, apprisk, source, victim order by total_num desc)### t where lower(appcat)='botnet' group by malware, appcat, appid, app, victim, source, app order by total_num desc) union all (select virus as malware, 'null' as appcat, 0 as appid, service as app, source, victim, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, virus, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by timestamp, virus, source, victim, service order by total_num desc)### t group by malware, appcat, app, appid, victim, source order by total_num desc) union all (select attack as malware, 'null' as appcat, 0 as appid, service as app, source, victim, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, attack, (case when (logflag&16>0) then 1 else 0 end) as botnet_flag, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by timestamp, attack, botnet_flag, source, victim, service order by total_num desc)### t where botnet_flag>0 group by malware, appcat, app, appid, victim, source order by total_num desc)) t group by malware, malware_type, app, appid order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
CTAP-Malware-Botnet-Spyware-Timeline |
Common Virus Botnet Spyware |
app-ctrl |
select $flex_timestamp(timestamp) as hodex, ( case when lower(appcat)=& #039;botnet' then 'Botnet' else (case when malware like 'Riskware%' or malware like 'Adware%' then 'Spyware/Adware' else 'Malware' end) end) as malware_type, sum(total_num) as total_num from ((select timestamp, appcat, app as malware, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, app, appcat, appid, apprisk, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and nullifna(app) is not null group by timestamp, app, appcat, appid, apprisk, source, victim order by total_num desc)### t where lower(appcat)='botnet' group by timestamp, appcat, malware order by total_num desc) union all (select timestamp, 'null' as appcat, virus as malware, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, virus, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by timestamp, virus, source, victim, service order by total_num desc)### t group by timestamp, appcat, malware order by total_num desc) union all (select timestamp, 'null' as appcat, attack as malware, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, attack, (case when (logflag&16>0) then 1 else 0 end) as botnet_flag, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, service, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by timestamp, attack, botnet_flag, source, victim, service order by total_num desc)### t where botnet_flag>0 group by timestamp, appcat, malware order by total_num desc)) t group by hodex, malware_type order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-App-Risk-Reputation-Top-Devices-By-Scores |
Reputation Top Devices By-Scores |
traffic |
select coalesce( nullifna(`srcname`), ipstr(`srcip`), nullifna(`srcmac`) ) as dev_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by dev_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-App-Risk-Reputation-Top-Devices-By-Scores-Bubble |
Reputation Top Devices By-Scores |
traffic |
select coalesce( nullifna(`srcname`), ipstr(`srcip`), nullifna(`srcmac`) ) as dev_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by dev_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-HTTP-SSL-Traffic-Ratio |
HTTP SSL Traffic Ratio |
traffic |
select ( case when service in ( & #039;80/tcp', 'HTTP', 'http') then 'HTTP' else 'HTTPS' end) as service, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by service having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-HTTP-SSL-Traffic-Ratio-Donut |
HTTP SSL Traffic Ratio |
traffic |
select ( case when service in ( & #039;80/tcp', 'HTTP', 'http') then 'HTTP' else 'HTTPS' end) as service, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by service having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Source-Countries |
Top Source Countries |
traffic |
select srccountry, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and nullifna(srccountry) is not null and srccountry <> & #039;Reserved' group by srccountry having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc, srccountry
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Source-Countries-Bubble |
Top Source Countries |
traffic |
select srccountry, sum( coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0) ) as bandwidth from $log where $filter and ( logflag&1>0 ) and nullifna(srccountry) is not null and srccountry <> & #039;Reserved' group by srccountry having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc, srccountry
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SaaS-Apps |
CTAP SaaS Apps |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where behavior like '%Cloud%' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-SaaS-Apps-Donut |
CTAP SaaS Apps |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where behavior like '%Cloud%' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-IaaS-Apps |
CTAP IaaS Apps |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Cloud.IT' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-IaaS-Apps-Donut |
CTAP IaaS Apps |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Cloud.IT' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-RAS-Apps |
CTAP RAS Apps |
traffic |
select name as app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Remote.Access' group by name order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-RAS-Apps-Donut |
CTAP RAS Apps |
traffic |
select name as app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Remote.Access' group by name order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Proxy-Apps |
CTAP Proxy Apps |
traffic |
select name as app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Proxy' group by name order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Proxy-Apps-Donut |
CTAP Proxy Apps |
traffic |
select name as app_group, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Proxy' group by name order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-SocialMedia-App-By-Bandwidth |
Top SocialMedia Applications by Bandwidth Usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-SocialMedia-App-By-Bandwidth-Bubble |
Top SocialMedia Applications by Bandwidth Usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Streaming-App-By-Bandwidth |
Top Streaming applications by bandwidth usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Video/Audio' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Streaming-App-By-Bandwidth-Bubble |
Top Streaming applications by bandwidth usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Video/Audio' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Game-App-By-Bandwidth |
Top Game applications by bandwidth usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Game' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Game-App-By-Bandwidth-Bubble |
Top Game applications by bandwidth usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Game' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-P2P-App-By-Bandwidth |
Top P2P applications by bandwidth usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='P2P' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-P2P-App-By-Bandwidth-Bubble |
Top P2P applications by bandwidth usage |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select app_group_name(app) as app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null group by app_group having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='P2P' group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-apprisk-ctrl-Top-Web-Categories-Visited |
Top 25 Web Categories Visited |
traffic |
select catdesc, count(distinct f_user) as user_num, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
apprisk-ctrl-Top-Web-Categories-Visited-by-Bandwidth |
Top 25 Web Categories Visited |
traffic |
select catdesc, sum(bandwidth) as bandwidth from ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
apprisk-ctrl-Top-Web-Categories-Visited |
Top 25 Web Categories Visited |
traffic |
select catdesc, count(distinct f_user) as user_num, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-App-Risk-Applications-Running-Over-HTTP |
Application risk applications running over HTTP |
traffic |
select app_group, service, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select app_group_name(app) as app_group, appcat, service, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by app_group, appcat, service order by bandwidth desc)### t where service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by app_group, service having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-App-Risk-Web-Browsing-Activity-Hostname-Category |
Application risk web browsing activity hostname category |
webfilter |
select catdesc, domain, sum(visits) as visits from ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*) as visits from $log where $filter and catdesc is not null group by domain, catdesc order by visits desc)### t group by catdesc, domain order by visits desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Web-Domain-and-Category-by-Visits |
Application risk web browsing activity hostname category |
webfilter |
select catdesc, domain, sum(visits) as visits from ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*) as visits from $log where $filter and catdesc is not null group by domain, catdesc order by visits desc)### t group by catdesc, domain order by visits desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Sites-By-Browsing-Time |
Traffic top sites by browsing time |
traffic |
select hostname, string_agg( distinct catdesc, & #039;, ') as agg_catdesc, ebtr_value(ebtr_agg_flat(browsetime), null, $timespan) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by hostname order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Sites-and-Category-by-Browsing-Time |
Traffic Top Sites and Category by Browsing Time |
traffic |
select catdesc, hostname, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ###(select hostname, catdesc, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select hostname, catdesc, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and hostname is not null and $browse_time is not null group by hostname, catdesc) t group by hostname, catdesc /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t group by catdesc, hostname order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Average-Bandwidth-Hour |
Average Bandwidth Hour |
traffic |
select hourstamp, sum(bandwidth)/ count(distinct daystamp) as bandwidth from ###(select to_char(from_dtime(dtime), 'HH24:00') as hourstamp, to_char(from_dtime(dtime), 'DD Mon') as daystamp, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by hourstamp, daystamp having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by hourstamp)### t group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Bandwidth-Hosts |
Top Bandwidth Hosts |
traffic |
select hostname, sum(bandwidth) as bandwidth from ###(select timestamp, app, appcat, user_src, hostname, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by timestamp, app, appcat, user_src, hostname /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t where hostname is not null group by hostname order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
ctap-Top-Bandwidth-Hosts-Bubble |
Top Bandwidth Hosts |
traffic |
select hostname, sum(bandwidth) as bandwidth from ###(select timestamp, app, appcat, user_src, hostname, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by timestamp, app, appcat, user_src, hostname /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t where hostname is not null group by hostname order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Application-Discovered |
All Applications Discovered on the Network |
traffic |
select ( case is_saas when 1 then & #039;SaaS Apps' else 'Other Apps' end) as app_type, count(distinct app_s) as total_num from ###(select app_s, (case when saas_s>=10 then 1 else 0 end) as is_saas from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t group by app_s, is_saas order by is_saas desc)### t group by is_saas order by is_saas
Dataset Name |
Description |
Log Category |
---|---|---|
saas-SaaS-Application-by-Category |
Number of SaaS Applications by Category |
traffic |
select ( case saas_cat when 0 then & #039;Sanctioned' else 'Unsanctioned' end) as saas_cat_str, count(distinct app_s) as num_saas_app from ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 1) group by saas_cat order by saas_cat
Dataset Name |
Description |
Log Category |
---|---|---|
saas-SaaS-Application-by-Bandwidth |
Number of SaaS Applications by Bandwidth |
traffic |
select ( case saas_cat when 0 then & #039;Sanctioned' else 'Tolerated' end) as saas_cat_str, sum(bandwidth) as bandwidth from ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 2) group by saas_cat order by saas_cat
Dataset Name |
Description |
Log Category |
---|---|---|
saas-SaaS-Application-by-Session |
Number of SaaS Applications by Session |
traffic |
select ( case saas_cat when 0 then & #039;Sanctioned' else 'Tolerated' end) as saas_cat_str, sum(total_app) as total_app from ###(select app_s, saas_s%10 as saas_cat, sum(sentbyte+rcvdbyte) as bandwidth, count(*) as total_app from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat order by bandwidth desc)### t where saas_cat in (0, 2) group by saas_cat order by saas_cat
Dataset Name |
Description |
Log Category |
---|---|---|
saas-SaaS-App-Users-vs-Others |
Number of Users of SaaS Apps vs Others |
traffic |
select ( case is_saas when 0 then & #039;Other Apps' else 'SaaS Apps' end) as app_type, count(distinct saasuser) as total_user from ###(select saasuser, saas_s/10 as is_saas from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t group by saasuser, is_saas)### t group by app_type
Dataset Name |
Description |
Log Category |
---|---|---|
saas-SaaS-App-Users |
Number of Users of SaaS Apps |
traffic |
select ( case saas_cat when 0 then & #039;Sanctioned' when 1 then 'Unsanctioned' else 'Others' end) as app_type, count(distinct saasuser) as total_user from ###(select saasuser, saas_s%10 as saas_cat from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t where saas_s>=10 group by saasuser, saas_cat)### t group by saas_cat order by saas_cat
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-SaaS-User-by-Bandwidth-Session |
Top SaaS Users by Bandwidth and Session |
traffic |
select saasuser, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions, sum(session_block) as session_block, ( sum(sessions)- sum(session_block) ) as session_pass, count(distinct app_s) as total_app from ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by saasuser, app_s order by bandwidth desc)### t group by saasuser order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-Category-by-SaaS-Application-Usage |
Top Categories by SaaS Application Usage |
traffic |
select app_cat, ( case saas_cat when 0 then & #039;Sanctioned' else 'Unsactioned' end) as saas_cat_str, count(distinct app_s) as total_app from ###(select app_s, saas_s%10 as saas_cat from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat)### t1 inner join app_mdata t2 on t1.app_s=t2.name where saas_cat in (0, 1) group by app_cat, saas_cat order by total_app desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-SaaS-Category-by-Number-of-User |
Top SaaS Categories by Number of Users |
traffic |
select app_cat, ( case saas_cat when 0 then & #039;Sanctioned' else 'Unsactioned' end) as saas_cat_str, count(distinct saasuser) as total_user from ###(select app_s, saas_s%10 as saas_cat, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat, saasuser order by saas_cat desc)### t1 inner join app_mdata t2 on t1.app_s=t2.name where saas_cat in (0, 1) group by app_cat, saas_cat order by total_user desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-User-by-Number-of-SaaS-Application |
Top Users by Number of SaaS Applications |
traffic |
select saasuser, ( case saas_cat when 0 then & #039;Sanctioned' else 'Unsactioned' end) as saas_cat_str, count(distinct app_s) as total_app from ###(select app_s, saas_s%10 as saas_cat, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and apps is not null) t where saas_s>=10 group by app_s, saas_cat, saasuser order by saas_cat desc)### t where saas_cat in (0, 1) group by saasuser, saas_cat order by total_app desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-SaaS-Application-by-Bandwidth-Session |
Top SaaS Applications by Sessions and Bandwidth |
traffic |
select t2.id as app_id, app_s, app_cat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions, sum(session_block) as session_block, ( sum(sessions)- sum(session_block) ) as session_pass from ###(select app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_s)### t1 inner join app_mdata t2 on t1.app_s=t2.name group by app_id, app_s, app_cat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-Tolerated-SaaS-Application-by-Bandwidth |
Top Tolerated SaaS Applications by Bandwidth |
traffic |
select app_s, sum(sentbyte + rcvdbyte) as bandwidth from ( select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte from $log where $filter and apps is not null ) t where saas_s = 12 group by app_s order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-drilldown-Top-Tolerated-SaaS-Application |
Top Tolerated SaaS Applications |
traffic |
select app_s, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions, sum(session_block) as session_block, ( sum(sessions)- sum(session_block) ) as session_pass from ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s=12 group by saasuser, app_s order by bandwidth desc)### t where $filter-drilldown group by app_s order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-User-by-Tolerated-SaaS-Application-Drilldown |
Top Users by Tolerated SaaS Applications |
traffic |
select saasuser, count(distinct app_s) as total_app from ###(select saasuser, app_s, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s=12 group by saasuser, app_s order by bandwidth desc)### t group by saasuser order by total_app desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-drilldown-Top-File-Sharing-SaaS-Application-Detail |
Top File Sharing SaaS Applications Detail |
traffic |
select saasuser, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions, sum(session_block) as session_block, ( sum(sessions)- sum(session_block) ) as session_pass from ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t where $filter-drilldown group by saasuser order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-File-Sharing-SaaS-Application |
Top File Sharing Applications |
traffic |
select t2.id as appid, ( case t2.risk when & #039;5' then 'Critical' when '4' then 'High' when '3' then 'Medium' when '2' then 'Info' else 'Low' end) as risk, app_group, bandwidth, traffic_in, traffic_out, sessions, session_block, session_pass, total_user from (select app_group, count(distinct saasuser) as total_user, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions, sum(session_block) as session_block, (sum(sessions)-sum(session_block)) as session_pass from ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t group by app_group) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where t2.app_cat='Storage.Backup' order by total_user desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
saas-Top-File-Sharing-SaaS-Application-Drilldown |
Top File Sharing Applications |
traffic |
select t2.id as appid, ( case t2.risk when & #039;5' then 'Critical' when '4' then 'High' when '3' then 'Medium' when '2' then 'Info' else 'Low' end) as risk, app_group, bandwidth, traffic_in, traffic_out, sessions, session_block, session_pass, total_user from (select app_group, count(distinct saasuser) as total_user, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions, sum(session_block) as session_block, (sum(sessions)-sum(session_block)) as session_pass from ###(select app_group_name(app_s) as app_group, saasuser, sum(sentbyte+rcvdbyte) as bandwidth, sum(rcvdbyte) as traffic_in, sum(sentbyte) as traffic_out, count(*) as sessions, sum(is_blocked) as session_block from (select coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser, unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(sentbyte, 0) as sentbyte, coalesce(rcvdbyte, 0) as rcvdbyte, (CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END) as is_blocked from $log where $filter and apps is not null) t where saas_s>=10 group by app_group, saasuser order by bandwidth desc)### t group by app_group) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where t2.app_cat='Storage.Backup' order by total_user desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Device-By-Location |
Device by Location |
traffic |
select & #039;All'::text as country, count(distinct devid) as device_count from ###(select devid from $log where $filter group by devid)### t
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Network-Endpoint-Devices |
Endpoint Devices on Network |
select category, total_num from ( select & #039;Seen Devices' as category, 1 as idx, count(distinct epname) as total_num from (select epname, map_dev.devid, map_dev.vd, max(lastseen) as itime from $ADOM_ENDPOINT t inner join $ADOM_EPEU_DEVMAP map_dev on t.epid=map_dev.epid where $filter-drilldown and epname is not null group by epname, map_dev.devid, map_dev.vd) t where $filter and $filter-drilldown union all select 'New Devices' as category, 2 as idx, count(distinct epname) as total_num from (select epname, map_dev.devid, map_dev.vd, min(firstseen) as itime from $ADOM_ENDPOINT t inner join $ADOM_EPEU_DEVMAP map_dev on t.epid=map_dev.epid where epname is not null group by epname, map_dev.devid, map_dev.vd) t where $filter and $filter-drilldown union all select 'Unseen Devices' as category, 3 as idx, count(distinct t1.epname) as total_num from $ADOM_ENDPOINT t1 where not exists (select 1 from (select epname, map_dev.devid, map_dev.vd, max(lastseen) as itime from $ADOM_ENDPOINT t inner join $ADOM_EPEU_DEVMAP map_dev on t.epid=map_dev.epid where epname is not null group by epname, map_dev.devid, map_dev.vd) t2 where $filter and $filter-drilldown and t1.epname=t2.epname)) t order by idx
Dataset Name |
Description |
Log Category |
---|---|---|
aware-New-Endpoint-Devices |
New Endpoint Devices |
drop table if exists devmap_tmp; create temporary table devmap_tmp as ( select epid, max(euid) as max_euid from $ADOM_EPEU_DEVMAP where $filter - drilldown and euid >= 1024 group by epid ); select timestamp, epname as hostname, max(osname) as osname, max(devtype) as devtype, max(srcip) as srcip, string_agg( distinct epname, & #039;,') as user_agg from (select from_itime(itime) as timestamp, osname, epname, epdevtype as devtype, epip as srcip, epid from (select max(osname) as osname, max(epname) as epname, max(epdevtype) as epdevtype, max(epip) as epip, t.epid, map_dev.devid, map_dev.vd, min(firstseen) as itime from $ADOM_ENDPOINT t inner join $ADOM_EPEU_DEVMAP map_dev on t.epid=map_dev.epid where epname is not null group by epname, t.epid, map_dev.devid, map_dev.vd) t where $filter and $filter-drilldown) t1 inner join devmap_tmp on devmap_tmp.epid=t1.epid inner join $ADOM_ENDUSER as teu on devmap_tmp.max_euid=teu.euid group by timestamp, hostname order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-New-Endpoint-Devices-Trend |
New Endpoint Devices Trend |
select $flex_timescale(itime) as hodex, count(distinct epname) as total_num from ( select epname, map_dev.devid, map_dev.vd, min(firstseen) as itime from $ADOM_ENDPOINT t inner join $ADOM_EPEU_DEVMAP map_dev on t.epid = map_dev.epid where $filter - drilldown and epname is not null group by epname, map_dev.devid, map_dev.vd ) t where $filter and $filter - drilldown group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Endpoint-Operating-Systems |
Top Endpoint Operating Systems |
fct-traffic |
select os1 as os, count(distinct hostname) as total_num from ###(select split_part(os, ',', 1) as os1, hostname from $log where $filter and nullifna(os) is not null group by os1, hostname)### t group by os order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Endpoint-Applications-Windows |
Top Endpoint Applications Windows |
fct-traffic |
select srcname1 as srcname, count(distinct hostname) as total_num from ###(select split_part(srcname, '.', 1) as srcname1, hostname from $log where $filter and nullifna(srcname) is not null and lower(os) like '%windows%' group by srcname, hostname)### t group by srcname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Endpoint-Applications-Mac |
Top Endpoint Applications Mac |
fct-traffic |
select srcname1 as srcname, count(distinct hostname) as total_num from ###(select split_part(srcname, '.', 1) as srcname1, hostname from $log where $filter and nullifna(srcname) is not null and lower(os) like '%mac os%' group by srcname, hostname)### t group by srcname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-SaaS-Application-by-Number-of-Users |
Top SaaS Applications by Number of Users |
traffic |
select app_group, count(distinct saasuser) as total_user from ###(select app_group_name(app_s) as app_group, saasuser from (select unnest(apps) as app_s, unnest(saasinfo) as saas_s, coalesce(nullifna(`user`), nullifna(`clouduser`), nullifna(`unauthuser`), srcname, ipstr(`srcip`)) as saasuser from $log where $filter and (logflag&1>0) and apps is not null) t where saas_s>=10 group by app_group, saasuser)### t group by app_group order by total_user desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Summary-Of-Changes |
Summary of Changes |
event |
select regexp_replace( msg, & #039;[^ ]*$','') as msg_trim, count(*) as total_num from $log where $filter and logid_to_int(logid)=44547 group by msg_trim order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Change-Details |
Change Details |
event |
select $calendar_time as timestamp, `user`, ui, msg from $log where $filter and logid_to_int(logid)= 44547 order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Vulnerabilities-By-Severity |
Vulnerabilities by Security |
fct-netscan |
select vulnseverity, count(distinct vulnname) as vuln_num from ###(select vulnseverity, vulnname from $log where $filter and nullifna(vulnname) is not null and nullifna(vulnseverity) is not null group by vulnseverity, vulnname)### t group by vulnseverity order by vuln_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Vulnerabilities-Trend |
Vulnerabilities Trend |
fct-netscan |
select $flex_timescale(timestamp) as timescale, sum(critical) as critical, sum(high) as high, sum(medium) as medium, sum(low) as low from ###(select $flex_timestamp as timestamp, sum(case when lower(vulnseverity) = 'critical' then 1 else 0 end) as critical, sum(case when lower(vulnseverity) = 'high' then 1 else 0 end) as high, sum(case when lower(vulnseverity) = 'medium' then 1 else 0 end) as medium, sum(case when lower(vulnseverity) = 'notice' then 1 else 0 end) as Low from $log where $filter group by timestamp order by timestamp desc)### t group by timescale order by timescale
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Critical-Vulnerabilities |
Top Critical Vulnerabilities |
fct-netscan |
select vulnname, vulnseverity, vulncat, count(distinct hostname) as total_num from ###(select hostname, vulnname, vulnseverity, vulncat, count(*) as total_num from $log where $filter and nullifna(vulnname) is not null and vulnseverity='Critical' group by hostname, vulnname, vulnseverity, vulncat order by total_num desc)### t group by vulnname, vulnseverity, vulncat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Vulnerabilities-Last-Period |
Top Vulnerabilities Last Period |
fct-netscan |
select vulnname, vulnseverity, sev_num, vulncat, count(distinct hostname) as total_num from ###(select hostname, vulnname, vulnseverity, (CASE vulnseverity WHEN 'Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END) as sev_num, vulncat, count(*) as total_num from $log where $pre_period $filter and nullifna(vulnname) is not null group by hostname, vulnname, vulnseverity, vulncat order by sev_num desc, total_num desc)### t group by vulnname, vulnseverity, sev_num, vulncat order by sev_num desc, total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-New-Vulnerabilities |
Top New Vulnerabilities |
fct-netscan |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select vulnid, vulnname, vulnseverity, vulncat, hostname from ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $pre_period $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)### t group by vulnid, vulnname, vulnseverity, vulncat, hostname; create temporary table rpt_tmptbl_2 as select vulnid, vulnname, vulnseverity, vulncat, hostname from ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)### t group by vulnid, vulnname, vulnseverity, vulncat, hostname; select vulnname, (case when vulnseverity='Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as sev, vulnseverity, vulncat, count(distinct hostname) as host_num, cve_id from rpt_tmptbl_2 t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int where not exists (select 1 from rpt_tmptbl_1 where t1.vulnid=rpt_tmptbl_1.vulnid) group by vulnname, sev, vulnseverity, vulncat, cve_id order by sev desc, host_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-User-With-Critical-Vulnerabilities |
Top Users with Critical Vulnerabilities |
fct-netscan |
select hostname, `user` as user_src, vulnname, vulncat, count(*) as total_num from $log where $filter and nullifna(`user`) is not null and vulnseverity =& #039;Critical' group by hostname, user_src, vulnname, vulncat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Ingress-Data-Flow-By-Zone |
Ingress Data Flow By Zone |
traffic |
select app, tag, sum(rcvdbyte) as rcvdbyte from ###(select dvid, app, dstintf, sum(coalesce(rcvdbyte, 0)) as rcvdbyte from $log where $filter group by dvid, app, dstintf having sum(coalesce(rcvdbyte, 0)) > 0 order by rcvdbyte desc)### tt1 inner join (select dvid, intfname, unnest(tags) as tag from intfinfo) tt2 on tt1.dvid=tt2.dvid and tt1.dstintf=tt2.intfname group by app, tag order by rcvdbyte desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Egress-Data-Flow-By-Zone |
Egress Data Flow By Zone |
traffic |
select app, tag, sum(sentbyte) as sentbyte from ###(select dvid, app, srcintf, sum(coalesce(sentbyte, 0)) as sentbyte from $log where $filter group by dvid, app, srcintf having sum(coalesce(sentbyte, 0)) > 0 order by sentbyte desc)### tt1 inner join (select dvid, intfname, unnest(tags) as tag from intfinfo) tt2 on tt1.dvid=tt2.dvid and tt1.srcintf=tt2.intfname group by app, tag order by sentbyte desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Device-Attack-Targets |
Top Device Attack Targets |
fct-netscan |
select hostname, count(*) as total_num from $log where $filter and nullifna(hostname) is not null and nullifna(vulnname) is not null group by hostname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Attack-Targets |
Top Attack Targets |
fct-netscan |
select hostname, srcip, os, vuln_num, ( CASE sevid WHEN 5 THEN & #039;Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END) as vulnseverity, sevid as severity_num, left(cve_agg, 512) as cve_agg from (select hostname, max(srcip) as srcip, string_agg(distinct os1, '/') as os, count(distinct vulnname) as vuln_num, max((CASE vulnseverity WHEN 'Critical' THEN 5 WHEN 'High' THEN 4 WHEN 'Medium' THEN 3 WHEN 'Info' THEN 2 WHEN 'Low' THEN 1 ELSE 0 END)) as sevid, string_agg(distinct cve_id, ',') as cve_agg from ###(select hostname, max(deviceip) as srcip, split_part(os, ',', 1) as os1, vulnname, vulnseverity, vulnid from $log where $filter and nullifna(vulnname) is not null and nullifna(vulnseverity) is not null group by hostname, os1, vulnname, vulnseverity, vulnid)### t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int group by hostname) t order by severity_num desc, vuln_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Threats-By-Severity |
Threats by Severity |
attack |
select initcap(sev) as severity, sum(total_num) as total_num from ( ###(select crlevel::text as sev, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null and crlevel is not null group by sev order by total_num desc)### union all ###(select severity::text as sev, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by sev order by total_num desc)### union all ###(select apprisk::text as sev, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' and apprisk is not null group by sev order by total_num desc)###) t group by severity order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Threats-Type-By-Severity |
Threats Type by Severity |
virus |
select threat_type, sum(critical) as critical, sum(high) as high, sum(medium) as medium, sum(low) as low from ( ###(select (case when eventtype='botnet' then 'Botnets' else 'Malware' end) as threat_type, sum(case when crlevel = 'critical' then 1 else 0 end) as critical, sum(case when crlevel = 'high' then 1 else 0 end) as high, sum(case when crlevel = 'medium' then 1 else 0 end) as medium, sum(case when crlevel = 'low' then 1 else 0 end) as low from $log-virus where $filter and nullifna(virus) is not null group by threat_type)### union all ###(select 'Intrusions' as threat_type, sum(case when severity = 'critical' then 1 else 0 end) as critical, sum(case when severity = 'high' then 1 else 0 end) as high, sum(case when severity = 'medium' then 1 else 0 end) as medium, sum(case when severity = 'low' then 1 else 0 end) as low from $log-attack where $filter and nullifna(attack) is not null group by threat_type)### union all ###(select 'Botnets' as threat_type, sum(case when apprisk = 'critical' then 1 else 0 end) as critical, sum(case when apprisk = 'high' then 1 else 0 end) as high, sum(case when apprisk = 'medium' then 1 else 0 end) as medium, sum(case when apprisk = 'low' then 1 else 0 end) as low from $log-app-ctrl where $filter and lower(appcat)='botnet' group by threat_type)###) t group by threat_type
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Threats-By-Day |
Threats by Day |
virus |
select daystamp, sum(total_num) as total_num from ( ###(select $day_of_week as daystamp, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by daystamp)###) t group by daystamp order by daystamp
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Threats-By-Day-Radar |
Threats by Day |
virus |
select daystamp, sum(total_num) as total_num from ( ###(select $day_of_week as daystamp, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-attack where $filter and nullifna(attack) is not null group by daystamp)### union all ###(select $day_of_week as daystamp, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by daystamp)###) t group by daystamp order by daystamp
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Count-Of-Malware-Events |
Count of Malware Events |
virus |
select virus, count(*) as total_num from $log where $filter and nullifna(virus) is not null group by virus order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Malware-By-Count |
Top Malware by Count |
app-ctrl |
select virus, malware_type, risk_level, count(distinct victim) as victim, count(distinct source) as source, sum(total_num) as total_num from ( ###(select app as virus, 'Botnet C&C' as malware_type, apprisk::text as risk_level, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' and apprisk is not null group by app, malware_type, apprisk, victim, source order by total_num desc)### union all ###(select virus, (case when eventtype='botnet' then 'Botnet C&C' else 'Virus' end) as malware_type, crlevel::text as risk_level, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null and crlevel is not null group by virus, malware_type, crlevel, victim, source order by total_num desc)### union all ###(select attack as virus, (case when eventtype='botnet' then 'Botnet C&C' else 'Virus' end) as malware_type, crlevel::text as risk_level, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as total_num from $log-attack where $filter and (logflag&16>0) and crlevel is not null group by virus, malware_type, crlevel, victim, source order by total_num desc)###) t group by virus, malware_type, risk_level order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Failed-Login-Attempts |
Top Failed Login Attempts |
event |
select `user` as f_user, ui, dstip, count(status) as total_failed from $log where $filter and nullifna(`user`) is not null and logid_to_int(logid) = 32002 group by ui, f_user, dstip order by total_failed desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Failed-Authentication-Attempts |
VPN failed logins |
event |
select f_user, tunneltype, sum(total_num) as total_num from ###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as total_num from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%') and action in ('ssl-login-fail', 'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user, tunneltype)### t group by f_user, tunneltype order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Top-Denied-Connections |
Top Denied Connections |
traffic |
select coalesce( nullifna(`user`), ipstr(`srcip`) ) as user_src, service || & #039;(' || ipstr(srcip) || ')' as interface, dstip, count(*) as total_num from $log where $filter and (logflag&1>0) and action = 'deny' group by user_src, interface, dstip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Failed-Compliance-Checked-By-Device |
Failed Compliance Checked by Device |
event |
select devid, & #039;Failed' as results, count(distinct reason) as total_num from ###(select devid, reason from $log where $filter and subtype='compliance-check' and result='fail' group by devid, reason)### t group by devid, results order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Ioc-Blacklist-Summary |
IOC Blacklist Summary |
app-ctrl |
drop table if exists tmp_ep_eu_map; create temporary table tmp_ep_eu_map as ( select epid, euid from $ADOM_EPEU_DEVMAP where euid >= 1024 ); select coalesce( nullifna(epname), nullifna( ipstr(`srcip`) ), & #039;Unknown') as epname, user_agg, sevid, (CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END) as severity, threats, bl_count as total_bl from (select th1.epid, srcip, sevid, bl_count, threats from (select epid, srcip, max(verdict)+1 as sevid, sum(bl_count) as bl_count from ((select epid, srcip, day_st as itime, bl_count, verdict, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_IOC_VERDICT where bl_count>0) union all (select epid, srcip, day_st as itime, bl_count, verdict, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_INTERIM_IOC_VERDICT where bl_count>0)) tvdt inner join devtable_ext td on td.dvid = tvdt.dvid_s where $filter and $filter-drilldown and $dev_filter group by epid, srcip) th1 inner join (select epid, string_agg(name, ',') as threats from (select * from (select epid, thid from ((select epid, thid, itime, unnest(dvid) as dvid_s from (select epid, unnest(threatid) as thid, day_st as itime, dvid from $ADOMTBL_PLHD_IOC_VERDICT where bl_count>0) ta1) union all (select epid, thid, itime, unnest(dvid) as dvid_s from (select epid, unnest(threatid) as thid, day_st as itime, dvid from $ADOMTBL_PLHD_INTERIM_IOC_VERDICT where bl_count>0) ta2)) t inner join devtable_ext td on td.dvid = t.dvid_s where $filter and $filter-drilldown and $dev_filter group by epid, thid) thr inner join td_threat_name_mdata tm on tm.id=thr.thid) t group by epid) th2 on th1.epid=th2.epid) t1 left join (select epid, string_agg(distinct euname, ',') as user_agg from tmp_ep_eu_map tpu inner join $ADOM_ENDUSER as teu on tpu.euid=teu.euid group by epid) t2 on t2.epid=t1.epid inner join $ADOM_ENDPOINT as tep on tep.epid=t1.epid order by total_bl desc, sevid desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Ioc-Potential-Breach-By-Day |
IOC Potential Breach by Day |
app-ctrl |
select number, day_st as itime from ( select count(epid) as number, to_char( from_itime(itime), & #039;Day') as day_st from (select epid, day_st as itime, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_INTERIM_IOC_VERDICT where $filter-drilldown and cs_count>0 union all (select epid, day_st as itime, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_IOC_VERDICT where $filter-drilldown and cs_count>0)) t inner join devtable_ext td on td.dvid = t.dvid_s where $filter and $filter-drilldown group by day_st) tt order by itime
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Ioc-Potential-Breach-By-Day-Bar |
IOC Potential Breach by Day |
app-ctrl |
select number, day_st as itime from ( select count(epid) as number, to_char( from_itime(itime), & #039;Day') as day_st from (select epid, day_st as itime, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_INTERIM_IOC_VERDICT where $filter-drilldown and cs_count>0 union all (select epid, day_st as itime, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_IOC_VERDICT where $filter-drilldown and cs_count>0)) t inner join devtable_ext td on td.dvid = t.dvid_s where $filter and $filter-drilldown group by day_st) tt order by itime
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Ioc-Suspicion-Summary |
IOC Suspicion Summary |
app-ctrl |
select coalesce( nullifna(epname), nullifna( ipstr(`srcip`) ), & #039;Unknown') as epname, cs_count as total_cs, cs_score as max_cs, verdict as max_verdict, threats from (select th1.epid, srcip, itime, cs_count, verdict, cs_score, threats from (select epid, srcip, min(itime) as itime, sum(cs_count) as cs_count, max(verdict) as verdict, max(cs_score) as cs_score from ((select epid, srcip, day_st as itime, cs_count, verdict, cs_score, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_IOC_VERDICT where $filter-drilldown and bl_count=0 and cs_count>0) union all (select epid, srcip, day_st as itime, cs_count, verdict, cs_score, unnest(dvid) as dvid_s from $ADOMTBL_PLHD_INTERIM_IOC_VERDICT where $filter-drilldown and bl_count=0 and cs_count>0)) tvdt inner join devtable_ext td on td.dvid = tvdt.dvid_s where $filter and $filter-drilldown group by epid, srcip) th1 inner join (select epid, string_agg(name, ',') as threats from (select * from (select epid, thid from ((select epid, thid, itime, unnest(dvid) as dvid_s from (select epid, unnest(threatid) as thid, day_st as itime, dvid from $ADOMTBL_PLHD_IOC_VERDICT where bl_count=0 and cs_count>0) ta1) union all (select epid, thid, itime, unnest(dvid) as dvid_s from (select epid, unnest(threatid) as thid, day_st as itime, dvid from $ADOMTBL_PLHD_INTERIM_IOC_VERDICT where bl_count=0 and cs_count>0) ta2)) tt1 inner join devtable_ext td on td.dvid = tt1.dvid_s where $filter and $filter-drilldown group by epid, thid) thr inner join td_threat_name_mdata tm on tm.id=thr.thid) tt2 group by epid) th2 on th1.epid=th2.epid) t inner join $ADOM_ENDPOINT as tep on tep.epid=t.epid order by max_verdict desc, max_cs desc, total_cs desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Botnet-IP |
Top Source IP Affected by Botnet |
virus |
select f_user, source, string_agg( distinct `virus`, & #039;,') as virus_agg, count(distinct ipstr(`victim`)) as dstip_cnt, max(action) as action, sum(total_num) as total_num, min(from_itime(first_seen)) as first_seen, max(from_itime(last_seen)) as last_seen from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, virus, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, max(action) as action, count(*) as total_num, min(itime) as first_seen, max(itime) as last_seen from $log where $filter and logid in ('0202009248', '0202009249') and virus is not null group by f_user, virus, source, victim order by total_num desc)### t group by source, f_user order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Botnet-Domain |
New Botnet Domains |
dns |
select botnet, count(distinct `qname`) as qname_cnt, count( distinct ipstr(`dstip`) ) as dnssvr_cnt, sum(total_num) as total_num, min( from_itime(first_seen) ) as first_seen, max( from_itime(last_seen) ) as last_seen from ###(select coalesce(`botnetdomain`, ipstr(`botnetip`)) as botnet, qname, dstip, count(*) as total_num, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen from $log where $filter and logid in ('1501054601', '1501054600') group by botnet, qname, dstip order by total_num desc)### t group by botnet order by first_seen desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-High-Risk-URL-Category |
Category of High Risk URLs |
webfilter |
select catdesc, string_agg( distinct hostname, & #039;,') as hostname_agg, max(action) as action, sum(total_num) as total_num, min(from_itime(first_seen)) as first_seen, max(from_itime(last_seen)) as last_seen from ###(select catdesc, hostname, max(action) as action, count(*) as total_num, min(itime) as first_seen, max(itime) as last_seen from $log where $filter and cat in (26, 61, 86, 88, 90, 91, 93) group by catdesc, hostname order by total_num desc)### t group by catdesc order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
aware-Malicious-Files |
Type of Malicious Files from AV and Sandbox |
virus |
select virus, left(url_agg, 1000) as url_agg, left(filename_agg, 1000) as filename_agg, quarskip, action, from_sandbox, total_num, first_seen, last_seen from ( select virus, string_agg( distinct url, & #039;<br/>') as url_agg, string_agg(distinct filename, '<br/>') as filename_agg, max(quarskip) as quarskip, max(action) as action, max(from_sandbox) as from_sandbox, sum(total_num) as total_num, min(from_itime(first_seen)) as first_seen, max(from_itime(last_seen)) as last_seen from ###(select virus, url, filename, max(quarskip) as quarskip, max(action) as action, (case when logid in ('0211009234', '0211009235') then 1 else 0 end) as from_sandbox, count(*) as total_num, min(itime) as first_seen, max(itime) as last_seen from $log where $filter and virus is not null and logid in ('0211009234', '0201009235', '0211008192', '0211008193', '0211008194', '0211008195') group by virus, url, filename, from_sandbox order by total_num desc)### t group by virus) t order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-New-Users |
New users |
fct-traffic |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select f_user, min(start_time) as start_time from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, min(dtime) as start_time from $log where $pre_period $filter group by f_user order by start_time desc)### t group by f_user; create temporary table rpt_tmptbl_2 as select f_user, min(start_time) as start_time from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as f_user, min(dtime) as start_time from $log where $filter group by f_user order by start_time desc)### t group by f_user; select f_user, from_dtime(min(start_time)) as start_time from rpt_tmptbl_2 where f_user is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.f_user=rpt_tmptbl_1.f_user) group by f_user order by start_time desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-New-Devices |
New devices |
fct-traffic |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select hostname, os, srcip, fctver from ###(select hostname, os, srcip, fctver from $log where $pre_period $filter and hostname is not null group by hostname, os, srcip, fctver order by hostname)### t group by hostname, os, srcip, fctver; create temporary table rpt_tmptbl_2 as select hostname, os, srcip, fctver from ###(select hostname, os, srcip, fctver from $log where $filter and hostname is not null group by hostname, os, srcip, fctver order by hostname)### t group by hostname, os, srcip, fctver; select hostname, max(fctos_to_devtype(os)) as devtype, string_agg(distinct os, '/') as os_agg, string_agg(distinct ipstr(srcip), '/') as srcip_agg, string_agg(distinct fctver, '/') as fctver_agg from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.hostname=rpt_tmptbl_1.hostname) group by hostname order by hostname
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-New-Software-Installed |
New software installed |
fct-traffic |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select srcproduct, hostname from ###(select srcproduct, hostname from $log where $pre_period $filter and nullifna(srcproduct) is not null group by srcproduct, hostname order by srcproduct)### t group by srcproduct, hostname; create temporary table rpt_tmptbl_2 as select srcproduct, hostname from ###(select srcproduct, hostname from $log where $filter and nullifna(srcproduct) is not null group by srcproduct, hostname order by srcproduct)### t group by srcproduct, hostname; select srcproduct, string_agg(distinct hostname, ',') as host_agg from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.srcproduct=rpt_tmptbl_1.srcproduct) group by srcproduct order by srcproduct
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-New-Security-Threats |
New security threats |
virus |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select threat_name, cat_id, source from ( ###(select app as threat_name, 1 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-app-ctrl where $pre_period $filter and nullifna(app) is not null and lower(appcat)='botnet' group by threat_name, cat_id, source)### union all ###(select virus as threat_name, 2 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-virus where $pre_period $filter and nullifna(virus) is not null group by threat_name, cat_id, source)### union all ###(select attack as threat_name, 3 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-attack where $pre_period $filter and nullifna(attack) is not null group by threat_name, cat_id, source)###) t; create temporary table rpt_tmptbl_2 as select daystamp, threat_name, cat_id, source from (###(select $DAY_OF_MONTH as daystamp, app as threat_name, 1 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-app-ctrl where $filter and nullifna(app) is not null and lower(appcat)='botnet' group by daystamp, threat_name, cat_id, source order by daystamp)### union all ###(select $DAY_OF_MONTH as daystamp, virus as threat_name, 2 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-virus where $filter and nullifna(virus) is not null group by daystamp, threat_name, cat_id, source order by daystamp)### union all ###(select $DAY_OF_MONTH as daystamp, attack as threat_name, 3 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-attack where $filter and nullifna(attack) is not null group by daystamp, threat_name, cat_id, source order by daystamp)###) t; select threat_name, (case cat_id when 1 then 'Botnet' when 2 then 'Malware' when 3 then 'Attack' end) as threat_cat, count(distinct source) as host_num, string_agg(distinct cve, ',') as cve_agg from rpt_tmptbl_2 left join ips_mdata t2 on rpt_tmptbl_2.threat_name=t2.name where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.threat_name=rpt_tmptbl_1.threat_name) group by threat_name, threat_cat order by host_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-dns-Botnet-Domain-IP |
New Queried Botnet C&C Domains and IPs |
dns |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select domain, malware_type, action_s as action, srcip, sevid from ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action_s, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $pre_period $filter and (botnetdomain is not null or botnetip is not null) group by domain, action_s, srcip, sevid order by sevid desc)### t group by domain, malware_type, action, srcip, sevid; create temporary table rpt_tmptbl_2 as select domain, malware_type, action_s as action, srcip, sevid from ###(select coalesce(botnetdomain, ipstr(botnetip)) as domain, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action_s, srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log where $filter and (botnetdomain is not null or botnetip is not null) group by domain, action_s, srcip, sevid order by sevid desc)### t group by domain, malware_type, action, srcip, sevid; select domain, srcip, sevid, (CASE sevid WHEN 5 THEN 'Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END) as severity from rpt_tmptbl_2 where (domain is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.domain=rpt_tmptbl_1.domain)) or (srcip is not null and not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.srcip=rpt_tmptbl_1.srcip)) group by domain, srcip, sevid order by sevid desc, domain
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-New-Security-Threats-Timeline |
New security threats timeline |
virus |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select threat_name, cat_id, source from ( ###(select app as threat_name, 1 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-app-ctrl where $pre_period $filter and nullifna(app) is not null and lower(appcat)='botnet' group by threat_name, cat_id, source)### union all ###(select virus as threat_name, 2 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-virus where $pre_period $filter and nullifna(virus) is not null group by threat_name, cat_id, source)### union all ###(select attack as threat_name, 3 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-attack where $pre_period $filter and nullifna(attack) is not null group by threat_name, cat_id, source)###) t; create temporary table rpt_tmptbl_2 as select timestamp, threat_name, cat_id, source from (###(select $flex_timestamp as timestamp, app as threat_name, 1 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-app-ctrl where $filter and nullifna(app) is not null and lower(appcat)='botnet' group by timestamp, threat_name, cat_id, source order by timestamp)### union all ###(select $flex_timestamp as timestamp, virus as threat_name, 2 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-virus where $filter and nullifna(virus) is not null group by timestamp, threat_name, cat_id, source order by timestamp)### union all ###(select $flex_timestamp as timestamp, attack as threat_name, 3 as cat_id, (CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source from $log-attack where $filter and nullifna(attack) is not null group by timestamp, threat_name, cat_id, source order by timestamp)###) t; select $flex_datetime(timestamp) as timescale, count(distinct source) as host_num, (case cat_id when 1 then 'Botnet' when 2 then 'Malware' when 3 then 'Attack' end) as threat_cat from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.threat_name=rpt_tmptbl_1.threat_name) group by timescale, cat_id order by timescale, cat_id
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-New-Vulnerability |
New vulnerabilities |
fct-netscan |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select vulnid, vulnname, vulnseverity, vulncat, hostname from ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $pre_period $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)### t group by vulnid, vulnname, vulnseverity, vulncat, hostname; create temporary table rpt_tmptbl_2 as select vulnid, vulnname, vulnseverity, vulncat, hostname from ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)### t group by vulnid, vulnname, vulnseverity, vulncat, hostname; select vulnname, (case when vulnseverity='Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) as sev, vulnseverity, vulncat, count(distinct hostname) as host_num, cve_id from rpt_tmptbl_2 t1 left join fct_mdata t2 on t1.vulnid=t2.vid::int where not exists (select 1 from rpt_tmptbl_1 where t1.vulnid=rpt_tmptbl_1.vulnid) group by vulnname, sev, vulnseverity, vulncat, cve_id order by sev desc, host_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-New-Vulnerability-Graph |
New vulnerabilities (Graph) |
fct-netscan |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select vulnid, vulnname, vulnseverity, vulncat, hostname from ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $pre_period $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)### t group by vulnid, vulnname, vulnseverity, vulncat, hostname; create temporary table rpt_tmptbl_2 as select vulnid, vulnname, vulnseverity, vulncat, hostname from ###(select vulnid, vulnname, vulnseverity, vulncat, hostname from $log where $filter and nullifna(vulnname) is not null group by vulnid, vulnname, vulnseverity, vulncat, hostname)### t group by vulnid, vulnname, vulnseverity, vulncat, hostname; select vulnseverity, count (distinct vulnid) as vuln_num from rpt_tmptbl_2 where not exists (select 1 from rpt_tmptbl_1 where rpt_tmptbl_2.vulnid=rpt_tmptbl_1.vulnid) group by vulnseverity order by (case when vulnseverity='Critical' then 5 when vulnseverity='High' then 4 when vulnseverity='Medium' then 3 when vulnseverity='Low' then 2 when vulnseverity='Info' then 1 else 0 end) desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-System-Alerts |
System Alerts |
local-event |
select from_itime(itime) as timestamp, msg from $log where $filter and msg is not null and level =& #039;critical' order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-Configuration-Changes |
Configuration Changes |
event |
select `user` as f_user, devid, from_dtime(dtime) as time_s, ui, msg from $log where $filter and cfgtid>0 order by time_s desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-FortiGate-Upgrades |
FortiGate Upgrades |
event |
select devid, from_dtime(dtime) as time_s, info[1] as intf, info[2] as prev_ver, info[3] as new_ver from ( select devid, dtime, regexp_matches( msg, & #039;from ([^ ]+) \\(([^ ]+) -> ([^)]+)\\)') as info from $log where $filter and action='restore-image') t order by time_s desc
Dataset Name |
Description |
Log Category |
---|---|---|
newthing-User-Upgrades |
User Upgrades |
fct-event |
drop table if exists rpt_tmptbl_1; drop table if exists rpt_tmptbl_2; create temporary table rpt_tmptbl_1 as select fgtserial, hostname, deviceip, os, dtime from ###(select distinct on (fgtserial, hostname) fgtserial, hostname, deviceip, os, dtime from $log where $pre_period $filter and hostname is not null order by fgtserial, hostname, dtime desc)### t; create temporary table rpt_tmptbl_2 as select fgtserial, hostname, deviceip, os, dtime from ###(select distinct on (fgtserial, hostname) fgtserial, hostname, deviceip, os, dtime from $log where $filter and hostname is not null order by fgtserial, hostname, dtime desc)### t; select distinct on (1, 2) t2.fgtserial as devid, t2.hostname, t2.deviceip, t1.os as prev_os, t2.os as cur_os, from_dtime(t1.dtime) as time_s from rpt_tmptbl_2 t2 inner join rpt_tmptbl_1 t1 on t2.fgtserial=t1.fgtserial and t2.hostname=t1.hostname and t2.os!=t1.os order by devid, t2.hostname, t1.dtime desc
Dataset Name |
Description |
Log Category |
---|---|---|
GTP-List-of-APN-Used |
List of APNs Used |
gtp |
select apn, from_dtime( min(first_seen) ) as first_seen, from_dtime( max(last_seen) ) as last_seen from ###(select apn, min(dtime) as first_seen, max(dtime) as last_seen from $log where $filter and nullifna(apn) is not null group by apn order by last_seen desc)### t group by apn order by last_seen desc, first_seen
Dataset Name |
Description |
Log Category |
---|---|---|
GTP-Top-APN-by-Bytes |
Top APNs by Bytes |
gtp |
select apn, sum( coalesce(`u-bytes`, 0) ) as total_bytes from $log where $filter and nullifna(apn) is not null and status =& #039;traffic-count' group by apn having sum(coalesce(`u-bytes`, 0))>0 order by total_bytes desc
Dataset Name |
Description |
Log Category |
---|---|---|
GTP-Top-APN-by-Duration |
Top APNs by Duration |
gtp |
select apn, sum( coalesce(duration, 0) ) as total_dura from $log where $filter and nullifna(apn) is not null and status =& #039;traffic-count' group by apn having sum(coalesce(duration, 0)) >0 order by total_dura desc
Dataset Name |
Description |
Log Category |
---|---|---|
GTP-Top-APN-by-Packets |
Top APNs by Number of Packets |
gtp |
select apn, sum( coalesce(`u-pkts`, 0) ) as total_num from $log where $filter and nullifna(apn) is not null and status =& #039;traffic-count' group by apn having sum(coalesce(`u-pkts`, 0))>0 order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top10-dns-Botnet-Domain-IP |
Top Queried Botnet C&C Domains and IPs |
dns |
select domain, malware_type, action, count(distinct srcip) as victims, count(distinct sources_s) as sources, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Botnet-Usage |
Top Queried Botnet C&C Domains and IPs |
dns |
select domain, malware_type, action, count(distinct srcip) as victims, count(distinct sources_s) as sources, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Dns-Detected-Botnet |
Top Queried Botnet C&C Domains and IPs |
dns |
select domain, malware_type, action, count(distinct srcip) as victims, count(distinct sources_s) as sources, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by domain, malware_type, action order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Botnet-Domain-IP |
Queried Botnet C&C Domains and IPs |
dns |
select domain, srcip, sevid, ( CASE sevid WHEN 5 THEN & #039;Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END) as severity from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by domain, srcip, sevid order by sevid desc, domain
Dataset Name |
Description |
Log Category |
---|---|---|
dns-High-Risk-Source |
High Risk Sources |
dns |
select srcip, sum(total_num) as total_num, sum( case when sevid = 5 then total_num else 0 end ) as num_cri, sum( case when sevid = 4 then total_num else 0 end ) as num_hig, sum( case when sevid = 3 then total_num else 0 end ) as num_med from ###(select srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from $log where $filter and srcip is not null group by srcip, sevid order by total_num desc)### t where sevid>=3 group by srcip having sum(total_num)>0 order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-DNS-Request-Over-Time |
DNS Request Over Time |
dns |
select $flex_timescale(timestamp) as timescale, sum( case when sevid = 5 then total_num else 0 end ) as num_cri, sum( case when sevid = 4 then total_num else 0 end ) as num_hig, sum( case when sevid = 3 then total_num else 0 end ) as num_med, sum( case when sevid = 2 then total_num else 0 end ) as num_inf, sum( case when sevid = 1 then total_num else 0 end ) as num_low from ###(select $flex_timestamp as timestamp, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from $log where $filter group by timestamp, sevid order by total_num desc)### t group by timescale order by timescale
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Top-Queried-Domain |
Top Queried Domain |
dns |
select qname, count(*) as total_num from $log where $filter and qname is not null group by qname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Top-Domain-Lookup-Failure-Bar |
Top Domain Lookup Failures |
dns |
select qname, srcip, count(*) as total_num from $log where $filter and qname is not null and ( action =& #039;block' or logid_to_int(logid)=54200) group by qname, srcip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Top-Domain-Lookup-Failure-Table |
Top Domain Lookup Failures |
dns |
select qname, srcip, count(*) as total_num from $log where $filter and qname is not null and ( action =& #039;block' or logid_to_int(logid)=54200) group by qname, srcip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Query-Timeout |
Query Timeout |
dns |
select srcip, qname, count(*) as total_num from $log where $filter and srcip is not null and logid_to_int(logid)= 54200 group by qname, srcip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Blocked-Query |
Blocked Queries |
dns |
select srcip, msg, count(*) as total_num from $log where $filter and srcip is not null and action =& #039;block' group by srcip, msg order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-cpu-usage-drilldown |
Fortigate resource detail timeline |
event |
select hodex, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate)/ count(*) as decimal(10, 2) ) as log_rate, cast( sum(sessions)/ count(*) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps)/ count(*) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps)/ count(*) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps)/ count(*) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave)/ count(*) as decimal(10, 0) ) as cps_ave, max(cps_peak) as cps_peak from ( select hodex, devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave) as decimal(10, 0) ) as cps_ave, sum(cps_peak) as cps_peak from ( select $flex_timescale(timestamp) as hodex, devid, slot, sum(total_cpu)/ sum(count) cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak, sum(cps)/ sum(count) as cps_ave, max(cps_peak) as cps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid, slot) t group by hodex, devid, role) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-mem-usage-drilldown |
Fortigate resource detail timeline |
event |
select hodex, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate)/ count(*) as decimal(10, 2) ) as log_rate, cast( sum(sessions)/ count(*) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps)/ count(*) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps)/ count(*) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps)/ count(*) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave)/ count(*) as decimal(10, 0) ) as cps_ave, max(cps_peak) as cps_peak from ( select hodex, devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave) as decimal(10, 0) ) as cps_ave, sum(cps_peak) as cps_peak from ( select $flex_timescale(timestamp) as hodex, devid, slot, sum(total_cpu)/ sum(count) cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak, sum(cps)/ sum(count) as cps_ave, max(cps_peak) as cps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid, slot) t group by hodex, devid, role) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-disk-usage-drilldown |
Fortigate resource detail timeline |
event |
select hodex, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate)/ count(*) as decimal(10, 2) ) as log_rate, cast( sum(sessions)/ count(*) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps)/ count(*) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps)/ count(*) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps)/ count(*) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave)/ count(*) as decimal(10, 0) ) as cps_ave, max(cps_peak) as cps_peak from ( select hodex, devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave) as decimal(10, 0) ) as cps_ave, sum(cps_peak) as cps_peak from ( select $flex_timescale(timestamp) as hodex, devid, slot, sum(total_cpu)/ sum(count) cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak, sum(cps)/ sum(count) as cps_ave, max(cps_peak) as cps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid, slot) t group by hodex, devid, role) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-sessions-drilldown |
Fortigate resource detail timeline |
event |
select hodex, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate)/ count(*) as decimal(10, 2) ) as log_rate, cast( sum(sessions)/ count(*) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps)/ count(*) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps)/ count(*) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps)/ count(*) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave)/ count(*) as decimal(10, 0) ) as cps_ave, max(cps_peak) as cps_peak from ( select hodex, devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave) as decimal(10, 0) ) as cps_ave, sum(cps_peak) as cps_peak from ( select $flex_timescale(timestamp) as hodex, devid, slot, sum(total_cpu)/ sum(count) cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak, sum(cps)/ sum(count) as cps_ave, max(cps_peak) as cps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid, slot) t group by hodex, devid, role) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-lograte-drilldown |
Fortigate resource detail timeline |
event |
select hodex, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate)/ count(*) as decimal(10, 2) ) as log_rate, cast( sum(sessions)/ count(*) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps)/ count(*) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps)/ count(*) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps)/ count(*) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave)/ count(*) as decimal(10, 0) ) as cps_ave, max(cps_peak) as cps_peak from ( select hodex, devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave) as decimal(10, 0) ) as cps_ave, sum(cps_peak) as cps_peak from ( select $flex_timescale(timestamp) as hodex, devid, slot, sum(total_cpu)/ sum(count) cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak, sum(cps)/ sum(count) as cps_ave, max(cps_peak) as cps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid, slot) t group by hodex, devid, role) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-connections-drilldown |
Fortigate resource detail timeline |
event |
select hodex, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate)/ count(*) as decimal(10, 2) ) as log_rate, cast( sum(sessions)/ count(*) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps)/ count(*) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps)/ count(*) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps)/ count(*) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave)/ count(*) as decimal(10, 0) ) as cps_ave, max(cps_peak) as cps_peak from ( select hodex, devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave) as decimal(10, 0) ) as cps_ave, sum(cps_peak) as cps_peak from ( select $flex_timescale(timestamp) as hodex, devid, slot, sum(total_cpu)/ sum(count) cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak, sum(cps)/ sum(count) as cps_ave, max(cps_peak) as cps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid, slot) t group by hodex, devid, role) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-bandwidth-drilldown |
Fortigate resource detail timeline |
event |
select hodex, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate)/ count(*) as decimal(10, 2) ) as log_rate, cast( sum(sessions)/ count(*) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps)/ count(*) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps)/ count(*) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps)/ count(*) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave)/ count(*) as decimal(10, 0) ) as cps_ave, max(cps_peak) as cps_peak from ( select hodex, devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak, cast( sum(cps_ave) as decimal(10, 0) ) as cps_ave, sum(cps_peak) as cps_peak from ( select $flex_timescale(timestamp) as hodex, devid, slot, sum(total_cpu)/ sum(count) cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak, sum(cps)/ sum(count) as cps_ave, max(cps_peak) as cps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid, slot) t group by hodex, devid, role) t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-usage-summary-average |
Fortigate resource summary view |
event |
select devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak from ( select devid, slot, sum(total_cpu)/ sum(count) as cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid, slot) t group by devid, role order by devid, role
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-usage-summary-peak |
Fortigate resource summary view |
event |
select devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak from ( select devid, slot, sum(total_cpu)/ sum(count) as cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid, slot) t group by devid, role order by devid, role
Dataset Name |
Description |
Log Category |
---|---|---|
perf-stat-usage-details-drilldown-master |
Fortigate resource summary view |
event |
select devid, get_fgt_role(devid, slot) as role, cast( sum(cpu_ave)/ count(*) as decimal(6, 0) ) as cpu_ave, cast( sum(mem_ave)/ count(*) as decimal(6, 0) ) as mem_ave, cast( sum(disk_ave)/ count(*) as decimal(6, 0) ) as disk_ave, cast( sum(log_rate) as decimal(10, 2) ) as log_rate, cast( sum(sessions) as decimal(10, 0) ) as sessions, cast( sum(sent_kbps) as decimal(10, 0) ) as sent_kbps, cast( sum(recv_kbps) as decimal(10, 0) ) as recv_kbps, cast( sum(transmit_kbps) as decimal(10, 0) ) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, cast( max(lograte_peak) as decimal(10, 2) ) as lograte_peak, max(session_peak) as session_peak, max(transmit_kbps_peak) as transmit_kbps_peak from ( select devid, slot, sum(total_cpu)/ sum(count) as cpu_ave, sum(total_mem)/ sum(count) as mem_ave, sum(total_disk)/ sum(count) as disk_ave, sum( total_trate + total_erate + total_orate )/ 100.00 / sum(count) as log_rate, sum(totalsession)/ sum(count) as sessions, sum(sent)/ sum(count) as sent_kbps, sum(recv)/ sum(count) as recv_kbps, sum(sent + recv)/ sum(count) as transmit_kbps, max(mem_peak) as mem_peak, max(disk_peak) as disk_peak, max(cpu_peak) as cpu_peak, max(lograte_peak)/ 100.00 as lograte_peak, max(session_peak) as session_peak, max(transmit_peak) as transmit_kbps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid, slot) t group by devid, role order by devid, role
Dataset Name |
Description |
Log Category |
---|---|---|
incident-Incident-Count-by-Status |
Incident status distribution |
select status, sum(cnt) as cnt from /*fabricStart*/ ( select status, count(*) as cnt from $incident where $filter - drilldown group by status order by status ) /*fabricEnd*/ t group by status order by status
Dataset Name |
Description |
Log Category |
---|---|---|
incident-Incident-Count-by-Status-Donut |
Incident status distribution |
select status, sum(cnt) as cnt from /*fabricStart*/ ( select status, count(*) as cnt from $incident where $filter - drilldown group by status order by status ) /*fabricEnd*/ t group by status order by status
Dataset Name |
Description |
Log Category |
---|---|---|
incident-Open-Incident-Count-Timeline |
Incident count by status over time |
select hodex, max(num_sta_draft) as num_sta_draft, max(num_sta_analysis) as num_sta_analysis, max(num_sta_response) as num_sta_response, max(num_sta_closed) as num_sta_closed, max(num_sta_cancelled) as num_sta_cancelled from /*fabricStart*/ ( select $flex_timescale(agg_time) as hodex, max(num_sta_draft) as num_sta_draft, max(num_sta_analysis) as num_sta_analysis, max(num_sta_response) as num_sta_response, max(num_sta_closed) as num_sta_closed, max(num_sta_cancelled) as num_sta_cancelled from $incident_history where $filter - drilldown and $cust_time_filter(agg_time) group by hodex order by hodex ) /*fabricEnd*/ t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
incident-Closed-Incident-Count-Timeline |
Incident count by status over time |
select hodex, max(num_sta_draft) as num_sta_draft, max(num_sta_analysis) as num_sta_analysis, max(num_sta_response) as num_sta_response, max(num_sta_closed) as num_sta_closed, max(num_sta_cancelled) as num_sta_cancelled from /*fabricStart*/ ( select $flex_timescale(agg_time) as hodex, max(num_sta_draft) as num_sta_draft, max(num_sta_analysis) as num_sta_analysis, max(num_sta_response) as num_sta_response, max(num_sta_closed) as num_sta_closed, max(num_sta_cancelled) as num_sta_cancelled from $incident_history where $filter - drilldown and $cust_time_filter(agg_time) group by hodex order by hodex ) /*fabricEnd*/ t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
Top-10-Interested-Apps-by-Bandwidth |
Top Interested Applications by Bandwidth Usage |
traffic |
select app, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Interested-App-Users-by-Bandwidth |
Top Interested Application Users by Bandwidth |
traffic |
select user_src, sum(bandwidth) as bandwidth from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by user_src having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-10-Interested-Applications-by-Number-of-Users |
Top Applications by number of users |
traffic |
select app, count(distinct user_src) as number from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by app order by number desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-10-User-by-Session |
Top user by session count |
traffic |
select user_src, sum(sessions) as sessions from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, count(*) as sessions from $log where $filter and (logflag&1>0) group by user_src order by sessions desc)### t group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-10-Interested-Apps-by-Session |
Top Interested Applications by Bandwidth Usage |
traffic |
select app, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by app having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Interested-Applications-by-Risk-Level |
Interested Applications by Risk Level |
traffic |
select app, min(id) as id, appcat, max(risk) as d_risk, ( case when max(risk)=& #039;5' then 'Critical' when max(risk)='4' then 'High' when max(risk)='3' then 'Medium' when max(risk)='2' then 'Low' else 'Info' end) as risk_level, sum(sessions) as sessions, sum(traffic_out) as sent, sum(traffic_in) as received, sum(bandwidth) as bandwidth from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t1 inner join app_mdata t2 on lower(t1.app)=lower(t2.name) group by app, appcat order by d_risk desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-App-Category-by-Bandwidth |
Total number of bandwidth consuming applications |
traffic |
select appcat, sum(bandwidth) as bandwidth from ###(select timestamp, app, appcat, user_src, hostname, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by timestamp, app, appcat, user_src, hostname /*SkipSTART*/order by bandwidth desc, sessions desc/*SkipEND*/)### t group by appcat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Interested-Apps-by-Number-of-Users |
Top Applications by number of users |
traffic |
select app, count(distinct user_src) as number from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by app order by number desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Interested-App-Users-By-Bandwidth-Timeline |
Top Interested Application Users by Bandwidth Timeline |
traffic |
select hodex, t1.user_src, t1.bandwidth from ( select $flex_timescale(timestamp) as hodex, user_src, sum(bandwidth) as bandwidth from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by hodex, user_src having sum(bandwidth)>0 order by hodex) t1 inner join (select user_src, sum(bandwidth) as bandwidth from ###(select timestamp, user_src, appid, app, appcat, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where appcat in ('P2P', 'Storage.Backup', 'File.Sharing', 'Video/Audio') group by timestamp, user_src, appid, app, appcat /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by user_src order by bandwidth desc limit $ddown-top) t2 on t1.user_src=t2.user_src order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Event-vs-Incident-Today-Trend |
Events vs Incidents Today Trend |
select item, num_cur, num_pre, num_diff from /*fabricStart*/ ( select & #039;Events' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime,TODAY)) as num_cur, (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime,YESTERDAY)) as num_pre) t union all select 'Incidents' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $incident where $cust_time_filter(createtime,TODAY)) as num_cur, (select count(*) from $incident where $cust_time_filter(createtime,YESTERDAY)) as num_pre) t)/*fabricEnd*/ t order by item
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Event-vs-Incident-History-Trend |
Events vs Incidents History Trend |
select item, num_cur, num_pre, num_diff from /*fabricStart*/ ( select & #039;Events' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime)) as num_cur, (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime,LAST_N_PERIOD,1)) as num_pre) t union all select 'Incidents' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $incident where $cust_time_filter(createtime)) as num_cur, (select count(*) from $incident where $cust_time_filter(createtime,LAST_N_PERIOD,1)) as num_pre) t)/*fabricEnd*/ t order by item
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Event-vs-Incident-Trend |
Events vs Incidents Trend |
select t1.item, t1.num_cur as num_today, t1.num_pre as num_yesterday, t1.num_diff as num_diff1, t2.num_cur as num_this_period, t2.num_pre as num_last_period, t2.num_diff as num_diff2 from /*fabricStart*/ ( select & #039;Events' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime,TODAY)) as num_cur, (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime,YESTERDAY)) as num_pre) t union all select 'Incidents' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $incident where $cust_time_filter(createtime,TODAY)) as num_cur, (select count(*) from $incident where $cust_time_filter(createtime,YESTERDAY)) as num_pre) t)/*fabricEnd*/ t1 full join /*fabricStart*/(select 'Events' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime)) as num_cur, (select count(*) from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $filter-drilldown and $cust_time_filter(alerttime,LAST_N_PERIOD,1)) as num_pre) t union all select 'Incidents' as item, num_cur, num_pre, (num_cur-num_pre) as num_diff from (select (select count(*) from $incident where $cust_time_filter(createtime)) as num_cur, (select count(*) from $incident where $cust_time_filter(createtime,LAST_N_PERIOD,1)) as num_pre) t)/*fabricEnd*/ t2 on t1.item=t2.item order by t1.item
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Total-Event-by-Severity-History |
Total Events by Severity History |
select dom, ( CASE severity WHEN 0 THEN & #039;Critical' WHEN 1 THEN 'High' WHEN 2 THEN 'Medium' WHEN 3 THEN 'Low' ELSE NULL END) as sev, sum(num_events) as num_events from /*fabricStart*/(select dom, unnest(agg_sev) as severity, unnest(agg_num) as num_events from (select $DAY_OF_MONTH(agg_time) as dom, array[0, 1, 2, 3] as agg_sev, array[max(num_sev_critical), max(num_sev_high), max(num_sev_medium), max(num_sev_low)] as agg_num from $event_history where $filter-drilldown and $cust_time_filter(agg_time) group by dom order by dom) t)/*fabricEnd*/ t group by dom, severity order by dom, severity
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Total-Event-by-Severity-Category |
Total Events Count by Severity and Category |
select sev, triggername, sum(num_events) as num_events from /*fabricStart*/ ( select ( CASE severity WHEN 0 THEN & #039;Critical' WHEN 1 THEN 'High' WHEN 2 THEN 'Medium' WHEN 3 THEN 'Low' ELSE NULL END) as sev, triggername, count(*) as num_events from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $cust_time_filter(alerttime) and $filter-drilldown group by severity, triggername order by severity desc, triggername)/*fabricEnd*/ t group by sev, triggername order by sev desc, triggername
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Total-Incident-by-Severity |
Total Incidents by Severity |
select severity, count(num_inc) as num_inc from /*fabricStart*/ ( select severity, count(*) as num_inc from $incident where $filter - drilldown group by severity order by severity ) /*fabricEnd*/ t group by severity order by severity
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Total-Event-vs-Incident-History |
Total Events vs Incidents History |
select hodex, max(num_event_total) as num_event_total, max(num_inc_total) as num_inc_total, max(num_event_high) as num_event_high from /*fabricStart*/ ( select coalesce(t1.hodex, t2.hodex) as hodex, coalesce(num_event_total, 0) as num_event_total, coalesce(num_inc_total, 0) as num_inc_total, coalesce(num_event_high, 0) as num_event_high from ( select $flex_timescale(agg_time) as hodex, max(num_total) as num_event_total, max(num_sev_critical + num_sev_high) as num_event_high from $event_history where $cust_time_filter(agg_time) group by hodex order by hodex ) t1 full join ( select $flex_timescale(agg_time) as hodex, max( num_sev_high + num_sev_medium + num_sev_low ) as num_inc_total from $incident_history where $cust_time_filter(agg_time) group by hodex order by hodex ) t2 on t1.hodex = t2.hodex order by hodex ) /*fabricStart*/ t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Incident-by-Severity |
Incidents by Severity |
select severity, sum(incnum) as incnum from /*fabricStart*/ ( select severity, count(*) as incnum from $incident where $cust_time_filter(createtime) group by severity order by incnum desc ) /*fabricEnd*/ t group by severity order by incnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Incident-by-Status |
Incidents by Status |
select status, sum(incnum) as incnum from /*fabricStart*/ ( select status, count(*) as incnum from $incident where $cust_time_filter(createtime) group by status order by incnum desc ) /*fabricEnd*/ t group by status order by incnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Incident-by-Category-Unresolved |
Unresolved Incidents by Category |
select category, count(incnum) as incnum from /*fabricStart*/ ( select inc_cat_encode(category) as category, count(*) as incnum from $incident where $cust_time_filter(createtime) and status not in ( & #039;closed', 'cancelled') group by category order by incnum desc)/*fabricEnd*/ t group by category order by incnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Incident-by-Severity-Unresolved |
Unresolved Incidents by Severity |
select severity, sum(incnum) as incnum from /*fabricStart*/ ( select severity, count(*) as incnum from $incident where $cust_time_filter(createtime) and status not in ( & #039;closed', 'cancelled') group by severity order by incnum desc)/*fabricEnd*/ t group by severity order by incnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Incident-Timeline-by-Category |
Incidents Timeline by Category |
select hodex, max(num_cat1) as num_cat1, max(num_cat2) as num_cat2, max(num_cat3) as num_cat3, max(num_cat4) as num_cat4, max(num_cat5) as num_cat5, max(num_cat6) as num_cat6 from /*fabricStart*/ ( select $flex_timescale(agg_time) as hodex, max(num_cat_cat1) as num_cat1, max(num_cat_cat2) as num_cat2, max(num_cat_cat3) as num_cat3, max(num_cat_cat4) as num_cat4, max(num_cat_cat5) as num_cat5, max(num_cat_cat6) as num_cat6 from $incident_history where $cust_time_filter(agg_time) group by hodex order by hodex ) /*fabricEnd*/ t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Incident-List-Unresolved |
List of Unresolved Incidents |
select incnum, timestamp, severity, status, endpoint, description from /*fabricStart*/ ( select incid_to_str(incid) as incnum, from_itime(createtime) as timestamp, severity, status, endpoint, description from $incident where $cust_time_filter(createtime) and status not in ( & #039;closed', 'cancelled') order by severity desc)/*fabricEnd*/ t order by severity desc
Dataset Name |
Description |
Log Category |
---|---|---|
fex-RSRQ-timeline |
FortiExtender RSRQ timeline |
event |
select $flex_timescale(timestamp) as hodex, cast( sum(rsrq_sum)/ sum(count) as decimal(18, 2) ) || & #039;dB' as rsrq from ###(select $flex_timestamp(dtime) as timestamp, sum(to_number(rsrq, '999999.99')) as rsrq_sum, sum(to_number(sinr, '999999.99')) as sinr_sum, count(*) as count from $log where $filter and logid='0111046409' group by timestamp order by timestamp desc)### t group by hodex order by hodex desc
Dataset Name |
Description |
Log Category |
---|---|---|
fex-SINR-timeline |
FortiExtender SINR timeline |
event |
select $flex_timescale(timestamp) as hodex, cast( sum(sinr_sum)/ sum(count) as decimal(18, 0) ) || & #039;dB' as sinr from ###(select $flex_timestamp(dtime) as timestamp, sum(to_number(rsrq, '999999.99')) as rsrq_sum, sum(to_number(sinr, '999999.99')) as sinr_sum, count(*) as count from $log where $filter and logid='0111046409' group by timestamp order by timestamp desc)### t group by hodex order by hodex desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-device-monitoring-inventory |
FortiGate Device Monitoring Inventory |
event |
select devname, id_devid, ip, platform, os, total_num from /*fabricStart*/ ( select devname, ( & #039; ' || devid) as id_devid, ip, platform, os, '1' as total_num from $func-fgt-inventory as t1 where exists (select 1 from devtable_ext t2 where $dev_filter and t2.devid=t1.devid) order by devname)/*fabricEnd*/ t
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-inventory-hardware |
FortiGate Monitoring Inventory Hardware |
event |
select platform, sum(total_num) as total_num from /*fabricStart*/ ( select platform, count(*) as total_num from $func - fgt - inventory as t1 where exists ( select 1 from devtable_ext t2 where $dev_filter and t2.devid = t1.devid ) group by platform order by total_num desc ) /*fabricEnd*/ t group by platform order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-inventory-software |
FortiGate Monitoring Inventory Software |
event |
select sf_name, firmware, sum(total_num) as total_num from /*fabricStart*/ ( select & #039;FortiOS' as sf_name, (platform || ' ' || os) as firmware, count(*) as total_num from $func-fgt-inventory as t1 where exists (select 1 from devtable_ext t2 where $dev_filter and t2.devid=t1.devid) group by platform, os order by total_num desc)/*fabricEnd*/ t group by sf_name, firmware order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
cup-utilization-timeline-for-each-device |
FortiGate cpu utilization timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, cast( sum(total_cpu)/ sum(count) as decimal(6, 0) ) as cpu_ave, cast( sum(total_mem)/ sum(count) as decimal(6, 0) ) as mem_ave, cast( sum(total_disk)/ sum(count) as decimal(6, 0) ) as disk_ave, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
status-timeline-by-device-cpu-utilization |
FortiGate cpu summary view |
event |
select devid, cast( sum(total_cpu)/ sum(count) as decimal(6, 0) ) as cpu_ave, max(cpu_peak) as cpu_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by cpu_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-cpu-utilization-dev |
FortiGate cpu summary view |
event |
select devid, cast( sum(total_cpu)/ sum(count) as decimal(6, 0) ) as cpu_ave, max(cpu_peak) as cpu_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by cpu_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
memory-utilization-timeline-for-each-device |
FortiGate cpu utilization timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, cast( sum(total_cpu)/ sum(count) as decimal(6, 0) ) as cpu_ave, cast( sum(total_mem)/ sum(count) as decimal(6, 0) ) as mem_ave, cast( sum(total_disk)/ sum(count) as decimal(6, 0) ) as disk_ave, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
status-timeline-by-device-mem-utilization |
FortiGate memory summary view |
event |
select devid, cast( sum(total_mem)/ sum(count) as decimal(6, 0) ) as mem_ave, max(mem_peak) as mem_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by mem_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-mem-utilization-dev |
FortiGate memory summary view |
event |
select devid, cast( sum(total_mem)/ sum(count) as decimal(6, 0) ) as mem_ave, max(mem_peak) as mem_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by mem_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
disk-utilization-timeline-for-each-device |
FortiGate cpu utilization timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, cast( sum(total_cpu)/ sum(count) as decimal(6, 0) ) as cpu_ave, cast( sum(total_mem)/ sum(count) as decimal(6, 0) ) as mem_ave, cast( sum(total_disk)/ sum(count) as decimal(6, 0) ) as disk_ave, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
status-timeline-by-device-disk-utilization |
FortiGate disk summary view |
event |
select devid, cast( sum(total_disk)/ sum(count) as decimal(6, 0) ) as disk_ave, max(disk_peak) as disk_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by disk_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-disk-utilization-dev |
FortiGate disk summary view |
event |
select devid, cast( sum(total_disk)/ sum(count) as decimal(6, 0) ) as disk_ave, max(disk_peak) as disk_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by disk_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-total-session-summary |
FortiGate Total Sessions |
event |
select devid, max(session_peak) as max_session, cast( sum(totalsession)/ sum(count) as decimal(10, 0) ) as sessions, max(cps_peak) as cps_peak, cast( sum(cps)/ sum(count) as decimal(10, 0) ) as cps_ave from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by max_session desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-session-rate-summary |
FortiGate Session Rate |
event |
select devid, max(cps_peak) as max_rate from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by max_rate desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-session-summary-dev |
FortiGate Total Sessions |
event |
select devid, max(session_peak) as max_session, cast( sum(totalsession)/ sum(count) as decimal(10, 0) ) as sessions, max(cps_peak) as cps_peak, cast( sum(cps)/ sum(count) as decimal(10, 0) ) as cps_ave from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by max_session desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-down-timeline-for-each-device |
FortiGate Interface Down Timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, devid, status, count(*) as total_num from $log where $filter and logid_to_int(logid)=20099 and status='DOWN' group by timestamp, devid, status)### t where $filter-drilldown group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-down-timeline-by-device |
FortiGate Interface Down by Device |
event |
select devid, status, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, devid, status, count(*) as total_num from $log where $filter and logid_to_int(logid)=20099 and status='DOWN' group by timestamp, devid, status)### t group by devid, status order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-down-dev-donut |
FortiGate Interface Down by Device |
event |
select devid, status, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, devid, status, count(*) as total_num from $log where $filter and logid_to_int(logid)=20099 and status='DOWN' group by timestamp, devid, status)### t group by devid, status order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-down-dev-tbl |
FortiGate Interface Down by Device |
event |
select devid, status, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, devid, status, count(*) as total_num from $log where $filter and logid_to_int(logid)=20099 and status='DOWN' group by timestamp, devid, status)### t group by devid, status order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
intf-sent-timeline-for-each-device |
FortiGate cpu utilization timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, cast( sum(total_cpu)/ sum(count) as decimal(6, 0) ) as cpu_ave, cast( sum(total_mem)/ sum(count) as decimal(6, 0) ) as mem_ave, cast( sum(total_disk)/ sum(count) as decimal(6, 0) ) as disk_ave, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
status-timeline-by-device-intf-sent |
FortiGate interface summary view |
event |
select devid, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps, cast( sum(sent + recv)/ sum(count) as decimal(10, 0) ) as transmit_kbps, max(transmit_peak) as transmit_kbps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by transmit_kbps_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
intf-recv-timeline-for-each-device |
FortiGate cpu utilization timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, cast( sum(total_cpu)/ sum(count) as decimal(6, 0) ) as cpu_ave, cast( sum(total_mem)/ sum(count) as decimal(6, 0) ) as mem_ave, cast( sum(total_disk)/ sum(count) as decimal(6, 0) ) as disk_ave, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
status-timeline-by-device-intf-recv |
FortiGate interface summary view |
event |
select devid, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps, cast( sum(sent + recv)/ sum(count) as decimal(10, 0) ) as transmit_kbps, max(transmit_peak) as transmit_kbps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by transmit_kbps_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
event-intf-summary-dev |
FortiGate interface summary view |
event |
select devid, cast( sum(sent)/ sum(count) as decimal(10, 0) ) as sent_kbps, cast( sum(recv)/ sum(count) as decimal(10, 0) ) as recv_kbps, cast( sum(sent + recv)/ sum(count) as decimal(10, 0) ) as transmit_kbps, max(transmit_peak) as transmit_kbps_peak from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by devid order by transmit_kbps_peak desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-util-in-each |
FortiGate Interface Statistics Timeline |
event |
select $flex_timescale(tmstamp) as hodex, ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from intfstats where $cust_time_filter(timestamp) group by tmstamp, dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid where $filter-drilldown group by hodex, dev_intf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-util-in |
FortiGate Interface Received Utilization |
event |
select ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, tbl_intf.dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from (select distinct dvid from ###(select dvid from $log-event where $filter and action='perf-stats' group by dvid)### t) tbl_log inner join intfstats tbl_intf on tbl_log.dvid = tbl_intf.dvid where $cust_time_filter(timestamp) group by tmstamp, tbl_intf.dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid group by dev_intf order by util_in_avg desc, kbps_in_avg desc, kbps_out_avg desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-util-out-each |
FortiGate Interface Statistics Timeline |
event |
select $flex_timescale(tmstamp) as hodex, ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from intfstats where $cust_time_filter(timestamp) group by tmstamp, dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid where $filter-drilldown group by hodex, dev_intf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-util-out |
FortiGate Interface Sent Utilization |
event |
select ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, tbl_intf.dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from (select distinct dvid from ###(select dvid from $log-event where $filter and action='perf-stats' group by dvid)### t) tbl_log inner join intfstats tbl_intf on tbl_log.dvid = tbl_intf.dvid where $cust_time_filter(timestamp) group by tmstamp, tbl_intf.dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid group by dev_intf order by util_out_avg desc, kbps_out_avg desc, kbps_in_avg desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-bit-rate-in-each |
FortiGate Interface Statistics Timeline |
event |
select $flex_timescale(tmstamp) as hodex, ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from intfstats where $cust_time_filter(timestamp) group by tmstamp, dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid where $filter-drilldown group by hodex, dev_intf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-bit-rate-in |
FortiGate Interface Received Bit Rate |
event |
select ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, tbl_intf.dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from (select distinct dvid from ###(select dvid from $log-event where $filter and action='perf-stats' group by dvid)### t) tbl_log inner join intfstats tbl_intf on tbl_log.dvid = tbl_intf.dvid where $cust_time_filter(timestamp) group by tmstamp, tbl_intf.dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid group by dev_intf order by kbps_in_avg desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-bit-rate-out-each |
FortiGate Interface Statistics Timeline |
event |
select $flex_timescale(tmstamp) as hodex, ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from intfstats where $cust_time_filter(timestamp) group by tmstamp, dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid where $filter-drilldown group by hodex, dev_intf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-timeline-bit-rate-out |
FortiGate Interface Sent Bit Rate |
event |
select ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, tbl_intf.dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from (select distinct dvid from ###(select dvid from $log-event where $filter and action='perf-stats' group by dvid)### t) tbl_log inner join intfstats tbl_intf on tbl_log.dvid = tbl_intf.dvid where $cust_time_filter(timestamp) group by tmstamp, tbl_intf.dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid group by dev_intf order by kbps_out_avg desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-intf-stats-summary-view |
FortiGate Interface Received Utilization |
event |
select ( devname || & #039;:' || intfname) as dev_intf, cast(sum(bps_out)/sum(interval)/1000 as decimal(10, 0)) as kbps_out_avg, cast(sum(bps_in)/sum(interval)/1000 as decimal(10, 0)) as kbps_in_avg, cast(sum(util_out)/sum(interval)/100 as decimal(10, 2)) as util_out_avg, cast(sum(util_in)/sum(interval)/100 as decimal(10, 2)) as util_in_avg from /*fabricStart*/(select $flex_timestamp(timestamp) as tmstamp, tbl_intf.dvid, intfname, sum(interval) as interval, sum(sentbps*interval) as bps_out, sum(rcvdbps*interval) as bps_in, sum(sentutil*interval) as util_out, sum(rcvdutil*interval) as util_in from (select distinct dvid from ###(select dvid from $log-event where $filter and action='perf-stats' group by dvid)### t) tbl_log inner join intfstats tbl_intf on tbl_log.dvid = tbl_intf.dvid where $cust_time_filter(timestamp) group by tmstamp, tbl_intf.dvid, intfname)/*fabricEnd*/ t1 left join devtable_ext t2 on t1.dvid = t2.dvid group by dev_intf order by util_in_avg desc, kbps_in_avg desc, kbps_out_avg desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-ha-failure-timeline |
FortiGate HA Failure Timeline |
event |
select $flex_timescale(timestamp) as hodex, count(*) as total_num from ###(select $flex_timestamp as timestamp, dtime, devid, coalesce(nullifna(logdesc), msg) as msg_desc from $log where $filter and subtype='ha' and logid_to_int(logid) in (35011, 35012, 35013, 37892, 37893, 37897, 37898, 37901, 37902, 37907, 37908) order by dtime desc)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-ha-failure-summary |
FortiGate HA Failure Summary |
event |
select from_dtime(dtime) as time_s, devid, msg_desc from ###(select $flex_timestamp as timestamp, dtime, devid, coalesce(nullifna(logdesc), msg) as msg_desc from $log where $filter and subtype='ha' and logid_to_int(logid) in (35011, 35012, 35013, 37892, 37893, 37897, 37898, 37901, 37902, 37907, 37908) order by dtime desc)### t order by time_s desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-env-faults-power |
FortiGate Power Supply Faults |
event |
select time_s, devid, msg_desc from ###(select from_dtime(dtime) as time_s, devid, coalesce(nullifna(logdesc), msg) as msg_desc, logid_to_int(logid) as logid from $log where $filter and logid_to_int(logid) in (22105, 22107, 22108, 22109) order by time_s desc)### t where logid in (22105, 22107) order by time_s desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-env-faults-fan |
FortiGate Fan Faults |
event |
select time_s, devid, msg_desc from ###(select from_dtime(dtime) as time_s, devid, coalesce(nullifna(logdesc), msg) as msg_desc, logid_to_int(logid) as logid from $log where $filter and logid_to_int(logid) in (22105, 22107, 22108, 22109) order by time_s desc)### t where logid=22108 order by time_s desc
Dataset Name |
Description |
Log Category |
---|---|---|
fgt-env-faults-temperature |
FortiGate Temperatre Too High |
event |
select time_s, devid, msg_desc from ###(select from_dtime(dtime) as time_s, devid, coalesce(nullifna(logdesc), msg) as msg_desc, logid_to_int(logid) as logid from $log where $filter and logid_to_int(logid) in (22105, 22107, 22108, 22109) order by time_s desc)### t where logid=22109 order by time_s desc
Dataset Name |
Description |
Log Category |
---|---|---|
Behaviour-Banned-Application |
Bullying Chat Search and Message Logging by Platforms |
app-ctrl |
select app, count(*) as requests from ###(select filename, app, itime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip` from $log where $filter and ($bully_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) order by itime desc)### t group by app order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Behaviour-Banned-User |
Bullying Chat Search and Message Logging by Users |
app-ctrl |
select user_src, count(*) as requests from ###(select filename, app, itime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip` from $log where $filter and ($bully_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) order by itime desc)### t group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Behaviour-Banned-User-Drilldown |
Users Bullying Chat Search and Message Logging |
app-ctrl |
select user_src, filename, min(id) as id, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct from_itime(itime)::text, ' ') as itime_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select filename, app, itime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip` from $log where $filter and ($bully_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) order by itime desc)### t left join app_mdata t2 on lower(t.app)=lower(t2.name) group by user_src, filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Behaviour-Banned-User-Drilldown-per-App |
Users Bullying Chat Search and Message Logging |
app-ctrl |
select user_src, filename, min(id) as id, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct from_itime(itime)::text, ' ') as itime_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select filename, app, itime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip` from $log where $filter and ($bully_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) order by itime desc)### t left join app_mdata t2 on lower(t.app)=lower(t2.name) group by user_src, filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
behaviour-banned |
Bullying Chat Search and Message Logging |
app-ctrl |
select filename, min(id) as id, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct from_itime(itime)::text, ' ') as itime_agg, string_agg(distinct user_src, ', ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select filename, app, itime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip` from $log where $filter and ($bully_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) order by itime desc)### t left join app_mdata t2 on lower(t.app)=lower(t2.name) group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Self-Harm-Behaviour-Banned-User-Pie |
Self-Harm Chat Search and Message Logging |
app-ctrl |
select filename, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct user_src, ' ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Self-Harm-Behaviour-Banned-Application-Pie |
Self-Harm Chat Search and Message Logging |
app-ctrl |
select filename, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct user_src, ' ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Self-Harm-Behaviour-Banned-User-Bar |
Self-Harm Chat Search and Message Logging |
app-ctrl |
select filename, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct user_src, ' ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Self-Harm-Behaviour-Banned-User-Drilldown |
Self-Harm Chat Search and Message Logging |
app-ctrl |
select filename, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct user_src, ' ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Self-Harm-behaviour-banned |
Self-Harm Chat Search and Message Logging |
app-ctrl |
select filename, string_agg( distinct app, & #039; ') as app_agg, string_agg(distinct user_src, ' ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(`srcip`), ' ') as srcip_agg, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
self-harm-Risky-Terms-By-App |
Self-Harm Chat Search and Message Logging by Platforms |
app-ctrl |
select app, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by app order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
self-harm-Risky-Terms-Timeline |
Self-Harm Chat Search and Message Logging Timeline |
app-ctrl |
select $flex_timescale(timestamp) as hodex, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by hodex order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
self-harm-Risky-Term-User-Drilldown |
Self-Harm Chat Search and Message Logging by Users |
app-ctrl |
select user_src, filename, count(*) as requests from ###(select $flex_timestamp as timestamp, filename, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, `srcip`, count(*) as total_num from $log where $filter and ($banned_keywords) and (lower(app) in ('facebook_post', 'facebook_chat', 'twitter_post', 'youtube_video.access', 'gmail_chat', 'gmail_send.message', 'linkedin_post', 'vimeo_video.access', 'google.search_search.phrase', 'bing.search_search.phrase')) group by timestamp, filename, app, user_src, `group`, `srcip` /*SkipSTART*/order by total_num desc, timestamp desc/*SkipEND*/)### t group by user_src, filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Browsing-Time-per-Social-Media |
Browsing Time vs. Domain |
traffic |
select domain, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ###(select domain, f_user, srcip, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select app_group_name(app) as app_group, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, srcip, coalesce(nullifna(root_domain(hostname)), ipstr(dstip), NULL) as domain, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by app_group, f_user, hostname, domain, srcip, dstip) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by domain, f_user, srcip order by browsetime, bandwidth desc)### t where browsetime is not null group by domain order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
Social-Networking-Bar-Graph |
Social Networking Browsing Time |
traffic |
select f_user, sum(bandwidth) as bandwidth from ###(select domain, f_user, srcip, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select app_group_name(app) as app_group, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, srcip, coalesce(nullifna(root_domain(hostname)), ipstr(dstip), NULL) as domain, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by app_group, f_user, hostname, domain, srcip, dstip) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by domain, f_user, srcip order by browsetime, bandwidth desc)### t where bandwidth>0 group by f_user order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Social-Networking-Durations-Sources-Drilldown |
Top Social Networking Durations from Sources Drilldown |
traffic |
select f_user, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ###(select domain, f_user, srcip, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select app_group_name(app) as app_group, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, srcip, coalesce(nullifna(root_domain(hostname)), ipstr(dstip), NULL) as domain, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by app_group, f_user, hostname, domain, srcip, dstip) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by domain, f_user, srcip order by browsetime, bandwidth desc)### t where $filter-drilldown and browsetime is not null group by f_user order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Social-Networking-Durations-Domains-Drilldown |
Browsing Time vs. Domain |
traffic |
select domain, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ###(select domain, f_user, srcip, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth from (select app_group_name(app) as app_group, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, srcip, coalesce(nullifna(root_domain(hostname)), ipstr(dstip), NULL) as domain, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter and (logflag&1>0) group by app_group, f_user, hostname, domain, srcip, dstip) t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where app_cat='Social.Media' group by domain, f_user, srcip order by browsetime, bandwidth desc)### t where browsetime is not null group by domain order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
Facebook-Posts |
Facebook Posts |
app-ctrl |
select i_time, f_user, srcip, filename from ###(select from_itime(itime) as i_time, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, srcip, filename, app from $log where $filter and filename is not null order by i_time desc)### t where lower(app)=lower('Facebook_Post') order by i_time desc
Dataset Name |
Description |
Log Category |
---|---|---|
Facebook-Chats |
Facebook Chats |
app-ctrl |
select filename, string_agg( distinct from_itime(itime): :text, & #039; ') as itime_agg, string_agg(distinct user_src, ' ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(srcip), ' ') as srcip_agg, count(*) as requests from ###(select filename, itime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, srcip, app from $log where $filter and filename is not null order by itime desc)### t where lower(app)=lower('Facebook_Chat') group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
Twitter-Posts |
Twitter Posts |
app-ctrl |
select i_time, f_user, srcip, filename from ###(select from_itime(itime) as i_time, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, srcip, filename, app from $log where $filter and filename is not null order by i_time desc)### t where lower(app)=lower('Twitter_Post') order by i_time desc
Dataset Name |
Description |
Log Category |
---|---|---|
LinkedIn-Posts-and-Comments |
LinkedIn Posts and Comments |
app-ctrl |
select filename, string_agg( distinct from_itime(itime): :text, & #039; ') as itime_agg, string_agg(distinct user_src, ' ') as user_agg, string_agg(distinct `group`, ' ') as group_agg, string_agg(distinct ipstr(srcip), ' ') as srcip_agg, count(*) as requests from ###(select filename, itime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, `group`, srcip, app from $log where $filter and filename is not null order by itime desc)### t where lower(app)=lower('LinkedIn_Post') group by filename order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-fw-Device-Interface-Quality_Bibandwidth-drilldown |
SD-WAN Device-Interface Statistic |
event |
select devid, sum(bibandwidth)/ sum(count) as bibandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and bibandwidth is not null group by devid having sum(count)>0 order by bibandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Interface-Latency-Line |
SD-WAN Device-Interface Latency Timeline |
event |
select $flex_timescale(timestamp) as hodex, t1.interface, min(latency) as latency from ( select timestamp, devid, interface, ( case when sum(count_linkup)> 0 then sum(latency)/ sum(count_linkup) else NULL end ) as latency from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, interface having sum(count)>0) t1 inner join (select interface, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and interface is not null group by interface order by num_intf desc limit $ddown-top)t2 on t1.interface=t2.interface group by hodex, t1.interface order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Interface-Jitter-Line |
SD-WAN Device-Interface Jitter Timeline |
event |
select $flex_timescale(timestamp) as hodex, t1.interface, min(jitter) as jitter from ( select timestamp, devid, interface, ( case when sum(count_linkup)> 0 then sum(jitter)/ sum(count_linkup) else NULL end ) as jitter from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, interface having sum(count)>0) t1 inner join (select interface, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and interface is not null group by interface order by num_intf desc limit $ddown-top)t2 on t1.interface=t2.interface group by hodex, t1.interface order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Interface-Packetloss-Line |
SD-WAN Device-Interface Packetloss Timeline |
event |
select $flex_timescale(timestamp) as hodex, t1.interface, min(packetloss) as packetloss from ( select timestamp, devid, interface, ( case when sum(count_linkup)> 0 then sum(packetloss)/ sum(count_linkup) else NULL end ) as packetloss from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, interface having sum(count)>0) t1 inner join (select interface, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and interface is not null group by interface order by num_intf desc limit $ddown-top)t2 on t1.interface=t2.interface group by hodex, t1.interface order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Latency-Line |
SD-WAN Device Latency Timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, min(latency) as latency from ( select timestamp, devid, interface, ( case when sum(count_linkup)> 0 then sum(latency)/ sum(count_linkup) else NULL end ) as latency from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and latency is not null group by timestamp, devid, interface having sum(count)>0) t1 group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Jitter-Line |
SD-WAN Device Jitter Timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, min(jitter) as jitter from ( select timestamp, devid, interface, ( case when sum(count_linkup)> 0 then sum(jitter)/ sum(count_linkup) else NULL end ) as jitter from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and jitter is not null group by timestamp, devid, interface having sum(count)>0) t1 group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Packetloss-Line |
SD-WAN Device Packet Loss Timeline |
event |
select $flex_timescale(timestamp) as hodex, devid, min(packetloss) as packetloss from ( select timestamp, devid, interface, ( case when sum(count_linkup)> 0 then sum(packetloss)/ sum(count_linkup) else NULL end ) as packetloss from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and packetloss is not null group by timestamp, devid, interface having sum(count)>0) t1 group by hodex, devid order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Interface-Summary-by-Bibandwidth |
SD-WAN Device Interface Summary by Bibandwidth |
event |
select devid, interface, sum(bibandwidth)/ sum(count) as bibandwidth, cast( min(latency_min) as decimal(18, 2) ) as latency_min, cast( ( case when sum(count_linkup)> 0 then sum(latency)/ sum(count_linkup) else NULL end ) as decimal(18, 2) ) as latency_avg, cast( max(latency_max) as decimal(18, 2) ) as latency_max, cast( min(jitter_min) as decimal(18, 2) ) as jitter_min, cast( ( case when sum(count_linkup)> 0 then sum(jitter)/ sum(count_linkup) else NULL end ) as decimal(18, 2) ) as jitter_avg, cast( max(jitter_max) as decimal(18, 2) ) as jitter_max, cast( min(packetloss_min) as decimal(18, 2) ) as packetloss_min, cast( ( case when sum(count_linkup)> 0 then sum(packetloss)/ sum(count_linkup) else NULL end ) as decimal(18, 2) ) as packetloss_avg, cast( max(packetloss_max) as decimal(18, 2) ) as packetloss_max from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and interface is not null group by devid, interface having sum(count)>0 order by devid, interface
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Top-App-By-Bandwidth |
Top SD-WAN application by bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Top-App-By-Bandwidth-Sankey |
Top SD-WAN application by bandwidth usage |
traffic |
select & #039;SD-WAN Utilization' as summary, app_group, devid, dstintf as interface, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by app_group, devid, interface order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Interface-bandwidth-Drilldown |
SD-WAN Device Statistic by Bibandwidth |
event |
select devid, sum(bibandwidth)/ sum(count) as bibandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and bibandwidth is not null group by devid having sum(count)>0 order by bibandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Rules-Donut-Bandwidth |
Top SD-WAN Links bandwidth |
traffic |
select coalesce( rulename, & #039;Unknown') as rulename, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by rulename order by bandwidth desc limit 10
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-device-interface-bandwidth |
Top SD-WAN Links bandwidth |
traffic |
select interface, sum(bandwidth) as bandwidth from ( ( select srcintf as interface, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where srcintfrole='wan' and $filter-drilldown group by interface) union all (select dstintf as interface, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by interface)) t group by interface order by bandwidth desc limit 10
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Top-Application-Session-Bandwidth |
Top SD-WAN application by bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Top-Users-By-Bandwidth-Bar |
SD-WAN Top users by bandwidth usage |
traffic |
select user_src, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by user_src order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-top-user-app-Drilldown |
SD-WAN Top users and Application by bandwidth |
traffic |
select user_src, app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by user_src, app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intfe-traffic-out-bandwidth-Line |
SD-WAN Device-Interface traffic sent bandwidth Timeline |
traffic |
select $flex_timescale(timestamp) as hodex, t1.dstintf as interface, sum(traffic_out) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t1 inner join (select dstintf, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by dstintf order by num_intf desc limit $ddown-top)t2 on t1.dstintf=t2.dstintf group by hodex, t1.dstintf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intfe-traffic-in-bandwidth-Line |
SD-WAN Device-Interface traffic received bandwidth Timeline |
traffic |
select $flex_timescale(timestamp) as hodex, t1.srcintf as interface, sum(traffic_in) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t1 inner join (select srcintf, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and srcintf is not null and srcintfrole ='wan' group by srcintf order by num_intf desc limit $ddown-top)t2 on t1.srcintf=t2.srcintf group by hodex, t1.srcintf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intfe-traffic-bandwidth-Line |
SD-WAN Device-Interface traffic sent bandwidth Timeline |
traffic |
select $flex_timescale(timestamp) as hodex, t1.dstintf as interface, sum(traffic_out) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t1 inner join (select dstintf, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by dstintf order by num_intf desc limit $ddown-top)t2 on t1.dstintf=t2.dstintf group by hodex, t1.dstintf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-SLA-Interface-bandwidth-Drilldown |
SD-WAN Device Statistic by Bibandwidth |
event |
select devid, sum(bibandwidth)/ sum(count) as bibandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and bibandwidth is not null group by devid having sum(count)>0 order by bibandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-SLA-Rule-Latency-Line |
SD-WAN Device-SLA-Rule Latency Line |
event |
select $flex_timescale(timestamp) as hodex, t1.intf_sla, ( case when sum(count_linkup)> 0 then sum(latency)/ sum(count_linkup) else NULL end ) as latency from ( select timestamp, interface || & #039;:' || sla_rule as intf_sla, sum(latency) as latency, sum(count_linkup) as count_linkup from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where latency is not null group by timestamp, intf_sla having sum(count)>0) t1 inner join (select interface || ':' || sla_rule as intf_sla, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and sla_rule is not null group by intf_sla order by num_intf desc limit $ddown-top)t2 on t1.intf_sla=t2.intf_sla group by hodex, t1.intf_sla order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-SLA-Rule-Jitter-Line |
SD-WAN Device-SLA-Rule Jitter Line |
event |
select $flex_timescale(timestamp) as hodex, t1.intf_sla, ( case when sum(count_linkup)> 0 then sum(jitter)/ sum(count_linkup) else NULL end ) as jitter from ( select timestamp, interface || & #039;:' || sla_rule as intf_sla, sum(jitter) as jitter, sum(count_linkup) as count_linkup from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where jitter is not null group by timestamp, intf_sla having sum(count)>0) t1 inner join (select interface || ':' || sla_rule as intf_sla, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and sla_rule is not null group by intf_sla order by num_intf desc limit $ddown-top)t2 on t1.intf_sla=t2.intf_sla group by hodex, t1.intf_sla order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-SLA-Rule-Packetloss-Line |
SD-WAN Device-SLA-Rule Packetloss Line |
event |
select $flex_timescale(timestamp) as hodex, t1.intf_sla, ( case when sum(count_linkup)> 0 then sum(packetloss)/ sum(count_linkup) else NULL end ) as packetloss from ( select timestamp, interface || & #039;:' || sla_rule as intf_sla, sum(packetloss) as packetloss, sum(count_linkup) as count_linkup from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where packetloss is not null group by timestamp, intf_sla having sum(count)>0) t1 inner join (select interface || ':' || sla_rule as intf_sla, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and sla_rule is not null group by intf_sla order by num_intf desc limit $ddown-top)t2 on t1.intf_sla=t2.intf_sla group by hodex, t1.intf_sla order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-device-sla-intf-latency-pass-percent |
SD-WAN Device Latency Pass Percentage by SLA rules and Interface |
event |
select sla_rule, interface, cast( 100 *( 1 - sum(failed_latency)/ sum(count_linkup) ) as decimal(18, 2) ) as latency from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and sla_rule is not null group by sla_rule, interface having sum(count_linkup)>0 order by latency desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-device-sla-intf-jitter-pass-percent |
SD-WAN Device Jitter Pass Percentage by SLA rules and Interface |
event |
select sla_rule, interface, cast( 100 *( 1 - sum(failed_jitter)/ sum(count_linkup) ) as decimal(18, 2) ) as jitter from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and sla_rule is not null group by sla_rule, interface having sum(count_linkup)>0 order by jitter desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-device-sla-intf-packetloss-pass-percent |
SD-WAN Device Packet Loss Pass Percentage by SLA rules and Interface |
event |
select sla_rule, interface, cast( 100 *( 1 - sum(failed_packetloss)/ sum(count_linkup) ) as decimal(18, 2) ) as packetloss from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and sla_rule is not null group by sla_rule, interface having sum(count_linkup)>0 order by packetloss desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intf-List-by-Availability |
SD-WAN Device Interface List by Availability |
event |
select devname || & #039;:' || interface as dev_intf, sum(count_linkup)/sum(count) as available from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown group by dev_intf having sum(count)>0 order by dev_intf
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intf-Updown-Timeline |
SD-WAN Device Interface Updown Time Line |
event |
select $fv_line_timescale(timestamp) as hodex, devname || & #039;:' || interface as dev_intf, cast(100*sum(count_linkup)/sum(count) as decimal(10,2)) as sdwan_status from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex, dev_intf order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Availability-status |
SD-WAN Device Statistic by Bibandwidth |
event |
select devid, sum(bibandwidth)/ sum(count) as bibandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and bibandwidth is not null group by devid having sum(count)>0 order by bibandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-device-intf-availability-percentage-bar |
SD-WAN Device Interface Availability Percentage |
event |
( select & #039;SD-WAN' as interface, cast(sum(availcnt)*100.0/sum(count) as decimal(18,2)) as available from (select timestamp, devid, first_value(count) OVER (PARTITION BY timestamp, devid ORDER BY link_status/count desc, count desc) as count, first_value(link_status) OVER (PARTITION BY timestamp, devid ORDER BY link_status/count desc, count desc) as availcnt from (select timestamp, devid, interface, sum(link_status) as link_status, sum(count) as count from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and count>0 group by timestamp, devid, interface)t) t group by interface) union all (select interface, cast(sum(link_status)*100.0/sum(count) as decimal(18,2)) as available from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown group by interface order by interface)
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-device-intf-availability-percentage-donut |
SD-WAN Device Interface Availability Percentage Donut |
event |
select interface, unnest(avail) as avail, unnest(val) as val from ( select interface, array[ & #039;Available', 'Unavailable'] as avail, array[available, 100-available] as val from ((select 'SD-WAN' as interface, cast(sum(availcnt)*100.0/sum(count) as decimal(18,2)) as available from (select timestamp, devid, first_value(count) OVER (PARTITION BY timestamp, devid ORDER BY link_status/count desc, count desc) as count, first_value(link_status) OVER (PARTITION BY timestamp, devid ORDER BY link_status/count desc, count desc) as availcnt from (select timestamp, devid, interface, sum(link_status) as link_status, sum(count) as count from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and count>0 group by timestamp, devid, interface)t) t group by interface) union all (select interface, cast(sum(link_status)*100.0/sum(count) as decimal(18,2)) as available from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown group by interface order by interface)) t) t
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Application-sdwan-Rules-and-Ports-drilldown |
SD-WAN Device Statistic by Bibandwidth |
event |
select devid, sum(bibandwidth)/ sum(count) as bibandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and bibandwidth is not null group by devid having sum(count)>0 order by bibandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Interface-Application-Traffic-Sankey |
Top SD-WAN application by bandwidth sankey |
traffic |
select & #039;SD-WAN Rules' as summary, 'Rule:' || coalesce(rulename, 'Unknown') as rule_name, app_group, devid, dstintf as interface, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by rule_name, app_group, devid, interface order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-fw-Device-Interface-test3 |
SD-WAN Device-Interface Statistic |
event |
select devid, sum(bibandwidth)/ sum(count) as bibandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and bibandwidth is not null group by devid having sum(count)>0 order by bibandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Total-Bandwidth-Internal-And-External2 |
CTAP SD-WAN Internal and External Bandwidth |
traffic |
select dstintf as interface, coalesce( sum(bandwidth), 0 ) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by interface
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intf-Avail-Percentage-Timeline |
SD-WAN Device Interface Availability Percentage Timeline |
event |
select hodex, interface, available from ( ( select $flex_datetime(timestamp) as hodex, & #039;SD-WAN' as interface, cast(sum(availcnt)*100.0/sum(count) as decimal(18,2)) as available from (select timestamp, devid, first_value(count) OVER (PARTITION BY timestamp, devid ORDER BY link_status/count desc, count desc) as count, first_value(link_status) OVER (PARTITION BY timestamp, devid ORDER BY link_status/count desc, count desc) as availcnt from (select timestamp, devid, interface, sum(link_status) as link_status, sum(count) as count from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and count>0 group by timestamp, devid, interface)t) t group by hodex order by hodex) union all (select $flex_datetime(timestamp) as hodex, interface, cast(sum(link_status)*100.0/sum(count) as decimal(18,2)) as available from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown group by hodex, interface order by hodex)) t order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intf-Inbandwidth-Timeline |
SD-WAN Device-Interface Inbandwidth Timeline |
event |
select $flex_timescale(timestamp) as time, t1.interface, cast( sum(inbandwidth)/ sum(count) as decimal(18, 2) ) as inbandwidth from ( select timestamp, devid, interface, sum(count) as count, sum(inbandwidth) as inbandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, interface) t1 inner join (select devid, interface, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown group by devid, interface order by num_intf desc limit $ddown-top)t2 on t1.interface=t2.interface and t1.devid=t2.devid group by time, t1.interface having sum(count)>0 order by time
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Device-Intf-Outbandwidth-Timeline |
SD-WAN Device-Interface Outbandwidth Timeline |
event |
select $flex_timescale(timestamp) as time, t1.interface, cast( sum(outbandwidth)/ sum(count) as decimal(18, 2) ) as outbandwidth from ( select timestamp, devid, interface, sum(count) as count, sum(outbandwidth) as outbandwidth from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by timestamp, devid, interface) t1 inner join (select devid, interface, count(*) as num_intf from ###(select $flex_timestamp as timestamp, csf, devname, devid, vd, interface, healthcheck as sla_rule, sum(link_status) as link_status, sum(failed_latency) as failed_latency, sum(failed_jitter) as failed_jitter, sum(failed_packetloss) as failed_packetloss, sum(latency) as latency, max(latency) as latency_max, min(latency) as latency_min, sum(jitter) as jitter, max(jitter) as jitter_max, min(jitter) as jitter_min, sum(packetloss) as packetloss, max(packetloss) as packetloss_max, min(packetloss) as packetloss_min, sum(inbandwidth) as inbandwidth, sum(outbandwidth) as outbandwidth, sum(bibandwidth) as bibandwidth, count(*) as count, sum(CASE WHEN link_status=1 THEN 1 ELSE 0 END) AS count_linkup, min(sdwan_status) as sdwan_status from (select itime, csf, devname, devid, vd, interface, healthcheck, link_status, (CASE WHEN link_status=1 THEN latency ELSE NULL END) AS latency, (CASE WHEN link_status=1 THEN jitter ELSE NULL END) AS jitter, (CASE WHEN link_status=1 THEN packetloss ELSE NULL END) AS packetloss, (CASE WHEN sla_failed=1 AND metric='packetloss' THEN 1 ELSE 0 END) AS failed_packetloss, (CASE WHEN sla_failed=1 AND metric='jitter' THEN 1 ELSE 0 END) AS failed_jitter, (CASE WHEN sla_failed=1 AND metric='latency' THEN 1 ELSE 0 END) AS failed_latency, (CASE WHEN sla_failed=1 THEN 3 ELSE sdwan_status END) AS sdwan_status, (CASE WHEN link_status=1 THEN inbandwidth ELSE 0 END) AS inbandwidth, (CASE WHEN link_status=1 THEN outbandwidth ELSE 0 END) AS outbandwidth, (CASE WHEN link_status=1 THEN bibandwidth ELSE 0 END) AS bibandwidth from (select itime, csf, devname, devid, vd, interface, healthcheck, (CASE WHEN status='down' THEN 0 ELSE 1 END) AS link_status, latency::float as latency, jitter::float as jitter, trim(trailing '%' from packetloss)::float as packetloss, (CASE WHEN status='down' THEN 1 WHEN msg LIKE '%SLA failed%' THEN 1 ELSE 0 END) AS sla_failed, metric, (CASE WHEN msg LIKE '%SLA status%' THEN 1 ELSE 0 END) AS sdwan_status, convert_unit_to_num(inbandwidthused) as inbandwidth, convert_unit_to_num(outbandwidthused) as outbandwidth, convert_unit_to_num(bibandwidthused) as bibandwidth from $log where $filter and logid_to_int(logid) in (22925, 22933, 22936) and interface is not null) t ) t group by timestamp, csf, devname, devid, vd, interface, healthcheck /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown group by devid, interface order by num_intf desc limit $ddown-top)t2 on t1.interface=t2.interface and t1.devid=t2.devid group by time, t1.interface having sum(count)>0 order by time
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Web-Sites-by-Bandwidth |
Top web sites by bandwidth usage |
webfilter |
select domain, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by domain having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by domain order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-App-Category-by-Session |
Application risk application usage by category |
traffic |
select appcat, sum(sessions) as total_num from ###(select appid, app, appcat, apprisk, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t where $filter-drilldown group by appcat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Region-Name-by-Traffic |
Traffic top destination countries by browsing time |
traffic |
select dstcountry, sum(bandwidth) as bandwidth from ###(select dstcountry, ebtr_agg_flat(browsetime) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from (select dstcountry, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and (logflag&1>0) and $browse_time is not null group by dstcountry) t group by dstcountry /*SkipSTART*/order by ebtr_value(ebtr_agg_flat(browsetime), null, null) desc/*SkipEND*/)### t where $filter-drilldown group by dstcountry order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-App-By-Bandwidth-Chart |
Top applications by bandwidth usage |
traffic |
select app_group_name(app) as app_group, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(sessions) as sessions from ###(select appid, app, appcat, apprisk, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t group by app_group having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Protocols-By-Traffic |
Top applications by bandwidth usage |
traffic |
select service, sum(bandwidth) as bandwidth from ###(select service, sum(bandwidth) as bandwidth from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### base_query group by service order by bandwidth desc)### t where $filter-drilldown group by service order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Web-Sites-by-Sessions |
Top web sites by session count |
webfilter |
select domain, sum(sessions) as sessions from ###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, count(*) as sessions from $log where $filter group by domain order by sessions desc)### t group by domain order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Attacks-by-Count |
Threat attacks by severity |
attack |
select attack, sum(attack_count) as totalnum from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as attack_count from $log where $filter and nullifna(attack) is not null group by user_src, attack, high_severity order by attack_count desc)### t where $filter-drilldown and attack is not null group by attack order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-Spams-by-Count |
User drilldown top spam sources |
emailfilter |
select user_src, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as mf_sender, `to` as mf_receiver, action, eventtype, count(*) as totalnum from $log where $filter group by timestamp, user_src, mf_sender, mf_receiver, action, eventtype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and mf_sender is not null group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
utm-Top-Virus-Count |
UTM top virus |
virus |
select virus, max(virusid_s) as virusid, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(totalnum) as totalnum from ###(select virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter and nullifna(virus) is not null group by virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t group by virus, malware_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
security-Antivirus-Inspections |
Antivirus Inspections |
virus |
select action, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as mf_sender, `to` as mf_receiver, action, eventtype, count(*) as totalnum from $log where $filter group by timestamp, user_src, mf_sender, mf_receiver, action, eventtype /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t where $filter-drilldown and action is not null group by action order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Top-DLP-by-Count |
Email DLP Activity Summary |
dlp |
select profile, count(*) as total_num from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and profile is not null group by profile order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-AP-By-Client |
Top access point by client |
traffic |
select ap_srcintf as srcintf, count(distinct srcmac) as totalnum from ( select coalesce(ap, srcintf) as ap_srcintf, srcmac from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcmac is not null group by ap_srcintf, srcmac union all (select ap as ap_srcintf, stamac as srcmac from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where stamac is not null group by ap, stamac)) t group by srcintf order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-AP-By-Bandwidth |
Top access point by bandwidth usage |
traffic |
select ap_srcintf, sum(bandwidth) as bandwidth from ( select coalesce(ap, srcintf) as ap_srcintf, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t group by ap_srcintf having sum(bandwidth)>0 union all select ap as ap_srcintf, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by ap having sum(bandwidth)>0) t group by ap_srcintf order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
wifi-Top-SSID-By-Bandwidth |
Top SSIDs by bandwidth usage |
traffic |
select srcssid, sum(bandwidth) as bandwidth from ( select srcssid, sum(bandwidth) as bandwidth from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, ap, srcintf, srcssid, srcssid as ssid, srcmac, srcmac as stamac, coalesce(nullifna(`srcname`), `srcmac`) as hostname_mac, max(srcswversion) as srcswversion, max(osname) as osname, max(osversion) as osversion, max(devtype) as devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as subtotal from $log-traffic where $filter and (logflag&1>0) and (srcssid is not null or dstssid is not null) group by user_src, ap, srcintf, srcssid, srcmac, hostname_mac /*SkipSTART*/order by bandwidth desc, subtotal desc/*SkipEND*/)### t where srcssid is not null group by srcssid having sum(bandwidth)>0 union all select ssid as srcssid, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, stamac, stamac as srcmac, ap, ssid, ssid as srcssid, user_src, sum(coalesce(sentdelta, 0)) as sentdelta, sum(coalesce(rcvddelta, 0)) as rcvddelta, sum(coalesce(sentdelta, 0)+coalesce(rcvddelta, 0)) as bandwidth from (select itime, stamac, ap, ssid, coalesce(`user`, ipstr(`srcip`)) as user_src, sentbyte-lag(coalesce(sentbyte, 0)) over (partition by stamac order by itime) as sentdelta, rcvdbyte-lag(coalesce(rcvdbyte, 0)) over (partition by stamac order by itime) as rcvddelta from $log-event where $filter and subtype='wireless' and stamac is not null and ssid is not null and action in ('sta-wl-bridge-traffic-stats', 'reassoc-req', 'assoc-req')) as t group by timestamp, stamac, ap, ssid, user_src /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by ssid having sum(bandwidth)>0) t group by srcssid order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Total-Bandwidth-Internal-And-External |
CTAP SD-WAN Internal and External Bandwidth |
traffic |
select dstintf as interface, coalesce( sum(bandwidth), 0 ) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by interface
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Total-Bandwidth-External-Business-nonBusiness-Network |
CTAP SD-WAN Bandwidth of External Business and nonBusiness |
traffic |
select ( case when appcat not in ( & #039;Network.Service', 'Mobile','Social.Media','Proxy','Video\/Audio','Game','P2P','unknown') then 'Business' when appcat in ('Mobile','Social.Media','Proxy','Video\/Audio','Game','P2P','unknown') then 'nonBusiness'when appcat in ('Network.Service') then 'Network Service' end) as app_cat, coalesce(sum(bandwidth), 0) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by app_cat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Top-Appcat-Appgroup-By-Bandwidth-Sankey |
CTAP SD-WAN Top SD-WAN application by bandwidth usage |
traffic |
select & #039;External' as summary, appcat, app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and bandwidth>0 group by appcat, app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Business-Apps-Bandwidth |
CTAP SD-WAN Business Application with Bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t1 inner join app_mdata t2 on lower(t1.app_group)=lower(t2.name) where $filter-drilldown and appcat not in ('Network.Service', 'Mobile','Social.Media','Proxy','Video\/Audio','Game','P2P','unknown') group by app_group order by bandwidth desc, app_group
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Cloud-IT-Apps-Bandwidth |
CTAP SD-WAN Cloud IT Application Bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and appcat='Cloud.IT' and bandwidth>0 group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Storage-Backup-Apps-Bandwidth |
CTAP SD-WAN Storage Backup Application Bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and appcat='Storage.Backup' and bandwidth>0 group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Collaboration-Apps-Bandwidth |
CTAP SD-WAN Collaboration Application Bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and appcat='Collaboration' and bandwidth>0 group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Top-Streaming-App-By-Bandwidth |
CTAP SD-WAN Top Streaming Application by Bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and appcat='Video\/Audio' and bandwidth>0 group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Top-SocialMedia-App-By-Bandwidth |
CTAP SD-WAN Top SocialMedia Application by Bandwidth |
traffic |
select app_group, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and appcat='Social.Media' and bandwidth>0 group by app_group order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-App-Risk-Reputation-Top-Devices-By-Scores |
Reputation Top Devices By-Scores |
traffic |
select coalesce( nullifna(`srcname`), ipstr(`srcip`), nullifna(`srcmac`) ) as dev_src, sum(crscore % 65536) as scores from $log where $filter and ( logflag&1>0 ) and crscore is not null group by dev_src having sum(crscore % 65536)> 0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-SB-Top-Sandbox-Files |
CTAP SD-WAN Sandbox Top Sandbox Files |
virus |
select filename, analyticscksum, service, sum(totalnum) as total_num, ( case fsaverdict when & #039;malicious' then 'Malicious' when 'high risk' then 'High' when 'medium risk' then 'Medium' when 'low risk' then 'Low' else 'Other' end) as risk, (case fsaverdict when 'malicious' then 5 when 'high risk' then 4 when 'medium risk' then 3 when 'low risk' then 2 else 1 end) as risk_level from ###(select filename, analyticscksum, service, fsaverdict, dtype, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by filename, analyticscksum, service, fsaverdict, dtype, user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where $filter-drilldown and filename is not null and dtype='fortisandbox' and fsaverdict not in ('clean', 'submission failed') group by filename, analyticscksum, risk_level, risk, service order by risk_level desc, total_num desc, service, filename
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-SB-Total-Number-of-Malicious-Suspicious-Files |
CTAP SD-WAN Sandbox Malicious Suspicious Files Number |
virus |
select ( case fsaverdict when & #039;malicious' then 'Malicious' when 'high risk' then 'High' when 'medium risk' then 'Medium' when 'low risk' then 'Low' else 'Other' end) as risk, sum(totalnum) as total_num from ###(select filename, analyticscksum, service, fsaverdict, dtype, coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, virusid_to_str(virusid, eventtype) as virusid_s, count(*) as totalnum from $log where $filter group by filename, analyticscksum, service, fsaverdict, dtype, user_src, virus, virusid_s /*SkipSTART*/order by totalnum desc/*SkipEND*/)### t where $filter-drilldown and dtype='fortisandbox' and fsaverdict not in ('clean','submission failed') group by risk order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Top-Source-Countries |
CTAP SD-WAN Top Source Countries |
traffic |
select srccountry, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown and nullifna(srccountry) is not null and srccountry <> 'Reserved' and bandwidth>0 group by srccountry order by bandwidth desc, srccountry
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Average-Bandwidth-Day-Hour |
CTAP SD-WAN Average Bandwidth by Day of Week and Hour |
traffic |
select hourstamp, daystamp, round( sum(bandwidth) / count(*) ) as bandwidth from ( select $hour_of_day(timestamp) as hourstamp, $HOUR_OF_DAY(timestamp) as hour_stamp, $day_of_week(timestamp) as daystamp, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t where $filter-drilldown group by hourstamp, hour_stamp, daystamp) t group by hourstamp, daystamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Average-Log-Rate-By-Hour |
CTAP SD-WAN Average Log Rate by Hour |
event |
select $hour_of_day(timestamp) as hourstamp, cast( ( sum( total_trate + total_erate + total_orate ) )/ sum(count)/ 100.0 as decimal(10, 2) ) as log_rate from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t where $filter-drilldown group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-CPU-Usage-Per-Hour |
Event usage CPU |
event |
select $hour_of_day(timestamp) as hourstamp, cast( sum(total_cpu)/ sum(count) as decimal(6, 2) ) as cpu_avg_usage from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-CTAP-Memory-Usage-Per-Hour |
Event usage memory |
event |
select $hour_of_day(timestamp) as hourstamp, cast( sum(total_mem)/ sum(count) as decimal(6, 2) ) as mem_avg_usage from ###(select $flex_timestamp as timestamp, devid, slot, sum(coalesce(trate, 0)) as total_trate, sum(coalesce(erate, 0)) as total_erate, sum(coalesce(orate, 0)) as total_orate, min(itime) as first_seen, max(itime) as last_seen, sum(coalesce(mem, 0)) as total_mem, max(coalesce(mem, 0)) as mem_peak, sum(coalesce(disk, 0)) as total_disk, max(coalesce(disk, 0)) as disk_peak, sum(coalesce(cpu, 0)) as total_cpu, max(coalesce(cpu, 0)) as cpu_peak, max(coalesce(trate, 0)+coalesce(erate, 0)+coalesce(orate, 0)) as lograte_peak, sum(coalesce(totalsession, 0)) as totalsession, max(coalesce(totalsession, 0)) as session_peak, sum(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)) as sent, sum(cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as recv, max(cast(coalesce(split_part(bandwidth, '/', 1), '0') as integer)+cast(coalesce(split_part(bandwidth, '/', 2), '0') as integer)) as transmit_peak, sum(coalesce(setuprate, 0)) as cps, max(coalesce(setuprate, 0)) as cps_peak, count(*) as count from $log where $filter and subtype='system' and action='perf-stats' group by timestamp, devid, slot order by total_mem desc)### t group by hourstamp order by hourstamp
Dataset Name |
Description |
Log Category |
---|---|---|
sdwan-Top-Destination-Addresses-By-Bandwidth-Bar |
SD-WAN Top Destinations by Bandwidth Usage |
traffic |
select user_src as domain, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select $flex_timestamp as timestamp, csf, devid, vd, srccountry, dstintf, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group_name(app) as app_group, coalesce(vwlname,vwlservice) as rulename, service, coalesce(nullifna(`srcname`),ipstr(`srcip`),nullifna(`srcmac`)) as dev_src, sum(crscore%65536) as crscore, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, count(*) as sessions from $log-traffic where $filter and vwlid IS NOT NULL and (logflag&(1|32)>0) group by timestamp, srccountry, dstintf, csf, devid, vd, srcintf, srcintfrole, dstintfrole, appid, appcat, app_group, rulename, service, user_src, dev_src order by bandwidth desc)### t group by domain having sum(bandwidth)>0 order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
intf-Timeline-Sampling |
Interface Utilization Timeline by Data Sampling |
event |
with base_qry as ( select tm, rcvdbps, ntile(100) over ( order by rcvdbps ) as percentile from /*fabricStart*/ ( select (timestamp / 300 * 300) as tm, sum(rcvdbps) as rcvdbps, 300 as interval from $intfstats_billing tb1 join ( select ti.dvid, intfname from intfinfo ti left join devtable_ext td on ti.dvid = td.dvid where $dev_filter ) tb2 on tb1.dvid = tb2.dvid and tb1.intfname = tb2.intfname where $cust_time_filter(timestamp) group by tm ) /*fabricEnd*/ tmp ), ref_qry as ( select cast( max(rcvdbps)/ 1000000 as decimal(18, 2) ) as ref_val from base_qry where percentile = 95 ) select from_itime(timestamp) as tmstamp, cast( rcvdbps / 1000000 as decimal(18, 2) ) as rcvdbps, ref_val from ref_qry, ( select tm as timestamp, rcvdbps, rank() over( partition by (tm / 3600) order by tm ) as r from base_qry ) t where r = 1 order by tmstamp
Dataset Name |
Description |
Log Category |
---|---|---|
intf-Util-Histogram |
Interface Utilization Value Distribution |
event |
select cast( ( ( max(max_value) over () )* seq / 100 ) as decimal(16, 0) ) as value, cnt from ( select generate_series(0, 100, 2) as seq ) t1 left join ( select perc, max_value, count(*) as cnt from ( select WIDTH_BUCKET( rcvdbps, 0, ( max(rcvdbps) over () ) + 1, 50 )* 2 as perc, max(rcvdbps) over () as max_value from /*fabricStart*/ ( select (timestamp / 300 * 300) as tm, sum(rcvdbps) as rcvdbps, 300 as interval from $intfstats_billing tb1 join ( select ti.dvid, intfname from intfinfo ti left join devtable_ext td on ti.dvid = td.dvid where $dev_filter ) tb2 on tb1.dvid = tb2.dvid and tb1.intfname = tb2.intfname where $cust_time_filter(timestamp) group by tm ) /*fabricEnd*/ tmp ) t_bucket group by perc, max_value ) t2 on t1.seq = t2.perc order by seq
Dataset Name |
Description |
Log Category |
---|---|---|
intf-Sorted-Line |
Interface Utilization Line Sorted by bps |
event |
with base_qry as ( select rcvdbps, ntile(100) over ( order by rcvdbps ) as percentile from /*fabricStart*/ ( select (timestamp / 300 * 300) as tm, sum(rcvdbps) as rcvdbps, 300 as interval from $intfstats_billing tb1 join ( select ti.dvid, intfname from intfinfo ti left join devtable_ext td on ti.dvid = td.dvid where $dev_filter ) tb2 on tb1.dvid = tb2.dvid and tb1.intfname = tb2.intfname where $cust_time_filter(timestamp) group by tm ) /*fabricEnd*/ tmp ), ref_qry as ( select cast( max(rcvdbps)/ 1000000 as decimal(18, 2) ) as ref_val from base_qry where percentile = 95 ) select n_perc, cast( rcvdbps / 1000000 as decimal(18, 2) ) as rcvdbps, ref_val from ( select seq as n_perc, rcvdbps from ( select generate_series(0, 100, 1) as seq ) t1 left join ( select max(rcvdbps) as rcvdbps, percentile from base_qry group by percentile ) t2 on t1.seq = t2.percentile ) t, ref_qry order by n_perc
Dataset Name |
Description |
Log Category |
---|---|---|
intf-Data-Analysis-Table |
Interface Utilization Data Analysis |
event |
with base_qry as ( select rcvdbps, interval, ntile(100) over ( order by rcvdbps ) as percentile from /*fabricStart*/ ( select (timestamp / 300 * 300) as tm, sum(rcvdbps) as rcvdbps, 300 as interval from $intfstats_billing tb1 join ( select ti.dvid, intfname from intfinfo ti left join devtable_ext td on ti.dvid = td.dvid where $dev_filter ) tb2 on tb1.dvid = tb2.dvid and tb1.intfname = tb2.intfname where $cust_time_filter(timestamp) group by tm ) /*fabricEnd*/ tmp ) select min_mbps, low_ref_mbps, mean_mbps, ref_mbps, peak_mbps, actual_gb, total from ( select cast( min(rcvdbps)/ 1000000 as decimal(18, 2) ) as min_mbps, cast( avg(rcvdbps)/ 1000000 as decimal(18, 2) ) as mean_mbps, cast( max(rcvdbps)/ 1000000 as decimal(18, 2) ) as peak_mbps, cast( ( select max(rcvdbps) from base_qry where percentile = 5 )/ 1000000 as decimal(18, 2) ) as low_ref_mbps, cast( ( select max(rcvdbps) from base_qry where percentile = 95 )/ 1000000 as decimal(18, 2) ) as ref_mbps, cast( sum(interval * rcvdbps)/ 8 /(1024 * 1024 * 1024) as decimal(18, 2) ) as actual_gb, count(*) as total from base_qry ) t
Dataset Name |
Description |
Log Category |
---|---|---|
intf-Device-Summary |
Interface Utilization Device Summary |
event |
select devname, t1.intfname, rcvd_gb from /*fabricStart*/ ( select devname, ti.dvid, intfname from devtable_ext td join intfinfo ti on ti.dvid = td.dvid where $dev_filter ) /*fabricEnd*/ t1 join /*fabricStart*/ ( select dvid, intfname, cast( sum(interval * rcvdbps)/ 8 /(1024 * 1024 * 1024) as decimal(18, 2) ) as rcvd_gb from $intfstats_billing tb1 where $cust_time_filter(timestamp) group by dvid, intfname ) /*fabricEnd*/ t2 on t1.dvid = t2.dvid and t1.intfname = t2.intfname order by devname, rcvd_gb desc, t1.intfname
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Traffic-Bandwidth-Line |
Daily Summary - Traffic Bandwidth Line |
traffic |
select $fv_line_timescale(timescale) as time, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(session_block) as session_block, ( sum(sessions)- sum(session_block) ) as session_pass from ( ( select timescale, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(session_block) as session_block, sum(sessions) as sessions from t group by timescale ) union all ( select timescale, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(session_block) as session_block, sum(sessions) as sessions from t group by timescale ) ) t group by time order by time
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Top-User |
Daily Summary - Top User by Bandwidth |
traffic |
select coalesce( nullifna(f_user), ipstr(srcip), & #039;Unknown') as f_user, srcip, sum(bandwidth) as bandwidth FROM t group by f_user, srcip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Top-Domain |
Daily Summary - Top Domain by Bandwidth |
traffic |
select domain, sum(bandwidth) as bandwidth from t where domain is not null group by domain order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Top-Appcat-Bandwidth |
Daily Summary - Top Application Category by Bandwidth |
traffic |
select appcat, sum(bandwidth) as bandwidth from ( select t1.*, t2.app_cat as appcat from t1 left join app_mdata t2 on t1.app_group = t2.name ) t where $filter - drilldown and appcat is not null group by appcat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Top-App |
Daily Summary - Top Application |
traffic |
select app_group, max(appcat) as appcat, ( case max(d_risk) when 1 then & #039;Low' when 2 then 'Elevated' when 3 then 'Medium' when 4 then 'High' when 5 then 'Critical' else NULL end) as risk, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(session_block) as session_block, (sum(sessions)-sum(session_block)) as session_pass, sum(sessions) as sessions from (select t1.*, (case when (d_flags & 1) = 1 then 'Not.Scanned' when t2.app_cat is null then 'Unknown' else t2.app_cat end) as appcat, (case when t2.risk is null then 0 else t2.risk::int end) as d_risk from t1 left join app_mdata t2 on t1.app_group=t2.name) t where $filter-drilldown group by app_group order by max(d_risk) desc, sessions desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Top-Threats |
Daily Summary - Top Threats |
traffic |
select threat_s as threat, threattype_s as threattype, sum(threatweight) as threatweight, sum(threat_block) as threat_block, ( sum(threatweight)- sum(threat_block) ) as threat_pass, sum(incidents) as incidents, sum(incident_block) as incident_block, ( sum(incidents)- sum(incident_block) ) as incident_pass from ( ( select threat_s, threattype_s, sum(threatweight) as threatweight, sum(threat_block) as threat_block, sum(incidents) as incidents, sum(incident_block) as incident_block from t group by threat_s, threattype_s ) union all ( select threat_s, threattype_s, sum(threatweight) as threatweight, sum(threat_block) as threat_block, sum(incidents) as incidents, sum(incident_block) as incident_block from t group by threat_s, threattype_s ) ) t group by threat, threattype order by threatweight desc
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Top-Compromised-Hosts |
Daily Summary - Top Compromised Hosts |
traffic |
select epid, devid, vd, ( case when email <>& #039;' then inet '0.0.0.0' else srcip end) as srcip, ip_reversed, devtype, fctuid, euid, bmp_logtype as logtype, unauthuser, srcmac, osname, osversion, f_user,(case when epid>1024 then epname when email<>'' then '' else ipstr(srcip) end) as epname,threat_num, bl_count, cs_score, cs_count, verdict, rescan, (case verdict when 1 then 'Low Suspicion' when 2 then 'Medium Suspicion' when 3 then 'High Suspicion' when 4 then 'Infected' else 'N/A' end) as verdict_s,ack_time, ack_note, last_bl as last_detected_time from (/*NOLOG_SUBQRY_BEG*/SELECT epid, email, itime, bl_count, cs_score, cs_count, threat_num, bmp_logtype, last_bl, verdict, rescan, srcip, ip_reversed, epname, srcmac, osname, osversion, devtype, fctuid, euid, unauthuser, f_user, ack_note, ack_time, devid, vd, csf, devname FROM (SELECT tvdt.epid, tvdt.email, itime, tvdt.bl_count, tvdt.cs_score, tvdt.cs_count, tvdt.threat_num, tvdt.bmp_logtype, tvdt.last_bl, tvdt.verdict, tvdt.ip_reversed, tvdt.rescan, (CASE WHEN tvdt.epid>1024 THEN tep.epip ELSE tvdt.srcip END) as srcip, tep.epname, tep.mac as srcmac, tep.osname, tep.osversion,tep.epdevtype as devtype, teu.fctuid, teu.euid, teu.unauthuser, (case when teu.euid>1024 then teu.euname when email<>'' then email when ipstr(tvdt.srcip)<>'0.0.0.0' then ipstr(tvdt.srcip) else NULL end) as f_user, tack.ack_note, (case when (tvdt.ack_time_max=0 or tvdt.ack_time_min=0) then NULL else tvdt.ack_time_max end) as ack_time,tdev.devid, tdev.vd, tdev.csf, tdev.devname, tdev.devgrps FROM (SELECT epid, srcip, email, min(day_st) as itime, array_length(intarr_agg(threatid), 1) as threat_num, intarr_agg(dvid) as dvid, sum(bl_count) as bl_count, max(cs_score) as cs_score, sum(cs_count) as cs_count, max(last_bl) as last_bl, max(ack_time) as ack_time_max, min(ack_time) as ack_time_min, bit_or(bmp_logtype) as bmp_logtype, max(verdict) as verdict, max(ip_reversed) as ip_reversed, max(rescan) as rescan FROM (SELECT epid, (coalesce(srcip, '0.0.0.0'::inet)) as srcip, (coalesce(ioc_email, ''::text)) as email, day_st, ack_time, threatid, dvid,bl_count, cs_score, cs_count, last_bl, bmp_logtype, verdict, (case when ioc_flags&2>0 then 1 else 0 end) as ip_reversed, (case when ioc_flags&1>0 then 1 else 0 end) as rescan FROM $ADOMTBL_PLHD_IOC_VERDICT /*verdict table*/WHERE day_st>=$start_time and day_st<=$end_time /*time filter*/) tvdt_int GROUP BY epid, srcip, email) tvdt INNER JOIN /*end points*/ $ADOM_ENDPOINT as tep ON tvdt.epid=tep.epid LEFT JOIN /*end user*/ (select epid, euname, fctuid, euid, unauthuser from (select epid, eu.euid, euname, fctuid, euname as unauthuser, row_number() over (partition by epid order by ((case when fctuid is null then 0 else 1 end), lastactive) desc) nth from $ADOM_ENDUSER eu /*end user*/, $ADOM_EPEU_DEVMAP as map /*epeu dev_map*/ where eu.euid=map.euid and eu.euid>1024) eum where nth=1) teu on tvdt.epid=teu.epid LEFT JOIN /*ack table*/(SELECT epid, srcip, ack_time, ack_note FROM (SELECT epid, srcip, ack_time, ack_note, row_number() over (PARTITION BY epid, srcip order by ack_time desc) as ackrank FROM ioc_ack WHERE adomoid=$adom_oid) rankqry WHERE ackrank=1) tack ON tvdt.epid=tack.epid and (tack.srcip is null or tvdt.srcip=tack.srcip) LEFT JOIN /*devtable */ devtable_ext tdev ON tdev.dvid = tvdt.dvid[1] WHERE tvdt.dvid && (SELECT array_agg(dvid) from /*devtable */ devtable_ext WHERE $filter-drilldown)) tioc /*NOLOG_SUBQRY_END*/ ) t order by threat_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
daily-Summary-Incidents-by-Severity |
Incidents by Severity |
select severity, sum(incnum) as incnum from /*fabricStart*/ ( select severity, count(*) as incnum from $incident where $cust_time_filter(createtime) group by severity order by incnum desc ) /*fabricEnd*/ t group by severity order by incnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-Asset-Count-by-Detecttype |
Asset Count by Detection Type |
select ( case detecttype when & #039;by_ip' then 'IP' when 'by_mac' then 'MAC' end) as detecttype, count(distinct epid) as count from $ADOM_ENDPOINT t1 where epid>1024 and $filter-drilldown and lastseen>=$start_time and firstseen<$end_time and detecttype in ('by_ip', 'by_mac') group by detecttype order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-Asset-Identification |
Asset Count by Identification |
with qualified_ep as ( select t2.epid, t2.euid from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid = t2.epid where $filter - drilldown and lastseen >= $start_time and firstseen<$end_time and t2.epid>1024 ), identified_ep as ( select distinct epid from qualified_ep t1 inner join $ADOM_ENDUSER t2 on t1.euid = t2.euid where t1.euid is not null and t1.euid>1024 and euname !=& #039;(none)' and euname is not null) (select 'Identified' as type, count(distinct epid) as count from identified_ep) union all (select 'Unidentified' as type, count(distinct epid) as count from qualified_ep where epid not in (select * from identified_ep))
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-Asset-Count-by-HWOS |
Asset Count by Hardware OS |
select osname, count(distinct t2.epid) as count from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid = t2.epid where $filter - drilldown and lastseen >= $start_time and firstseen<$end_time and osname is not null and t2.epid>1024 group by osname order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-Asset-Count-by-Device-and-Detecttype |
Asset Count by Source and Detection Type |
select devname, ( case detecttype when & #039;by_ip' then 'IP' when 'by_mac' then 'MAC' end) as detecttype, count(distinct t1.epid) as count from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid=t2.epid inner join devtable_ext t3 on t2.devid=t3.devid where t1.epid>1024 and $filter-drilldown and t1.lastseen>=$start_time and firstseen<$end_time and devname is not null and detecttype in ('by_ip', 'by_mac') group by devname, detecttype order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-User-Count-by-Usergroup |
User Count by User Group |
select coalesce( eugroup, & #039;Unknown') as eugroup, count(distinct t1.euid) as count from $ADOM_ENDUSER t1 inner join $ADOM_EPEU_DEVMAP t2 ON t1.euid=t2.euid where $filter-drilldown and t1.euid>1024 and t1.lastseen>=$start_time and firstseen<$end_time group by eugroup order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-Asset-User-Count-by-Device |
Asset and User Count by Device |
select devname, cnt_for, sum(count) as count from ( ( select devname, & #039;Endpoint' as cnt_for, count(distinct t2.epid) as count from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid=t2.epid inner join devtable_ext t3 on t2.devid=t3.devid where $filter-drilldown and t1.lastseen>=$start_time and t1.firstseen<$end_time and t2.epid>1024 group by devname order by count desc) union all (select devname, 'User' as cnt_for, count(distinct t1.euid) as count from $ADOM_ENDUSER t1 inner join $ADOM_EPEU_DEVMAP t2 ON t1.euid=t2.euid inner join devtable_ext t3 on t2.devid=t3.devid where $filter-drilldown and t1.lastseen>=$start_time and t1.firstseen<$end_time and euname != '(none)' and epid>1024 and t1.euid>1024 group by devname order by count desc)) t group by devname, cnt_for order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-Asset-User-Count-by-Device-Interface-and-Detectiontype |
Asset and User Count by Source Device Interface and Detection Method |
select devname, srcintf, sum(mac_cnt) as mac_cnt, sum(ip_cnt) as ip_cnt, sum(ep_count) as ep_count, sum(eu_count) as eu_count from ( ( select devname, srcintf, sum( case when detecttype =& #039;by_mac' then count else 0 end) as mac_cnt, sum(case when detecttype='by_ip' then count else 0 end) as ip_cnt, sum(count) as ep_count, 0 as eu_count from (select devname, srcintf, detecttype, count(distinct t1.epid) as count from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid=t2.epid inner join devtable_ext t3 on t2.devid=t3.devid where t1.epid>1024 and $filter-drilldown and t1.lastseen>=$start_time and firstseen<$end_time and devname is not null and srcintf is not null and detecttype in ('by_ip', 'by_mac') group by devname,srcintf, detecttype order by count desc) t1 group by devname,srcintf order by ep_count desc) union all (SELECT devname, srcintf, 0 as mac_cnt, 0 as ip_cnt, 0 as ep_count, count(DISTINCT euid) as eu_count from (select euid, euname, t3.epid, eugroup, srcintf, devname, devid from (select t1.euid, euname, epid, eugroup, srcintf, devname, t2.devid from $ADOM_ENDUSER t1 inner join $ADOM_EPEU_DEVMAP t2 ON t1.euid=t2.euid inner join devtable_ext t3 on t2.devid=t3.devid where t1.lastseen>=$start_time and t1.firstseen<$end_time and srcintf is not null ) t3 LEFT JOIN $ADOM_ENDPOINT t4 ON t3.epid = t4.epid) t5 where euname != '(none)' and epid>1024 and euid>1024 and $filter-drilldown group by devname, srcintf order by eu_count desc)) t group by devname, srcintf order by devname, sum(eu_count)+ sum(ep_count) desc
Dataset Name |
Description |
Log Category |
---|---|---|
ueba-Asset-User-Discovery-by-Time |
Asset and User Count by Discovery Time |
select $flex_timescale(firstseen) as time, count(distinct epid) as ep_count, count(distinct euid) as eu_count from ( ( select firstseen, t1.epid, null as euid from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid = t2.epid where $filter - drilldown and t1.firstseen >= $start_time and t1.firstseen<$end_time and t1.epid>1024 ) union all ( select firstseen, null as epid, t1.euid from $ADOM_ENDUSER t1 inner join $ADOM_EPEU_DEVMAP t2 ON t1.euid = t2.euid where t1.euid>1024 and $filter - drilldown and firstseen >= $start_time and firstseen<$end_time ) ) t group by time order by time
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Domain-Count-by-Threat-Level |
Domain Count by Threat level |
dns |
select threat_level, total_num from ( select ( case when tdtype in ( & #039;infected-domain', 'infected-ip', 'infected-url') then 'critical' when is_botnet or catdesc in ('Malicious Websites', 'Phishing', 'Spam URLs') then 'high' when catdesc in ('Newly Observed Domain', 'Newly Registered Domain', 'Proxy Avoidance','Unrated') or catdesc LIKE '%Dynamic DNS%' then 'medium' end) as threat_level, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t group by threat_level order by total_num desc) t where threat_level is not null order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Top-Queried-Domain-Bar |
Top Queried Domain |
dns |
select qname, count(*) as total_num from $log where $filter and qname is not null group by qname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Visited-Domain-Categories |
Top Visited Domain Categories |
dns |
select catdesc, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where catdesc is not null group by catdesc order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Visited-High-Risk-Domain-Categories |
Top Visited High Risk Domain Categories |
dns |
select catdesc, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where level>='warning' and catdesc is not null group by catdesc order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Domain-with-Botnet-CC-Detected |
Top Domain with Botnet C&C Detected |
dns |
select qname, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t where qname is not null group by qname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-FortiGate-with-Top-Domain-Visited-by_Source-IP |
FortiGate with Top Domain Visited by Source IP |
dns |
select devname, srcip, qname, category, total_num from ( select devname, srcip, qname, category, total_num, row_number() over ( partition by devname, srcip, qname order by total_num desc, qname ) as rank from ( select devname, srcip, qname, max(catdesc) as category, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t1 inner join devtable_ext t2 on t1.dvid=t2.dvid where qname is not null and srcip is not null group by devname, srcip, qname order by total_num desc) t) t where rank=1 order by devname, srcip, qname
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Domain-Lookup-Failure-by-Count |
Top Domain Lookup Failures by Count |
dns |
select qname, count(*) as total_num from $log - dns where $filter and qname is not null and ( action =& #039;block' or logid_to_int(logid)=54200) group by qname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Source-IP-by-Destination-Count |
Top Source IP by Destination Count |
dns |
select srcip, count(distinct dstip) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where srcip is not null and dstip is not null group by srcip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Destination-IP-by-Source-Count |
Top Destination IP by Source Count |
dns |
select dstip, count(distinct srcip) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where srcip is not null and dstip is not null group by dstip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Severity-by-High-Risk-Source-IPs-Count |
Severity by High Risk Source IPs Count |
dns |
select ( CASE sevid WHEN 5 THEN & #039;Critical' WHEN 4 THEN 'High' WHEN 3 THEN 'Medium' WHEN '2' THEN 'Info' ELSE 'Low' END) as severity, count(distinct srcip) as total_num from (select srcip, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where level>='warning' and srcip is not null group by srcip, sevid order by total_num desc) t group by severity having sum(total_num)>0 order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-DNS-High-Risk-Source-IP |
Top DNS High Risk Source IP |
dns |
select srcip, sum( case when sevid = 5 then total_num else 0 end ) as num_cri, sum( case when sevid = 4 then total_num else 0 end ) as num_hig, sum( case when sevid = 3 then total_num else 0 end ) as num_med, sum(total_num) as total_num from ( select srcip, ( CASE WHEN level IN ( & #039;critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, count(*) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where level>='warning' and srcip is not null group by srcip, sevid order by total_num desc) t group by srcip having sum(total_num)>0 order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Infected-Domain-by-Count |
Top Infected Domain by Count |
dns |
select qname, count(distinct srcip) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where qname is not null and tdtype='infected-domain' group by qname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Blocked-Domains-by-Reason |
Top Blocked Domains by Reason |
dns |
select qname, msg, count(*) as total_num from $log where $filter and qname is not null and msg LIKE & #039;Domain was blocked%' group by qname, msg order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Users-by-Infected-Domain-Visits |
Top Users by Infected Domain Visits |
dns |
select coalesce( f_user, ipstr(`srcip`) ) as user_src, count(distinct qname) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where qname is not null and tdtype='infected-domain' and (f_user is not null or srcip is not null) group by user_src order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Users-and-Infected-Domain-by-Visit-Count |
Top Users and Infected Domain by Visit Count |
dns |
select coalesce( f_user, ipstr(`srcip`) ) as user_src, qname, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where qname is not null and (f_user is not null or srcip is not null) and tdtype='infected-domain' group by user_src, qname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Users-by-Visited-Domain-Category-Count |
Top Users by Visited Domain Category Count |
dns |
select coalesce( f_user, ipstr(`srcip`) ) as user_src, count(distinct catdesc) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where catdesc is not null and (f_user is not null or srcip is not null) group by user_src order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Users-and-Visited-Domain-Category-by-Count |
Top Users and Visited Domain Category by Count |
dns |
select coalesce( f_user, ipstr(`srcip`) ) as user_src, catdesc, srcip, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where catdesc is not null and (f_user is not null or srcip is not null) group by user_src, catdesc, srcip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Newly-Detected-Domain-by-Count |
Top Newly Detected Domain by Count |
dns |
select qname, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where last_seen>=$start_time and first_seen<$end_time and tdtype is not null and qname is not null group by qname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
dns-Security-Top-Newly-Detected-Domain-and-Source-IP-with-First-Seen-and-Last-Seen |
Top Newly Detected Domain and Source IP with First Seen and Last Seen |
dns |
select qname, srcip, from_itime( min(first_seen) ) as first_seen, from_itime( max(last_seen) ) as last_seen, sum(total_num) as total_num from ###(select dvid, qname, coalesce(nullifna(`user`), nullifna(`unauthuser`)) as f_user, dstip, srcip, catdesc, level, tdtype, (botnetdomain is not null or botnetip is not null) as is_botnet, min(nanosec_to_sec(eventtime)) as first_seen, max(nanosec_to_sec(eventtime)) as last_seen, count(*) as total_num from $log-dns where $filter group by dvid, qname, f_user, dstip, srcip, catdesc, level, tdtype, is_botnet order by total_num desc)### t where last_seen>=$start_time and first_seen<$end_time and tdtype is not null and qname is not null group by qname, srcip order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-User-Category-By-Count |
Top Web User and Category by Count |
traffic |
select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, catdesc, requests, sum(requests) over (partition by usersrc) as total_num from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where usersrc is not null and catdesc<>'Unknown' order by total_num desc, user_src
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-User-Category-by-Browsing-Time |
Web Usage Top User and Category by Browsing Time |
traffic |
select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, catdesc, ebtr_value(ebtr_agg_flat(browsetime), null, $timespan) as browsetime from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where usersrc is not null group by user_src, catdesc order by browsetime desc, user_src, catdesc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Count-By-Allowed-Blocked |
Web Usage Allowed and Blocked Count |
webfilter |
select unnest(type) as allow_block, unnest(request_cnt) as totoal_num from ( select array[ & #039;Allowed', 'Blocked'] as type, array[sum(case when action!='blocked' then requests end), sum(case when action='blocked' then requests end)] as request_cnt from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, action, count(*) as requests from $log-webfilter where $filter and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null group by timestamp, usersrc, euid, action /*SkipSTART*/order by requests desc, timestamp desc/*SkipEND*/)### t) t
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Web-Users-By-Allowed-Requests |
Web Usage Top Web Users by Allowed Requests |
webfilter |
select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, sum(requests) as requests from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, action, count(*) as requests from $log-webfilter where $filter and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null group by timestamp, usersrc, euid, action /*SkipSTART*/order by requests desc, timestamp desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where action!='blocked' group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Web-Users-By-Blocked-Requests |
Web Usage Top Web Users by Blocked Requests |
webfilter |
select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, sum(requests) as requests from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, action, count(*) as requests from $log-webfilter where $filter and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null group by timestamp, usersrc, euid, action /*SkipSTART*/order by requests desc, timestamp desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where action='blocked' group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Request-Summary-Timeline |
Webfilter web activity summary by requests |
webfilter |
select $flex_timescale(timestamp) as hodex, sum(allowed_request) as allowed_request, sum(blocked_request) as blocked_request from ###(select $flex_timestamp as timestamp, sum(case when action!='blocked' then 1 else 0 end) as allowed_request, sum(case when action='blocked' then 1 else 0 end) as blocked_request from $log where $filter group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Bandwidth-Timeline |
Web Usage Bandwidth Timeline |
traffic |
select $flex_timescale(timestamp) as hodex, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Web-Users-By-Requests |
Web Usage Top Web Users by Requests |
webfilter |
select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, sum(requests) as requests from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, action, count(*) as requests from $log-webfilter where $filter and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null group by timestamp, usersrc, euid, action /*SkipSTART*/order by requests desc, timestamp desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where usersrc is not null group by user_src order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Web-Users-By-Requests-Timeline |
Web Usage top Web Users by Requests Timeline |
webfilter |
with time_users as ( select $flex_timescale(timestamp) as hodex, coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, sum(requests) as requests from (select timestamp, usersrc, euid, requests from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, action, count(*) as requests from $log-webfilter where $filter and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null group by timestamp, usersrc, euid, action /*SkipSTART*/order by requests desc, timestamp desc/*SkipEND*/)### t where usersrc is not null) t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid group by hodex, user_src order by hodex), top_users as (select user_src, sum(requests) as requests from time_users group by user_src order by requests desc limit $ddown-top) select hodex, user_src, requests from time_users t where exists (select 1 from top_users where user_src=t.user_src) order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Category-Sites-By-Session |
Web top user visted websites by session |
webfilter |
select website, catdesc, sum(sessions) as sessions from ###(select hostname as website, catdesc, count(*) as sessions from $log where $filter and hostname is not null group by hostname, catdesc order by sessions desc)### t where catdesc is not null group by website, catdesc order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-User-Browsing-Time |
Web Usage Top User Browsing Time |
traffic |
select user_src, sum(browsetime) as browsetime from ( select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, catdesc, ebtr_value(ebtr_agg_flat(browsetime), null, $timespan) as browsetime from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where usersrc is not null group by user_src, catdesc order by browsetime desc) t group by user_src order by browsetime desc, user_src
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Category-By-Website-Browsetime |
Top Category By Website Browsetime |
traffic |
select catdesc, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where catdesc!='Unrated' and browsetime is not null group by catdesc order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Sites-By-Browsing-Time |
Web Usage Top Websites by Browsing Time |
traffic |
select website, max(catdesc) as catdesc, ebtr_value( ebtr_agg_flat(browsetime), null, $timespan ) as browsetime, sum(bandwidth) as bandwidth, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where website is not null and catdesc is not null group by website order by browsetime desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-User-By-Bandwidth |
Web Usage Top User By Bandwidth |
traffic |
select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where bandwidth>0 group by user_src order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-User-By-Bandwidth-Timeline |
Web Usage Top User By Bandwidth Timeline |
traffic |
with time_users as ( select $flex_timescale(timestamp) as hodex, coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, sum(bandwidth) as bandwidth from (select timestamp, usersrc, euid, bandwidth from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where usersrc is not null) t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid group by hodex, user_src order by bandwidth desc), top_users as (select user_src, sum(bandwidth) as bandwidth from time_users where bandwidth>0 group by user_src order by bandwidth desc limit $ddown-top) select hodex, user_src, bandwidth from time_users t where exists (select 1 from top_users where user_src=t.user_src) order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Category-Website-By-Bandwidth |
Web Usage Top Web Category and Websites by Bandwidth |
traffic |
select catdesc, website, bandwidth, sum(bandwidth) over (partition by catdesc) as sub_bandwidth from ( select website, catdesc, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t where website is not null and catdesc is not null group by website, catdesc order by bandwidth desc) t order by sub_bandwidth desc, catdesc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Blocked-User-Category-By-Request |
Web Usage Top Blocked Web User and Category by Request |
webfilter |
select user_src, catdesc, requests, sum(requests) over (partition by user_src) as total_num from ( select coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, catdesc, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, hostname, catdesc, action, count(*) as requests from $log where $filter group by usersrc, euid, hostname, catdesc, action order by requests desc)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where usersrc is not null and catdesc<>'Unknown' and action='blocked' group by user_src, catdesc order by requests desc) t order by total_num desc, user_src
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Web-Users-By-Blocked-Requests-Timeline |
Web Usage Top Web Users Timeline by Blocked Requests |
webfilter |
with time_users as ( select $flex_timescale(timestamp) as hodex, coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, sum(requests) as requests from (select timestamp, usersrc, euid, requests from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, action, count(*) as requests from $log-webfilter where $filter and coalesce(nullifna(`user`), ipstr(`srcip`)) is not null group by timestamp, usersrc, euid, action /*SkipSTART*/order by requests desc, timestamp desc/*SkipEND*/)### t where usersrc is not null and action='blocked') t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid group by hodex, user_src order by hodex), top_users as (select user_src, sum(requests) as requests from time_users group by user_src order by requests desc limit $ddown-top) select hodex, user_src, requests from time_users t where exists (select 1 from top_users where user_src=t.user_src) order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Top-Blocked-Web-Categories-by-Request |
Web Usage Top Blocked Web Categories by Request |
webfilter |
select catdesc, hostname, sum(requests) as requests from ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as usersrc, euid, hostname, catdesc, action, count(*) as requests from $log where $filter group by usersrc, euid, hostname, catdesc, action order by requests desc)### t1 where catdesc is not null and hostname is not null and action='blocked' group by catdesc, hostname order by requests desc
Dataset Name |
Description |
Log Category |
---|---|---|
web-Usage-Browsing-Time-Summary-Timeline |
Traffic browsing time summary |
traffic |
select $flex_timescale(timestamp) as hodex, cast( ebtr_value( ebtr_agg_flat(browsetime), null, $timespan )/ 60.0 as decimal(18, 2) ) as browsetime from ###(select $flex_timestamp as timestamp, ebtr_agg_flat($browse_time) as browsetime from $log where $filter and (logflag&1>0) and $browse_time is not null group by timestamp /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Asset-Endpoint-HWOS-Count |
Asset Endpoint Count by OS |
select osname, count(distinct t2.epid) as count from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid = t2.epid where exists ( select 1 from devtable_ext t3 where $dev_filter and t3.devid = t2.devid ) and lastseen >= $start_time and firstseen<$end_time and osname is not null and t2.epid>1024 group by osname order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-daily-Summary-Traffic-Session-Line |
Daily Summary - Traffic Bandwidth Line |
traffic |
select $fv_line_timescale(timescale) as time, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(session_block) as session_block, ( sum(sessions)- sum(session_block) ) as session_pass from ( ( select timescale, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(session_block) as session_block, sum(sessions) as sessions from t group by timescale ) union all ( select timescale, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out, sum(session_block) as session_block, sum(sessions) as sessions from t group by timescale ) ) t group by time order by time
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-wifi-WiFi-Client-Number-Timeline |
WiFi client Number Timeline |
event |
select $flex_timescale(timestamp) as hodex, count( distinct ( case when radioband =& #039;5G' then stamac else NULL end)) as g5, count(distinct (case when radioband='2G' then stamac else NULL end)) as g2 from ###(select $flex_timestamp as timestamp, stamac, radioband from $log where $filter and subtype='wireless' group by timestamp, stamac, radioband /*SkipSTART*/order by timestamp desc/*SkipEND*/)### t group by hodex order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-ueba-Asset-Count-by-HWOS-Donut |
Asset Count by Hardware OS |
select osname, count(distinct t2.epid) as count from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid = t2.epid where $filter - drilldown and lastseen >= $start_time and firstseen<$end_time and osname is not null and t2.epid>1024 group by osname order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Posture-Stats-Status-Count |
Posture Security Rating Statistic Status Count |
select unnest(name) as stats, unnest(val) as value from ( select array[ & #039;Passed','Failed','Exempt','Unmet'] as name, array[(sum(passedchkcnt::int)/count(*)), sum((failedchkcnt-unmetchkcnt)::int)/count(*), sum((data->'statistics'->'numExemptChecks')::int)/count(*), sum(unmetchkcnt::int)/count(*)] as val from $ADOMTBL_PLHD_AUDIT_HST t inner join devtable_ext td on td.dvid = t.dvid where $filter-drilldown and $cust_time_filter(itime) and reporttype='PostureReport') t
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Coverage-Stats-Status-Count |
Fabric Coverage Security Rating Statistic Status Count |
select unnest(name) as stats, unnest(val) as value from ( select array[ & #039;Passed','Failed','Exempt'] as name, array[(sum(passedchkcnt::int)/count(*)), sum(failedchkcnt::int)/count(*), sum((data->'statistics'->'numExemptChecks')::int)/count(*)] as val from $ADOMTBL_PLHD_AUDIT_HST t inner join devtable_ext td on td.dvid = t.dvid where $filter-drilldown and $cust_time_filter(itime) and reporttype='CoverageReport') t
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Optimize-Stats-Status-Count |
Optimization Security Rating Statistic Status Count |
select unnest(name) as stats, unnest(val) as value from ( select array[ & #039;Passed','Failed','Exempt'] as name, array[(sum(passedchkcnt::int)/count(*)), sum(failedchkcnt::int)/count(*), sum((data->'statistics'->'numExemptChecks')::int)/count(*)] as val from $ADOMTBL_PLHD_AUDIT_HST t inner join devtable_ext td on td.dvid = t.dvid where $filter-drilldown and $cust_time_filter(itime) and reporttype='OptimizationReport') t
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Asset-Count-by-HWVendor |
Asset Count by Hardware Vendor |
select ( case when hwvendor =& #039;Fortinet' then hwvendor else 'Other identified device' end) as vendor, sum(total_num) as total_num from (select osname, hwvendor, srcintf, count(distinct t1.epid) as total_num from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid=t2.epid where exists (select 1 from devtable_ext t3 where $dev_filter and t3.devid=t2.devid) and lastseen>=$start_time and firstseen<$end_time and hwvendor is not null and osname is not null and t2.srcintf is not null and t2.epid>1024 group by osname, hwvendor, srcintf order by total_num desc) t group by vendor order by vendor
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Asset-Count-by-HWOS-List |
Asset Count by Hardware OS List |
select osname, sum(total_num) as total_num from ( select osname, hwvendor, srcintf, count(distinct t1.epid) as total_num from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid = t2.epid where exists ( select 1 from devtable_ext t3 where $dev_filter and t3.devid = t2.devid ) and lastseen >= $start_time and firstseen<$end_time and hwvendor is not null and osname is not null and t2.srcintf is not null and t2.epid>1024 group by osname, hwvendor, srcintf order by total_num desc ) t group by osname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Asset-Count-by-Interface |
Asset Count by Interface |
select srcintf, sum(total_num) as count from ( select osname, hwvendor, srcintf, count(distinct t1.epid) as total_num from $ADOM_ENDPOINT t1 inner join $ADOM_EPEU_DEVMAP t2 on t1.epid = t2.epid where exists ( select 1 from devtable_ext t3 where $dev_filter and t3.devid = t2.devid ) and lastseen >= $start_time and firstseen<$end_time and hwvendor is not null and osname is not null and t2.srcintf is not null and t2.epid>1024 group by osname, hwvendor, srcintf order by total_num desc ) t group by srcintf order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Asset-List-From-Fortinet |
Asset List from Fortinet |
traffic |
select coalesce( epname, ipstr(`srcip`) ) as ep_name, coalesce( epip : :text || & #039; ' || mac::text, ipstr(`srcip`)) as addr, osname, hwfamily, hwversion, coalesce(osname, max(epdevtype)) as devtype, sum(sessions) as sessions from (select dvid, epid, srcip, sum(sessions) as sessions from ###(select dvid, $flex_timestamp as timestamp, epid, srcip, policyname, policyid, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dvid, timestamp, epid, srcip, policyname, policyid order by bandwidth desc)### t where epid>1024 group by dvid, epid, srcip) t1 inner join (select epid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.epid=t2.epid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.epid=t3.epid and t2.epmac=t3.mac where hwvendor='Fortinet' group by ep_name, addr, osname, hwfamily, hwversion order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Rating-Asset-List-From-Other-Identified-Device |
Asset List from Other Identified Device |
traffic |
select coalesce( epname, ipstr(`srcip`) ) as ep_name, coalesce( epip : :text || & #039; ' || mac::text, ipstr(`srcip`)) as addr, osname, hwfamily, hwversion, coalesce(osname, max(epdevtype)) as devtype, sum(sessions) as sessions from (select dvid, epid, srcip, sum(sessions) as sessions from ###(select dvid, $flex_timestamp as timestamp, epid, srcip, policyname, policyid, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dvid, timestamp, epid, srcip, policyname, policyid order by bandwidth desc)### t where epid>1024 group by dvid, epid, srcip) t1 inner join (select epid, srcmac as epmac, dvid from $ADOM_EPEU_DEVMAP dm inner join devtable dt ON dm.devid=dt.devid and dm.vd=dt.vd) t2 on t1.epid=t2.epid and t1.dvid=t2.dvid left join $ADOM_ENDPOINT t3 on t1.epid=t3.epid and t2.epmac=t3.mac where hwvendor<>'Fortinet' group by ep_name, addr, osname, hwfamily, hwversion order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-wifi-AP-WaitingAuth-Online-Offline-Count |
WiFi AP count by Waiting Auth Online and Offline Status |
event |
select * from ( select unnest(status) as ap_status, unnest(num) as totalnum from ( select array[ & #039;Online', 'Offline'] as status, array[sum(case when onwire!='no' or onwire is null then 1 end), sum(case when onwire='no' then 1 end)] as num from ###(select apstatus, bssid, ssid, onwire, count(*) as subtotal from $log where $filter and apstatus is not null and apstatus!=0 and bssid is not null and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by apstatus, bssid, ssid, onwire order by subtotal desc)### t)t union all (select ap_status, totalnum from ###(select (case when not (action like '%join%') then 'Waiting for Authentication' end) as ap_status, count(*) as totalnum from $log where $filter and logid_to_int(logid) in (43522, 43551) group by ap_status order by totalnum desc)### t)) t where ap_status is not null and totalnum>0
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-wifi-Top-AP-By-Client |
WiFi Top Access Point by Client |
event |
select ap, count(distinct lmac) as totalnum from ###(select ap, stamac as lmac, ssid, action, max(dtime) as last from $log-event where $filter and ssid is not null group by ap, lmac, ssid, action order by last desc)### t group by ap order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-wifi-Signal-By-Client |
WiFi Signal by Client |
event |
select sig_status, count(distinct lmac) as totalnum from ###(select ap, stamac as lmac, ssid, action, (case when signal>=-65 then 'Good (>=-65dBm)' when signal<-75 then 'Poor (<-75dBm)' end) as sig_status, max(dtime) as last from $log-event where $filter and ssid is not null group by ap, lmac, ssid, action, sig_status order by last desc)### t where sig_status is not null group by sig_status order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-wifi-Auth-Failure-Event |
WiFi Authentication Failure Event |
event |
select ssid, from_dtime(last) as last from ###(select ap, stamac as lmac, ssid, action, max(dtime) as last from $log-event where $filter and ssid is not null group by ap, lmac, ssid, action order by last desc)### t where action like '%auth-failure' order by last desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top-Policy-Bandwidth-Timeline |
Top Policy Bandwidth Timeline |
traffic |
select timestamp, policy, bandwidth, sum(bandwidth) over (partition by policy) as total_bandwidth from ( select timestamp, t1.policy, t1.bandwidth from ( select $fv_line_timescale(timestamp) as timestamp, coalesce(policyname, policyid : :text) as policy, sum(bandwidth) as bandwidth FROM ###(select dvid, $flex_timestamp as timestamp, epid, srcip, policyname, policyid, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dvid, timestamp, epid, srcip, policyname, policyid order by bandwidth desc)### t group by timestamp, policy order by timestamp) t1 inner join (select coalesce(policyname, policyid::text) as policy, sum(bandwidth) as bandwidth FROM ###(select dvid, $flex_timestamp as timestamp, epid, srcip, policyname, policyid, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dvid, timestamp, epid, srcip, policyname, policyid order by bandwidth desc)### t where coalesce(policyname, policyid::text) is not null and bandwidth>0 group by policy order by bandwidth desc limit $ddown-top) t2 on t1.policy=t2.policy order by timestamp) t order by timestamp, total_bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Policy-by-Bandwidth |
Top Policy by Bandwidth |
traffic |
select policy, sum(bandwidth) as bandwidth FROM ###(select coalesce(policyname, policyid::text) as policy, max(policytype) as policytype, srcintf, dstintf, max(devname) as devname, max(vd) as vd, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions, from_dtime(max(dtime)) as time_stamp from $log-traffic where $filter and (logflag&(1|32)>0) and coalesce(policyname, policyid::text) is not null group by policy, srcintf, dstintf order by bandwidth desc)### t where bandwidth>0 group by policy order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Policy-by-Session |
Top Policy by Session |
traffic |
select coalesce(policyname, policyid : :text) as policy, sum(sessions) as sessions FROM ###(select dvid, $flex_timestamp as timestamp, epid, srcip, policyname, policyid, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dvid, timestamp, epid, srcip, policyname, policyid order by bandwidth desc)### t where policyid is not null group by policy order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Policy-Details |
Top Policy with Details by Bandwidth |
traffic |
select policy, max(policytype) as policytype, string_agg( distinct srcintf, & #039;,') as srcintf, string_agg(distinct dstintf, ',') as dstintf, max(devname) as devname, max(vd) as vd, sum(bandwidth) as bandwidth, sum(sessions) as sessions, max(time_stamp) as time_stamp from ###(select coalesce(policyname, policyid::text) as policy, max(policytype) as policytype, srcintf, dstintf, max(devname) as devname, max(vd) as vd, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions, from_dtime(max(dtime)) as time_stamp from $log-traffic where $filter and (logflag&(1|32)>0) and coalesce(policyname, policyid::text) is not null group by policy, srcintf, dstintf order by bandwidth desc)### t where bandwidth>0 group by policy order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top-Source-Session-Timeline |
Top Source Session Timeline |
traffic |
select $fv_line_timescale(timestamp) as timestamp, sum(session_block) as session_block, ( sum(sessions)- sum(session_block) ) as session_pass FROM ###(select dvid, $flex_timestamp as timestamp, epid, srcip, policyname, policyid, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dvid, timestamp, epid, srcip, policyname, policyid order by bandwidth desc)### t group by timestamp order by timestamp
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top-Source-Details |
Top Source with Details by Bandwidth |
traffic |
select f_user, string_agg( distinct srcintf, & #039;,') as srcintf, string_agg(distinct dev_src, ',') as dev_src, sum(threatwgt) as threatweight, sum(threat_block) as threat_block, (sum(threatwgt)-sum(threat_block)) as threat_pass, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, srcintf, max(coalesce(srcname, srcmac)) AS dev_src, sum(threatwgt) as threatwgt, sum(CASE WHEN (logflag&2>0) THEN threatwgt ELSE 0 END) AS threat_block, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from (select `user`, unauthuser, srcip, srcintf, srcname, srcmac, threatweight_sum(threatwgts, threatcnts) as threatwgt, sentdelta, sentbyte, rcvddelta, rcvdbyte, logflag from $log-traffic where $filter and (logflag&(1|32)>0)) t group by f_user, srcintf order by bandwidth desc)### t where f_user is not null group by f_user order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top-Destination-Bandwidth-Timeline |
Top Destination Bandwidth Timeline |
traffic |
select $fv_line_timescale(timestamp) as timestamp, sum(traffic_in) as traffic_in, sum(traffic_out) as traffic_out from ###(select dvid, $flex_timestamp as timestamp, epid, srcip, policyname, policyid, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dvid, timestamp, epid, srcip, policyname, policyid order by bandwidth desc)### t group by timestamp order by timestamp
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top-Destination-Details |
Top Destination with Details by Bandwidth |
traffic |
select dstip, count(distinct app_group) as app_num, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select dstip, app_group_name(app) as app_group, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) AS sessions from $log-traffic where $filter and (logflag&(1|32)>0) group by dstip, app_group order by bandwidth desc)### t1 where dstip is not null group by dstip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-High-Risk-Application-By-Category |
High risk application by category |
traffic |
select app_cat, count(distinct app) as total_num from ###(select app_cat, app from $log t1 inner join app_mdata t2 on t1.appid=t2.id where $filter and risk>='4' and (logflag&1>0) group by app_cat, app)### t group by app_cat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Apprisk-Ctrl-High-Risk-Application-Behavioral |
Application Behavioral Characteristics |
traffic |
select behavior, round( sum(total_num)* 100 / sum( sum(total_num) ) over (), 2 ) as percentage from ( ###(select timestamp, (case when lower(appcat)='botnet' then 'malicious' when lower(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('storage.backup', 'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p' then 'peer-to-peer' when lower(appcat)='proxy' then 'proxy' end) as behavior, sum(sessions) as total_num from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### t where lower(appcat) in ('botnet', 'remote.access', 'storage.backup', 'video/audio', 'p2p', 'proxy') and apprisk in ('critical', 'high') group by timestamp, behavior order by total_num desc)### union all ###(select $flex_timestamp as timestamp, 'malicious' as behavior, count(*) as total_num from $log-attack where $filter and (logflag&16>0) and severity in ('critical', 'high') group by timestamp, behavior order by total_num desc)###) t where $filter-drilldown group by behavior order by percentage desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top10-App-Category-Group-By-Bandwidth |
Category breakdown of all applications, sorted by bandwidth |
traffic |
select appcat, count(distinct app) as app_num, count(distinct user_src) as user_num, sum(bandwidth) as bandwidth, sum(sessions) as num_session from ###(select app, appcat, user_src, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where nullifna(appcat) is not null and appcat not in ('Not.Scanned', 'unscanned', 'unknown') group by app, appcat, user_src order by bandwidth desc)### t where $filter-drilldown group by appcat order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Applications-By-Bandwidth |
Top Web Applications by Bandwidth |
traffic |
select risk as d_risk, t2.name, t2.app_cat, t2.technology, count(distinct f_user) as users, sum(bandwidth) as bandwidth, sum(num_session) as sessions from ###(select appid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log where $filter and (logflag&1>0) and nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by appid, f_user order by bandwidth desc)### t1 inner join app_mdata t2 on t1.appid=t2.id group by d_risk, t2.name, t2.app_cat, t2.technology order by d_risk desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top-Web-Categories-Visited |
Top Web Category and User by Count |
traffic |
select catdesc, coalesce( firstname || & #039; ' || lastname, euname, usersrc) as user_src, requests, sum(requests) over (partition by catdesc) as total_num from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as usersrc, euid, catdesc, hostname as website, ebtr_agg_flat($browse_time) as browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out, count(*) as requests from $log-traffic where $filter and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by timestamp, usersrc, euid, catdesc,website /*SkipSTART*/order by bandwidth desc/*SkipEND*/)### t1 left join $ADOM_ENDUSER t3 on t1.euid=t3.euid where usersrc is not null and catdesc<>'Unknown' order by total_num desc, catdesc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top5-Malware-Virus-Botnet-Spyware |
Top Virus Botnet Spyware Adware and Phishing Websites |
traffic |
select malware_type, virus_s, total_num, sum(total_num) over (partition by malware_type) as type_total_num from ( ( select ( case when lower(appcat)=& #039;botnet' then 'Botnet C&C' else (case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end) end) as malware_type, virus_s, sum(total_num) as total_num from (###(select app as virus_s, appcat, hostname, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, hostname order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, hostname, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, hostname order by total_num desc)### union all ###(select attack as virus_s, 'botnet' as appcat, hostname, count(*) as total_num from $log-attack where $filter and (logflag&16>0) group by virus_s, appcat, hostname order by total_num desc)###) t where virus_s is not null group by malware_type, virus_s) union all (select 'Phishing' as malware_type, hostname as virus_s, count(*) as total_num from $log-webfilter where $filter and hostname is not null and catdesc='Phishing' group by malware_type, virus_s)) t order by type_total_num desc, virus_s
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top5-Victims-of-Malware |
Victims of Malware |
virus |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, virus as malware, count(*) as total_num from $log where $filter and virus is not null group by user_src, malware order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top5-Victims-of-Phishing-Site |
Victims of Phishing Site |
webfilter |
select coalesce( nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`) ) as user_src, url as phishing_site, count(*) as total_num from $log where $filter and cat in (26, 61) group by user_src, phishing_site order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top5-Malicious-Phishing-Sites |
Victims of Phishing Site by Count |
webfilter |
select phishing_site, user_src, total_num, sum(total_num) over (partition by phishing_site) as user_total_num from ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, hostname as phishing_site, count(*) as total_num from $log where $filter and lower(service) in ('http', 'https') and hostname is not null and cat in (26, 61) group by user_src, phishing_site order by total_num desc)### t order by user_total_num desc, user_src
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Application-Vulnerability |
Application vulnerabilities discovered |
attack |
select attack, attackid, vuln_type, cve, severity_number, count( distinct ( CASE WHEN direction =& #039;incoming' THEN srcip ELSE dstip END)) as victims, count(distinct (CASE WHEN direction='incoming' THEN dstip ELSE srcip END)) as sources, sum(totalnum) as totalnum from ###(select attack, attackid, (case when severity='critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, direction, dstip, srcip, count(*) as totalnum from $log where $filter and nullifna(attack) is not null and severity is not null group by attack, attackid, severity, direction, dstip, srcip order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Files-Analyzed-By-FortiCloud-Sandbox |
Files analyzed by FortiCloud Sandbox |
virus |
select $day_of_week as dow, count(*) as total_num from $log where $filter and nullifna(filename) is not null and logid_to_int(logid)= 9233 group by dow order by dow
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Apprisk-Ctrl-Malicious-Files-Detected-By-FortiCloud-Sandbox |
Files detected by FortiCloud Sandbox |
virus |
select filename, analyticscksum, count(distinct victim) as victims, count(distinct source) as source from ###(select filename, analyticscksum,(CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as totalnum from $log where $filter and filename is not null and logid_to_int(logid)=9233 and analyticscksum is not null group by filename, analyticscksum, source, victim order by totalnum desc)### t group by filename, analyticscksum order by victims desc, source desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Data-Loss-Incidents-By-Severity |
Data loss incidents summary by severity |
dlp |
select initcap(severity : :text) as s_severity, count(*) as total_num from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and severity is not null group by s_severity order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Data-Loss-Files-By-Service |
Data Lass Files By Service |
dlp |
select filename, ( case direction when & #039;incoming' then 'Download' when 'outgoing' then 'Upload' end) as action, max(filesize) as filesize, service from ###(select itime, hostname,`from` as sender, `to` as receiver, profile, action, service, subtype, srcip, dstip, severity, filename, direction, filesize, (case when severity='critical' then 'Critical Data Exfiltration' else (case when coalesce(nullifna(`user`), ipstr(`srcip`)) is not null then 'User Associated Data Loss' else NULL end) end) as data_loss from $log where $filter /*SkipSTART*/order by itime desc/*SkipEND*/)### t where $filter-drilldown and filesize is not null group by filename, direction, service order by filesize desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Endpoint-Security-Events-Summary |
Endpoint Security Events summary |
fct-traffic |
select ( case utmevent when & #039;antivirus' then 'Malware incidents' when 'webfilter' then 'Malicious/phishing websites' when 'appfirewall' then 'Risk applications' when 'dlp' then 'Data loss incidents' when 'netscan' then 'Vulnerability detected' else 'Others' end) as events, count(*) as total_num from $log where $filter and utmevent is not null group by events order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
360-security-Top-Endpoing-Running-High-Risk-Application |
Endpoints Running High Risk Application |
fct-traffic |
select coalesce( nullifna(`user`), ipstr(`srcip`), & #039;Unknown') as f_user, coalesce(nullifna(hostname), 'Unknown') as host_name, threat as app, t2.app_cat as appcat, risk as d_risk from $log t1 inner join app_mdata t2 on t1.threat=t2.name where $filter and utmevent='appfirewall' and risk>='4' group by f_user, host_name, t1.threat, t2.app_cat, t2.risk order by risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Total-Event-by-Severity |
Total Events by Severity |
select sev, sum(num_events) as num_events from /*fabricStart*/ ( select ( CASE severity WHEN 0 THEN & #039;Critical' WHEN 1 THEN 'High' WHEN 2 THEN 'Medium' WHEN 3 THEN 'Low' ELSE NULL END) as sev, count(*) as num_events from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $cust_time_filter(alerttime) and $filter-drilldown group by severity order by severity desc)/*fabricEnd*/ t group by sev order by sev desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-summary-Total-Event-by-Severity-Category |
Total Events Count by Severity and Category |
select sev, triggername, sum(num_events) as num_events from /*fabricStart*/ ( select ( CASE severity WHEN 0 THEN & #039;Critical' WHEN 1 THEN 'High' WHEN 2 THEN 'Medium' WHEN 3 THEN 'Low' ELSE NULL END) as sev, triggername, count(*) as num_events from $event t1 left join devtable_ext t2 on t1.dvid=t2.dvid where $cust_time_filter(alerttime) and $filter-drilldown group by severity, triggername order by severity desc, triggername)/*fabricEnd*/ t group by sev, triggername order by sev desc, triggername
Dataset Name |
Description |
Log Category |
---|---|---|
soc-summary-Affected-Endpoint-by-HWOS |
Affected Endpoint Count by OS |
select osname, sum(count) as count from /*fabricStart*/ ( select ( case when osname is null then & #039;N/A' else osname end) as osname, count(distinct(endpoint)) as count from $incident t1 inner join $ADOM_ENDPOINT t2 on t1.epid=t2.epid where $cust_time_filter(createtime) and t2.epid>1024 group by osname order by count desc)/*fabricEnd*/ t group by osname order by count desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-summary-Incident-by-Category |
Incident Count by Category |
select cat, sum(num_cat) as num_cat from /*fabricStart*/ ( select inc_cat_encode(category) as cat, count(*) as num_cat from $incident where $cust_time_filter(createtime) group by cat order by num_cat desc ) /*fabricEnd*/ t group by cat order by num_cat desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-summary-Incident-by-Status |
Incidents by Status |
select status, sum(incnum) as incnum from /*fabricStart*/ ( select status, count(*) as incnum from $incident where $cust_time_filter(createtime) group by status order by incnum desc ) /*fabricEnd*/ t group by status order by incnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
soc-Incident-List |
List of Incidents |
select incnum, timestamp, category, severity, status, endpoint from /*fabricStart*/ ( select incid_to_str(incid) as incnum, from_itime(createtime) as timestamp, inc_cat_encode(category) as category, severity, status, endpoint from $incident where $cust_time_filter(createtime) order by createtime desc ) /*fabricEnd*/ t order by timestamp desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Severe-High-Risk-Application |
Severe and high risk applications |
traffic |
select appcat, count(distinct app) as total_num from ###(select appid, app, appcat, apprisk, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t group by appid, app, appcat, apprisk /*SkipSTART*/order by sessions desc, bandwidth desc/*SkipEND*/)### t where $filter-drilldown and nullifna(appcat) is not null and apprisk in ('critical', 'high') group by appcat order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Threats-Prevention |
Threat Prevention |
app-ctrl |
select threat_name, count(distinct threats) as total_num from ( ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, app as threats, count(*) as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet' group by app order by total_num desc)### union all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, virus as threats, count(*) as total_num from $log-virus where $filter and nullifna(virus) is not null group by virus order by total_num desc)### union all ###(select cast('Malicious & Phishing Sites' as char(32)) as threat_name, hostname as threats, count(*) as total_num from $log-webfilter where $filter and cat in (26, 61) group by hostname order by total_num desc)### union all ###(select cast('Critical & High Intrusion Attacks' as char(32)) as threat_name, attack as threats, count(*) as total_num from $log-attack where $filter and severity in ('critical', 'high') group by attack order by total_num desc)###) t group by threat_name order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Top-High-Risk-Application |
Application risk high risk application |
traffic |
select risk as d_risk, count(distinct user_src) as users, id, name, app_cat, technology, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by app, user_src, action, utmaction order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by id, name, app_cat, technology, risk order by d_risk desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-High-Risk-Application-Behavioral-Pie-Chart |
Application Behavioral Characteristics |
traffic |
select behavior, round( sum(total_num)* 100 / sum( sum(total_num) ) over (), 2 ) as percentage from ( ###(select timestamp, (case when lower(appcat)='botnet' then 'malicious' when lower(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('storage.backup', 'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p' then 'peer-to-peer' when lower(appcat)='proxy' then 'proxy' end) as behavior, sum(sessions) as total_num from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### t where lower(appcat) in ('botnet', 'remote.access', 'storage.backup', 'video/audio', 'p2p', 'proxy') and apprisk in ('critical', 'high') group by timestamp, behavior order by total_num desc)### union all ###(select $flex_timestamp as timestamp, 'malicious' as behavior, count(*) as total_num from $log-attack where $filter and (logflag&16>0) and severity in ('critical', 'high') group by timestamp, behavior order by total_num desc)###) t where $filter-drilldown group by behavior order by percentage desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-High-Risk-Apps-Behavioral-Timeline |
Application Behavioral Timeline |
traffic |
select $flex_timescale(timestamp) as hodex, behavior, sum(total_num) as total_num from ( ###(select timestamp, (case when lower(appcat)='botnet' then 'malicious' when lower(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('storage.backup', 'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p' then 'peer-to-peer' when lower(appcat)='proxy' then 'proxy' end) as behavior, sum(sessions) as total_num from ###base(/*tag:rpt_base_t_bndwdth_sess*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, count(*) as sessions, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in from $log-traffic where $filter and (logflag&(1|32)>0) group by timestamp, dvid, srcip, dstip, epid, euid, appcat, apprisk, user_src, service /*SkipSTART*/order by timestamp desc/*SkipEND*/)base### t where lower(appcat) in ('botnet', 'remote.access', 'storage.backup', 'video/audio', 'p2p', 'proxy') and apprisk in ('critical', 'high') group by timestamp, behavior order by total_num desc)### union all ###(select $flex_timestamp as timestamp, 'malicious' as behavior, count(*) as total_num from $log-attack where $filter and (logflag&16>0) and severity in ('critical', 'high') group by timestamp, behavior order by total_num desc)###) t where $filter-drilldown group by hodex, behavior order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Top-High-Risk-Application-By-Bandwidth |
High Risk Applications by Bandwidth |
traffic |
select risk as d_risk, count(distinct user_src) as users, id, name, app_cat, technology, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by app, user_src, action, utmaction order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by id, name, app_cat, technology, risk order by d_risk desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Top-Web-Applications |
Top 25 Web Applications by Bandwidth |
traffic |
select risk as d_risk, id, name, technology, count(distinct user_src) as user_num, sum(bandwidth) as bandwidth, sum(num_session) as num_session from ###(select appid, user_src, sum(bandwidth) as bandwidth, sum(sessions) as num_session from ###base(/*tag:rpt_base_t_top_app*/select $flex_timestamp as timestamp, dvid, srcip, dstip, epid, euid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, service, appid, app, appcat, apprisk, hostname, sum(coalesce(rcvddelta, rcvdbyte, 0)) as traffic_in, sum(coalesce(sentdelta, sentbyte, 0)) as traffic_out, sum(coalesce(sentdelta, sentbyte, 0)+coalesce(rcvddelta, rcvdbyte, 0)) as bandwidth, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log-traffic where $filter and (logflag&(1|32)>0) and nullifna(app) is not null group by timestamp, dvid, srcip, dstip, epid, euid, user_src, service, appid, app, appcat, apprisk, hostname order by sessions desc, bandwidth desc)base### t where nullifna(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') group by appid, user_src order by bandwidth desc)### t1 inner join app_mdata t2 on t1.appid=t2.id group by d_risk, id, name, technology order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Top-Visited-Web-Categories |
Top 25 Web Categories Visited |
traffic |
select catdesc, count(distinct f_user) as user_num, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not null and (logflag&1>0) and (countweb>0 or ((logver is null or logver<502000000) and (hostname is not null or utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')))) group by f_user, catdesc order by sessions desc)### t group by catdesc order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Top-Application-Vulnerability |
Application vulnerabilities discovered |
attack |
select attack, attackid, vuln_type, cve, severity_number, count( distinct ( CASE WHEN direction =& #039;incoming' THEN srcip ELSE dstip END)) as victims, count(distinct (CASE WHEN direction='incoming' THEN dstip ELSE srcip END)) as sources, sum(totalnum) as totalnum from ###(select attack, attackid, (case when severity='critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, direction, dstip, srcip, count(*) as totalnum from $log where $filter and nullifna(attack) is not null and severity is not null group by attack, attackid, severity, direction, dstip, srcip order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Files-FortiCloud-Sandbox-Analyzed |
Files FortiCloud Sandbox Analyzed |
virus |
select $fv_line_timescale(timestamp) as dom, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, count(*) as total_num from $log where $filter and nullifna(filename) is not null and logid_to_int(logid)=9233 group by timestamp order by total_num desc)### t group by dom order by dom
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Malicious-Files-Detected-By-FortiCloud-Sandbox |
Files detected by FortiCloud Sandbox |
virus |
select filename, analyticscksum, count(distinct victim) as victims, count(distinct source) as source from ###(select filename, analyticscksum,(CASE WHEN direction='incoming' THEN dstip ELSE srcip END) as source, (CASE WHEN direction='incoming' THEN srcip ELSE dstip END) as victim, count(*) as totalnum from $log where $filter and filename is not null and logid_to_int(logid)=9233 and analyticscksum is not null group by filename, analyticscksum, source, victim order by totalnum desc)### t group by filename, analyticscksum order by victims desc, source desc
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-High-Risk-Category-App-by-Bandwidth |
High Risk Applications and Categories by Bandwidth |
traffic |
select app_cat, name, bandwidth, sum(bandwidth) over (partition by app_cat) as sub_bandwidth from ( select app_cat, name, sum(bandwidth) as bandwidth from ###(select app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, utmaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by app, user_src, action, utmaction order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by app_cat, name order by bandwidth desc) t order by sub_bandwidth desc, app_cat
Dataset Name |
Description |
Log Category |
---|---|---|
Apprisk-Ctrl-Malware-Virus-Botnet-Spyware-by-Count |
Malware: Viruses, Bots, Spyware/Adware by Count |
traffic |
select malware_type, virus, totalnum, sum(totalnum) over (partition by malware_type) as sub_totalnum from ( select ( case when lower(appcat)=& #039;botnet' then 'Botnet C&C' else (case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%' then 'Adware' else 'Virus' end) end) as malware_type, virus_s as virus, sum(total_num) as totalnum from (###(select app as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and lower(appcat)='botnet' group by virus_s, appcat, dstip, srcip order by total_num desc)### union all ###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, dstip, srcip, count(*) as total_num from $log-traffic where $filter and (logflag&1>0) and virus is not null group by virus_s, appcat, dstip, srcip order by total_num desc)### union all ###(select attack as virus_s, 'null' as appcat, dstip, srcip, count(*) as total_num from $log-attack where $filter and (logflag&16>0) group by virus_s, appcat, dstip, srcip order by total_num desc)###) t group by malware_type, virus order by totalnum desc ) t order by sub_totalnum desc, malware_type
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-Audit-Entry-Fail-List |
Security Rating Audit Entry Fail List |
select audit_entry, max(compliance) as compliance, sum(count) as count, rtrim( to_char( sum(score), & #039;FM99999999D999'), '.') as score from /*fabricStart*/(select audit_entry, failed as count, compliance, score from (select audit_entry, max(compliance) as compliance, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, devid, result, sum(score) as score, '(' || string_agg(distinct compliance, ',') || ')' as compliance from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, '$security-standard ' || compliance as compliance from (select td.*, reporttype, audit_entry, compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, json_array_elements_text(audit_result->'$security-standard') as compliance, json_array_elements(audit_result->'instances') as instance from (select dvid, reporttype, (json_each((data->'results')::json)).key as audit_entry, (json_each((data->'results')::json)).value as audit_result from (select distinct on(dvid, reporttype) dvid, reporttype, data from $ADOMTBL_PLHD_AUDIT_HST t where $cust_time_filter(itime) order by dvid, reporttype, itime desc) t) t where audit_result->'$security-standard' is not NULL) t inner join devtable_ext td on td.dvid = t.dvid) t where $filter-drilldown) t group by audit_entry, devid, result) t group by audit_entry) t where failed>0 order by count desc, audit_entry)/*fabricEnd*/ t group by audit_entry order by count desc, audit_entry
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-Audit-Entry-Unmet-List |
Security Rating Audit Entry Unmet List |
select audit_entry, unmet as count, compliance, rtrim( to_char( score, & #039;FM99999999D999'), '.') as score from /*fabricStart*/(select audit_entry, max(compliance) as compliance, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, devid, result, sum(score) as score, '(' || string_agg(distinct compliance, ',') || ')' as compliance from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, '$security-standard ' || compliance as compliance from (select td.*, reporttype, audit_entry, compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, json_array_elements_text(audit_result->'$security-standard') as compliance, json_array_elements(audit_result->'instances') as instance from (select dvid, reporttype, (json_each((data->'results')::json)).key as audit_entry, (json_each((data->'results')::json)).value as audit_result from (select distinct on(dvid, reporttype) dvid, reporttype, data from $ADOMTBL_PLHD_AUDIT_HST t where $cust_time_filter(itime) order by dvid, reporttype, itime desc) t) t where audit_result->'$security-standard' is not NULL) t inner join devtable_ext td on td.dvid = t.dvid) t where $filter-drilldown) t group by audit_entry, devid, result) t group by audit_entry)/*fabricEnd*/ t where failed=0 and unmet>0 order by count desc, audit_entry
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-Audit-Entry-Pass-List |
Security Rating Audit Entry Pass List |
select audit_entry, passed as count, compliance, rtrim( to_char( score, & #039;FM99999999D999'), '.') as score from /*fabricStart*/(select audit_entry, max(compliance) as compliance, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, devid, result, sum(score) as score, '(' || string_agg(distinct compliance, ',') || ')' as compliance from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, '$security-standard ' || compliance as compliance from (select td.*, reporttype, audit_entry, compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, json_array_elements_text(audit_result->'$security-standard') as compliance, json_array_elements(audit_result->'instances') as instance from (select dvid, reporttype, (json_each((data->'results')::json)).key as audit_entry, (json_each((data->'results')::json)).value as audit_result from (select distinct on(dvid, reporttype) dvid, reporttype, data from $ADOMTBL_PLHD_AUDIT_HST t where $cust_time_filter(itime) order by dvid, reporttype, itime desc) t) t where audit_result->'$security-standard' is not NULL) t inner join devtable_ext td on td.dvid = t.dvid) t where $filter-drilldown) t group by audit_entry, devid, result) t group by audit_entry)/*fabricEnd*/ t where failed=0 and unmet=0 and exempt=0 and passed>0 order by score desc, audit_entry
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-Audit-Entry-Exempt-List |
Security Rating Audit Entry Exempt List |
select audit_entry, exempt as count, compliance, rtrim( to_char( score, & #039;FM99999999D999'), '.') as score from /*fabricStart*/(select audit_entry, max(compliance) as compliance, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, devid, result, sum(score) as score, '(' || string_agg(distinct compliance, ',') || ')' as compliance from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, '$security-standard ' || compliance as compliance from (select td.*, reporttype, audit_entry, compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, json_array_elements_text(audit_result->'$security-standard') as compliance, json_array_elements(audit_result->'instances') as instance from (select dvid, reporttype, (json_each((data->'results')::json)).key as audit_entry, (json_each((data->'results')::json)).value as audit_result from (select distinct on(dvid, reporttype) dvid, reporttype, data from $ADOMTBL_PLHD_AUDIT_HST t where $cust_time_filter(itime) order by dvid, reporttype, itime desc) t) t where audit_result->'$security-standard' is not NULL) t inner join devtable_ext td on td.dvid = t.dvid) t where $filter-drilldown) t group by audit_entry, devid, result) t group by audit_entry)/*fabricEnd*/ t where failed=0 and unmet=0 and exempt>0 order by score desc, audit_entry
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-Stats-Status-Details |
Security Rating Statistics |
select audit_entry, devtype, devid, scope, severity, rtrim( to_char( sum(score), & #039;FM99999999D999'), '.') AS score, result, string_agg(distinct (CASE WHEN compliance = 'None' THEN NULL ELSE compliance END), ',') AS compliance from /*fabricStart*/(select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, '$security-standard ' || compliance as compliance from (select audit_entry, instance, json_array_elements_text(compliances) as compliance from (select td.*, reporttype, audit_entry, compliances, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'$security-standard') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-Stats-Recommendation |
Security Rating Statistics Recommendation |
select audit_entry, devtype, devid, scope, severity, rtrim( to_char( score, & #039;FM99999999D999'), '.') as score, result, max(recommendation) as recommendation from /*fabricStart*/(select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, '$security-standard ' || compliance as compliance from (select audit_entry, instance, json_array_elements_text(compliances) as compliance from (select td.*, reporttype, audit_entry, compliances, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'$security-standard') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-Stats-Status-Count |
Security Rating Statistic Status Count |
select unnest(name) as stats, unnest(val) as value from ( select array[ & #039;Failed', 'Unmet', 'Passed','Exempt'] as name, array[ count(distinct (case when failed>0 then audit_entry end)), count(distinct (case when failed=0 and unmet>0 then audit_entry end)), count(distinct (case when failed=0 and unmet=0 and exempt=0 and passed>0 then audit_entry end)), count(distinct (case when failed=0 and unmet=0 and exempt>0 then audit_entry end))] as val from /*fabricStart*/(select audit_entry, max(compliance) as compliance, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, devid, result, sum(score) as score, '(' || string_agg(distinct compliance, ',') || ')' as compliance from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, '$security-standard ' || compliance as compliance from (select td.*, reporttype, audit_entry, compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, json_array_elements_text(audit_result->'$security-standard') as compliance, json_array_elements(audit_result->'instances') as instance from (select dvid, reporttype, (json_each((data->'results')::json)).key as audit_entry, (json_each((data->'results')::json)).value as audit_result from (select distinct on(dvid, reporttype) dvid, reporttype, data from $ADOMTBL_PLHD_AUDIT_HST t where $cust_time_filter(itime) order by dvid, reporttype, itime desc) t) t where audit_result->'$security-standard' is not NULL) t inner join devtable_ext td on td.dvid = t.dvid) t where $filter-drilldown) t group by audit_entry, devid, result) t group by audit_entry)/*fabricEnd*/ t) t
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Control-Result-Count |
Security Rating CIS Control Result by Count |
select unnest(name) as stats, unnest(val) as value from ( select array[ & #039;Failed', 'Passed', 'Exempt', 'Unmet'] as name, array[ count(distinct (case when failed>0 then cis_sub_control_id||devid||fsbp_id end)), count(distinct (case when failed=0 and unmet=0 and exempt=0 and passed>0 then cis_sub_control_id||devid||fsbp_id end)), count(distinct (case when failed=0 and unmet=0 and exempt>0 then cis_sub_control_id||devid||fsbp_id end)), count(distinct (case when failed=0 and unmet>0 then cis_sub_control_id||devid||fsbp_id end)) ] as val from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Control-Compliance-Results |
Security Rating CIS Control Compliance Results |
select & #039;CIS Controls '||unnest(name) as stats, unnest(val) as value from (select array['Failed', 'Passed'] as name, array[ count(distinct (case when failed>0 or (failed=0 and passed=0) then cis_sub_control_id end)), count(distinct (case when failed = 0 and passed>0 then cis_sub_control_id end)) ] as val from (select cis_sub_control_id, count(distinct (case when failed>0 or unmet>0 or exempt>0 then devid end)) as failed, count(distinct (case when failed=0 and unmet=0 and exempt=0 and passed>0 then devid end)) as passed from (select cis_sub_control_id, devid, sum(failed) as failed, sum(passed) as passed, sum(unmet) as unmet, sum(exempt) as exempt from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Control-Overview |
Security Rating CIS Control Overview |
select ( case when cis_sub>0 then & #039;CIS Control '||cis||'.'||cis_sub else 'CIS Control '||cis end) as cis_control, title, passed, failed from (select cis, cis_sub, title, count(distinct (case when failed=0 and unmet=0 and exempt=0 and passed>0 then devid end)) as passed, count(distinct (case when failed>0 or unmet>0 or exempt>0 then devid end)) as failed from ((select cis, cis_sub, devid, title, sum(failed) as failed, sum(passed) as passed, sum(unmet) as unmet, sum(exempt) as exempt from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Control-Result-List |
Security Rating CIS Control Result List |
select cis, name, description, count( distinct ( case when failed>0 then cis_sub || devid || fsbp_id end ) ) as total_failed, count( distinct ( case when failed = 0 and unmet>0 then cis_sub || devid || fsbp_id end ) ) as total_unmet, count( distinct ( case when failed = 0 and unmet = 0 and exempt = 0 and passed>0 then cis_sub || devid || fsbp_id end ) ) as total_passed, count( distinct ( case when failed = 0 and unmet = 0 and exempt>0 and passed = 0 then cis_sub || devid || fsbp_id end ) ) as total_exempt from /*fabricStart*/ ( select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum( case when result =& #039;passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Result-List |
Security Rating CIS Sub Control Result List |
select cis_sub_control_id, cis, cis_sub, asset_type, title, count(distinct devid || fsbp_id) as total_num from /*fabricStart*/ ( select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum( case when result =& #039;passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Failed-Result-List |
Security Rating CIS Sub Control Fail List |
select title, count(distinct devid || fsbp_id) as total_num, string_agg( distinct compliance, & #039;,') as compliance, sum(score) as score from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Failed-Stats-Recommendation |
Security Rating CIS Sub Control Failed Statistics Recommendation |
select cis, cis_sub, devtype, devid, compliance, severity, rtrim( to_char( sum(score), & #039;FM99999999D999'), '.') as score, result, recommendation from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Unmet-Result-List |
Security Rating CIS Sub Control Unmet List |
select title, count(distinct devid || fsbp_id) as total_num, string_agg( distinct compliance, & #039;,') as compliance, sum(score) as score from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Unmet-Stats-Recommendation |
Security Rating CIS Sub Control Unmet Statistics Recommendation |
select cis, cis_sub, devtype, devid, compliance, severity, rtrim( to_char( sum(score), & #039;FM99999999D999'), '.') as score, result, recommendation from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Passed-Result-List |
Security Rating CIS Sub Control Passed List |
select title, count(distinct devid || fsbp_id) as total_num, string_agg( distinct compliance, & #039;,') as compliance, sum(score) as score from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Passed-Stats-Recommendation |
Security Rating CIS Sub Control Passed Statistics Recommendation |
select cis, cis_sub, devtype, devid, compliance, severity, rtrim( to_char( sum(score), & #039;FM99999999D999'), '.') as score, result, recommendation from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Exempt-Result-List |
Security Rating CIS Sub Control Exempt List |
select title, count(distinct devid || fsbp_id) as total_num, string_agg( distinct compliance, & #039;,') as compliance, sum(score) as score from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
security-Rating-CIS-Sub-Control-Exempt-Stats-Recommendation |
Security Rating CIS Sub Control Exempt Statistics Recommendation |
select cis, cis_sub, devtype, devid, compliance, severity, rtrim( to_char( sum(score), & #039;FM99999999D999'), '.') as score, result, recommendation from /*fabricStart*/(select devid, devtype, scope, result, severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description, recommendation, sum(case when result='passed' then 1 else 0 end) as passed, sum(case when result='exempt' then 1 else 0 end) as exempt, sum(case when result='failed' then 1 else 0 end) as failed, sum(case when result='dependenciesNotMet' then 1 else 0 end) as unmet, sum(score) as score from (select audit_entry, (instance->>'score')::float as score, instance->>'deviceID' as devid, instance->>'device' as devtype, (case when instance->'domain'->>'type' in ('adom-global', 'global') then 'Global' when instance->'domain'->'id' is not null then instance->'domain'->>'id' else 'Device' end) as scope, instance->'recommendation' #>> '{}' as recommendation, instance->>'result' as result, (case instance->>'result' when 'passed' then 'none' when 'exempt' then 'low' else instance->>'severity' end) as severity, compliance, cis, cis_sub, cis_sub_control_id, asset_type, title, fsbp_id, name, description from (select t1.cis_control_id as cis, split_part(t1.cis_sub_control_id, '.', 2)::int as cis_sub, t1.cis_sub_control_id, asset_type, title, fsbp_id, t2.name, t2.description from fsbp_cis_mdata t1 inner join cis_control_mdata t2 on t1.cis_control_id = t2.cis_control_id) t1 left join (select td.*, reporttype, audit_entry, json_array_elements_text(compliances) as compliance, instance from (select dvid, reporttype, json_build_object('name', audit_entry, 'desc', audit_result->>'description')::text as audit_entry, (case when json_array_length(audit_result->'FSBP') = 0 then '[\
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Total-Managed-vs-Unmanaged-Apps |
Total Managed vs Unmanaged Cloud Apps |
app-ctrl |
select ( case when action =& #039;pass' then 'Managed' else 'Unmanaged' end) as type, count(distinct app) as total_num from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid group by type
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Total-Managed-vs-Unmanaged-Users |
Total Managed vs Unmanaged Cloud App Users |
app-ctrl |
select ( case when action =& #039;pass' then 'Managed' else 'Unmanaged' end) as type, count(distinct user_src) as total_num from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid group by type
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Total-Data-Volume |
Total Shadow IT Cloud App Data Volume |
app-ctrl |
select direction, volume from ( select unnest(traffic_direction) as direction, unnest(traffic_volume) as volume from ( select array[ & #039;Download', 'Upload'] as traffic_direction, array[sum(download_size), sum(upload_size)] as traffic_volume from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid) t) t where volume > 0
Dataset Name |
Description |
Log Category |
---|---|---|
dlp-Total-Allow-vs-Block-Actions |
Total DLP Allow vs Block Actions |
dlp |
select ( case when action = & #039;pass' then 'Allow' else 'Block' end) as type, sum(sessions) as sessions from ###(select hostname, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, severity, filename, sensitivity, service, profile, count(*) as sessions from $log where $filter and hostname is not null and action in ('pass', 'block') group by hostname, user_src, action, severity, filename, sensitivity, service, profile order by sessions desc)### t group by type
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Total-Appctrl-vs-Inline-CASB-Upload-Size |
Total App Control vs Inline CASB Upload Size |
app-ctrl |
select type, upload_size from ( ( select & #039;App Control' as type, sum(upload_size) as upload_size from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid group by type) union all (select 'Inline CASB' as type, sum(upload_size) as upload_size from ###(select saasname, srcip, dstip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions, sum(case when accessctrl='upload' THEN coalesce(sentbyte, 0) ELSE 0 END) AS upload_size from $log-traffic where $filter and (logflag&1>0) and saasname is not null group by saasname, srcip, dstip, user_src order by sessions desc)### t group by type)) t where upload_size > 0
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-App-Actions-by-Session |
Cloud App Actions by Session |
app-ctrl |
select ( case when action =& #039;block' then 'Block' when action='reset' then 'Reset' else 'Allow' end) as action, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid group by action order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-App-Categories-by-Session |
Cloud App Categories by Session |
app-ctrl |
select attributes ->& #039;Information'->>'Category' as category, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid group by category order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-App-Risk-Levels-by-Session |
Cloud App Risk Levels by Session |
app-ctrl |
select ( case when riskscore between 1 and 15 then & #039;Low' when riskscore between 16 and 30 then 'Guarded' when riskscore between 31 and 50 then 'Elevated' when riskscore between 51 and 70 then 'High' when riskscore between 71 and 100 then 'Severe' else 'N/A' end) as risk_level, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid group by risk_level order by risk_level desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Managed-Cloud-App-Users-by-Requests |
Top Managed Cloud App Users by Requests |
app-ctrl |
select user_src, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action = 'pass' group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Unmanaged-Cloud-App-Users-by-Requests |
Top Unmanaged Cloud App Users by Requests |
app-ctrl |
select user_src, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action != 'pass' group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Cloud-App-Users-by-Risk-Score |
Top Cloud App Users by Risk Score |
app-ctrl |
select user_src, sum(riskscore * sessions) as riskscore from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid group by user_src order by riskscore desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Malware-Types-by-Occurrences |
Cloud App Malware Types by Occurrences |
traffic |
select malware_type, sum(sessions) as sessions from ( select ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, app, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where virus is not null group by malware_type, app order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname group by malware_type order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Malware-Actions-by-Occurrences |
Cloud App Malware Actions by Occurrences |
traffic |
select ( case when action_flag = 1 then & #039;Block' when action_flag=2 then 'Allow' else 'Reset' end) as action, sum(sessions) as sessions from (select action_flag, app, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where virus is not null group by action_flag, app order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname where action_flag>0 group by action
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Malwares-by-Occurrences |
Top Cloud App Malwares by Occurrences |
traffic |
select virus, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(session_block) as session_block, sum(sessions)-sum(session_block) as session_pass, sum(sessions) as sessions from (select virus, app, sum(session_block) as session_block, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where virus is not null group by virus, app order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname group by virus, malware_type order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Malware-Victims-by-Occurrences |
Top Cloud App Malware Victims by Occurrences |
traffic |
select user_src, sum(sessions) as sessions from ( select user_src, app, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where virus is not null group by user_src, app order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Managed-Apps-by-Risk |
Top Managed Cloud Apps by Risk |
app-ctrl |
select ( case when riskscore between 1 and 15 then & #039;Info' when riskscore between 16 and 30 then 'Low' when riskscore between 31 and 50 then 'Medium' when riskscore between 51 and 70 then 'High' when riskscore between 71 and 100 then 'Critical' else 'Info' end) as risk_level, riskscore, appname, attributes->'Information'->>'Category' as category, count(distinct user_src) as num_users, replace(right(left(attributes->>'Compliance', -1), -1), '`', '') as compliance from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action='pass' group by risk_level, riskscore, appname, category, compliance order by riskscore desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Unmanaged-Apps-by-Risk |
Top Unmanaged Cloud Apps by Risk |
app-ctrl |
select ( case when riskscore between 1 and 15 then & #039;Info' when riskscore between 16 and 30 then 'Low' when riskscore between 31 and 50 then 'Medium' when riskscore between 51 and 70 then 'High' when riskscore between 71 and 100 then 'Critical' else 'Info' end) as risk_level, riskscore, appname, attributes->'Information'->>'Category' as category, count(distinct user_src) as num_users, replace(right(left(attributes->>'Compliance', -1), -1), '`', '') as compliance from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action!='pass' group by risk_level, riskscore, appname, category, compliance order by riskscore desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-App-Vulnerability-Risk-Levels-by-Occurrences |
Cloud App Vulnerability Risk Levels by Occurrences |
traffic |
select ( case when riskscore between 1 and 15 then & #039;Info' when riskscore between 16 and 30 then 'Low' when riskscore between 31 and 50 then 'Medium' when riskscore between 51 and 70 then 'High' when riskscore between 71 and 100 then 'Critical' else 'Info' end) as severity, sum(sessions) as sessions from (select attack, app, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where attack is not null group by attack, app order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname left join (select name, id, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by severity order by severity desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-App-Vulnerability-Types-by-Occurrences |
Cloud App Vulnerability Types by Occurrences |
traffic |
select vuln_type, sum(sessions) as sessions from ( select attack, app, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where attack is not null group by attack, app order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname left join (select name, id, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name where vuln_type is not null group by vuln_type order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-App-Vulnerability-Actions-by-Occurrences |
Cloud App Vulnerability Actions by Occurrences |
traffic |
select ( case when action_flag = 1 then & #039;Block' when action_flag=2 then 'Allow' else 'Reset' end) as action, sum(sessions) as sessions from (select attack, app, action_flag, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where attack is not null group by attack, app, action_flag order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname left join (select name, id, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name where action_flag>0 group by action order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-App-Vulnerabilities-by-Severity |
Top App Vulnerabilities by Severity |
traffic |
select attack, id as attackid, vuln_type, cve, ( case when riskscore between 1 and 15 then & #039;Info' when riskscore between 16 and 30 then 'Low' when riskscore between 31 and 50 then 'Medium' when riskscore between 51 and 70 then 'High' when riskscore between 71 and 100 then 'Critical' else 'Info' end) as severity, count(distinct victim) as victims, count(distinct source) as sources, sum(session_block) as session_block, sum(sessions)-sum(session_block) as session_pass, sum(sessions) as sessions from (select attack, app, victim, source, sum(session_block) as session_block, sum(sessions) as sessions from ###(select attack, virus, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN (logflag&128>0) THEN srcip ELSE dstip END) as victim, (CASE WHEN (logflag&128>0) THEN dstip ELSE srcip END) as source, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and nullifna(app) is not null and (attack is not null or virus is not null) group by attack, virus, app, user_src, victim, source, action_flag order by sessions desc)### t where attack is not null group by attack, app, victim, source order by sessions desc) t1 inner join shadowit_application t2 on t1.app=t2.appname left join (select name, id, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by attack, attackid, vuln_type, severity, cve order by severity desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Managed-Apps-by-Upload-Size-Timeline |
Top Managed Cloud Apps by Upload Size Timeline |
app-ctrl |
select hodex, t1.appname, t1.upload_size from ( select $flex_timestamp(timestamp) as hodex, appname, sum(upload_size) as upload_size from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action = 'pass' group by hodex, appname having sum(upload_size)>0 order by hodex) t1 inner join (select appname, sum(upload_size) as upload_size from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action = 'pass' group by appname order by upload_size desc limit $ddown-top) t2 on t1.appname=t2.appname order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Managed-Apps-by-Upload-Size |
Top Managed Cloud Apps by Upload Size |
app-ctrl |
select ( case when riskscore between 1 and 15 then & #039;Info' when riskscore between 16 and 30 then 'Low' when riskscore between 31 and 50 then 'Medium' when riskscore between 51 and 70 then 'High' when riskscore between 71 and 100 then 'Critical' else 'Info' end) as risk_level, riskscore, appname, attributes->'Information'->>'Category' as category, count(distinct user_src) as num_users, replace(right(left(attributes->>'Compliance', -1), -1), '`', '') as compliance, sum(upload_size) as upload_size from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action = 'pass' group by risk_level, riskscore, appname, category, compliance having sum(upload_size)>0 order by upload_size desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Managed-Apps-by-User-Num-Timeline |
Top Managed Cloud Apps by Total Users Timeline |
app-ctrl |
select hodex, t1.appname, t1.num_users from ( select $flex_timestamp(timestamp) as hodex, appname, count(distinct user_src) as num_users from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action = 'pass' group by hodex, appname order by hodex) t1 inner join (select appname, count(distinct user_src) as num_users from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action = 'pass' group by appname order by num_users desc limit $ddown-top) t2 on t1.appname=t2.appname order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Managed-Apps-by-User-Num |
Top Managed Cloud Apps by Total Users |
app-ctrl |
select ( case when riskscore between 1 and 15 then & #039;Info' when riskscore between 16 and 30 then 'Low' when riskscore between 31 and 50 then 'Medium' when riskscore between 51 and 70 then 'High' when riskscore between 71 and 100 then 'Critical' else 'Info' end) as risk_level, riskscore, appname, attributes->'Information'->>'Category' as category, count(distinct user_src) as num_users, replace(right(left(attributes->>'Compliance', -1), -1), '`', '') as compliance from ###(select $flex_timestamp as timestamp, app, siappid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, sum(case when cloudaction='upload' then coalesce(filesize, 0) else 0 end) as upload_size, sum(case when cloudaction='download' or (cloudaction='others' and app like '%Video%') then coalesce(filesize, 0) else 0 end) as download_size, count(*) as sessions from $log-app-ctrl where $filter and siappid is not null and action in ('pass', 'block', 'reset') group by timestamp, app, siappid, action, user_src order by sessions desc)### t1 inner join shadowit_application t2 on t1.siappid=t2.appid where action = 'pass' group by risk_level, riskscore, appname, category, compliance order by num_users desc
Dataset Name |
Description |
Log Category |
---|---|---|
dlp-Total-DLP-Events-by-Severity |
Total DLP Events by Severity |
dlp |
select severity, sum(sessions) as sessions from ###(select hostname, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, severity, filename, sensitivity, service, profile, count(*) as sessions from $log where $filter and hostname is not null and action in ('pass', 'block') group by hostname, user_src, action, severity, filename, sensitivity, service, profile order by sessions desc)### t group by severity order by severity desc
Dataset Name |
Description |
Log Category |
---|---|---|
dlp-Total-DLP-Events-by-Sensitivity |
Total DLP Events by Sensitivity |
dlp |
select coalesce( sensitivity, & #039;Unclassified') as sensitivity, sum(sessions) as sessions from ###(select hostname, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, severity, filename, sensitivity, service, profile, count(*) as sessions from $log where $filter and hostname is not null and action in ('pass', 'block') group by hostname, user_src, action, severity, filename, sensitivity, service, profile order by sessions desc)### t group by sensitivity order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
dlp-Total-DLP-Events-by-Action |
Total DLP Events by Action |
dlp |
select ( case when action = & #039;pass' then 'Allow' else 'Block' end) as type, sum(sessions) as sessions from ###(select hostname, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, severity, filename, sensitivity, service, profile, count(*) as sessions from $log where $filter and hostname is not null and action in ('pass', 'block') group by hostname, user_src, action, severity, filename, sensitivity, service, profile order by sessions desc)### t group by type
Dataset Name |
Description |
Log Category |
---|---|---|
dlp-Top-DLP-Events-by-Severity |
Top DLP Events by Severity |
dlp |
select severity, hostname, user_src, filename, coalesce( sensitivity, & #039;Unclassified') as sensitivity, service, profile, sum(case when action = 'pass' then sessions else 0 end) as session_pass, sum(case when action = 'block' then sessions else 0 end) as session_block, sum(sessions) as sessions from ###(select hostname, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, action, severity, filename, sensitivity, service, profile, count(*) as sessions from $log where $filter and hostname is not null and action in ('pass', 'block') group by hostname, user_src, action, severity, filename, sensitivity, service, profile order by sessions desc)### t where hostname is not null and action in ('pass', 'block') group by severity, hostname, user_src, filename, sensitivity, service, profile order by severity desc
Dataset Name |
Description |
Log Category |
---|---|---|
shadowit-Top-Inline-CASB-Apps-by-Upload-Size |
Top Inline CASB Apps by Upload Size |
traffic |
select saasname, srcip, dstip, user_src, sum(session_block) as session_block, sum(sessions)- sum(session_block) as session_pass, sum(sessions) as sessions, sum(upload_size) as upload_size from ###(select saasname, srcip, dstip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, count(*) as sessions, sum(case when accessctrl='upload' THEN coalesce(sentbyte, 0) ELSE 0 END) AS upload_size from $log-traffic where $filter and (logflag&1>0) and saasname is not null group by saasname, srcip, dstip, user_src order by sessions desc)### t group by saasname, srcip, dstip, user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Asset-OS-by-Count |
OT Zone OS by Asset Count |
traffic |
select ( case when osname is null then & #039;Unknown OS' else osname end) as osname, count(distinct epid) as total_num from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by osname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Asset-OS-by-Count |
IT Zone OS by Asset Count |
traffic |
select ( case when osname is null then & #039;Unknown OS' else osname end) as osname, count(distinct epid) as total_num from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by osname order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Application-Vulnerabilities-by-Risk-Level |
OT Zone Application Vulnerabilities by Risk Level |
attack |
select severity, ( case when severity =& #039;critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, count(distinct t1.attack) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by severity, severity_number order by severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Application-Vulnerabilities-by-Type |
OT Zone Application Vulnerabilities by Type |
attack |
select vuln_type, count(distinct t1.attack) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name where vuln_type is not null group by vuln_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Application-Vulnerabilities-by-Action |
OT Zone Application Vulnerabilities by Action |
attack |
select ( case when action_flag = 1 then & #039;Allow' when action_flag=2 then 'Reset' else 'Block' end) as action, count(distinct t1.attack) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by action order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-Application-Vulnerability-by-Risk-Level |
Top OT Zone Application Vulnerabilities by Risk Level |
attack |
select attack, attackid, vuln_type, cve, ( case when severity =& #039;critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, count(distinct (CASE WHEN direction='incoming' THEN srcip ELSE dstip END)) as victims, count(distinct (CASE WHEN direction='incoming' THEN dstip ELSE srcip END)) as sources, sum(case when action_flag=3 then totalnum else 0 end) as total_block, sum(case when action_flag!=3 then totalnum else 0 end) as total_allow, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-High-Risk-Apps-by-Risk-Level |
OT Zone High Risk Applications by Risk Level |
traffic |
select & #039;Risk' || risk as severity, risk as d_risk, count(distinct app) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='2' group by severity, d_risk order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-High-Risk-Apps-by-Category |
OT Zone High Risk Applications by Category |
traffic |
select ( case when proto = 6 then & #039;TCP' when proto=17 then 'UDP' else 'N/A' end) as protocol, count(distinct app) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='2' group by protocol order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-High-Risk-Apps-by-Action |
OT Zone High Risk Applications by Action |
traffic |
select ( case when action_flag = 1 then & #039;Block' when action_flag=2 then 'Allow' else 'Reset' end) as action, count(distinct app) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='2' and action_flag>0 group by action order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-High-Risk-Apps-by-Risk |
Top OT Zone High Risk Applications by Risk Level |
traffic |
select risk as d_risk, name, max( ( case when proto = 6 then & #039;TCP' || dstport when proto=17 then 'UDP' || dstport else 'N/A' end)) as port, max(srcip) as asset, sum(bandwidth) as bandwidth, sum(session_block) as session_block, sum(sessions)-sum(session_block) as session_pass, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='2' group by d_risk, name order by d_risk desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-Asset-by-Threat-Score |
Top OT Zone Assets by Threat Score |
traffic |
select srcip, & #039;Level ' || min(purduelevel) as purduelevel, sum(scores) as scores from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by srcip having sum(scores)>0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-High-Risk-Apps-By-Bandwidth-Timeline |
Top OT Applications by Bandwidth Timeline |
traffic |
select hodex, t1.app, t1.bandwidth from ( select $flex_timescale(timestamp) as hodex, app, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by hodex, app having sum(bandwidth)>0 order by hodex) t1 inner join (select app, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by app order by bandwidth desc limit $ddown-top) t2 on t1.app=t2.app order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-High-Risk-Apps-by-Bandwidth |
Top OT Zone High Risk Applications by Bandwidth |
traffic |
select risk as d_risk, name, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by d_risk, name, app_cat, technology order by bandwidth desc, d_risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-High-Risk-Apps-By-Sessions-Timeline |
Top OT Applications by Sessions Timeline |
traffic |
select hodex, t1.app, t1.sessions from ( select $flex_timescale(timestamp) as hodex, app, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by hodex, app having sum(sessions)>0 order by hodex) t1 inner join (select app, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by app order by sessions desc limit $ddown-top) t2 on t1.app=t2.app order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-High-Risk-Apps-by-Sessions |
Top OT Zone High Risk Applications by Sessions |
traffic |
select risk as d_risk, name, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by d_risk, name, app_cat, technology order by sessions desc, d_risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Traffic-Flow-by-Bandwidth |
Top OT Zone Traffic Flow by Bandwidth |
traffic |
select srcip, dstip, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by srcip, dstip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-Asset-by-Last-External-Connection |
Top OT Zone Assets by Last External Connection |
traffic |
select srcip, min(purduelevel) as purduelevel, sum(sessions) as sessions, max(last_app) as last_app, from_dtime( max(timestamp) ) as last_seen from ( select srcip, timestamp, purduelevel, sessions, first_value(app) over ( PARTITION by srcip order by timestamp desc RANGE BETWEEN UNBOUNDED PRECEDING AND UNBOUNDED FOLLOWING ) as last_app from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3') t group by srcip order by last_seen desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
OT-Top-Asset-by-Bandwidth |
Top OT Zone Assets by Bandwidth |
traffic |
select srcip, min(purduelevel) as purduelevel, sum(bandwidth) as bandwidth, max(last_app) as last_app, sum(sessions) as sessions, max(dstip) as dstip, from_dtime( max(timestamp) ) as last_seen from ( select srcip, dstip, timestamp, purduelevel, sessions, bandwidth, first_value(app) over ( PARTITION by srcip order by timestamp desc RANGE BETWEEN UNBOUNDED PRECEDING AND UNBOUNDED FOLLOWING ) as last_app from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (20, 30, 35) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3') t group by srcip order by last_seen desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Application-Vulnerabilities-by-Risk-Level |
IT Zone Application Vulnerabilities by Risk Level |
attack |
select severity, ( case when severity =& #039;critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, count(distinct t1.attack) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by severity, severity_number order by severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Application-Vulnerabilities-by-Type |
IT Zone Application Vulnerabilities by Type |
attack |
select vuln_type, count(distinct t1.attack) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name where vuln_type is not null group by vuln_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Application-Vulnerabilities-by-Action |
IT Zone Application Vulnerabilities by Action |
attack |
select ( case when action_flag = 1 then & #039;Allow' when action_flag=2 then 'Reset' else 'Block' end) as action, count(distinct t1.attack) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by action order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-Application-Vulnerability-by-Risk-Level |
Top IT Zone Application Vulnerabilities by Risk Level |
attack |
select attack, attackid, vuln_type, cve, ( case when severity =& #039;critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, count(distinct (CASE WHEN direction='incoming' THEN srcip ELSE dstip END)) as victims, count(distinct (CASE WHEN direction='incoming' THEN dstip ELSE srcip END)) as sources, sum(case when action_flag=3 then totalnum else 0 end) as total_block, sum(case when action_flag!=3 then totalnum else 0 end) as total_allow, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, dvid, (CASE WHEN direction='incoming' THEN epid ELSE dstepid END) as ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null and (epid>1024 or dstepid>1024) group by timestamp, dvid, ep_id, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid left join (select name, cve, vuln_type from ips_mdata) t3 on t1.attack=t3.name group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-High-Risk-Apps-by-Risk-Level |
IT Zone High Risk Applications by Risk Level |
traffic |
select & #039;Risk' || risk as severity, risk as d_risk, count(distinct app) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by severity, d_risk order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-High-Risk-Apps-by-Category |
IT Zone High Risk Applications by Category |
traffic |
select app_cat, count(distinct app) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by app_cat order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-High-Risk-Apps-by-Action |
IT Zone High Risk Applications by Action |
traffic |
select ( case when action_flag = 1 then & #039;Block' when action_flag=2 then 'Allow' else 'Reset' end) as action, count(distinct app) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' and action_flag>0 group by action order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-High-Risk-Apps-by-Risk |
Top IT Zone High Risk Applications by Risk Level |
traffic |
select risk as d_risk, name, app_cat, technology, max(srcip) as asset, sum(bandwidth) as bandwidth, sum(session_block) as session_block, sum(sessions)- sum(session_block) as session_pass, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by d_risk, name, app_cat, technology order by d_risk desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-Asset-by-Threat-Score |
Top IT Zone Assets by Threat Score |
traffic |
select srcip, & #039;Level ' || min(purduelevel) as purduelevel, sum(scores) as scores from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by srcip having sum(scores)>0 order by scores desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-High-Risk-Apps-By-Bandwidth-Timeline |
Top IT Applications by Bandwidth Timeline |
traffic |
select hodex, t1.app, t1.bandwidth from ( select $flex_timescale(timestamp) as hodex, app, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by hodex, app having sum(bandwidth)>0 order by hodex) t1 inner join (select app, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by app order by bandwidth desc limit $ddown-top) t2 on t1.app=t2.app order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-High-Risk-Apps-by-Bandwidth |
Top IT Zone High Risk Applications by Bandwidth |
traffic |
select risk as d_risk, name, app_cat, sum(bandwidth) as bandwidth, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by d_risk, name, app_cat order by bandwidth desc, d_risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-High-Risk-Apps-By-Sessions-Timeline |
Top IT Applications by Sessions Timeline |
traffic |
select hodex, t1.app, t1.sessions from ( select $flex_timescale(timestamp) as hodex, app, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by hodex, app having sum(sessions)>0 order by hodex) t1 inner join (select app, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by app order by sessions desc limit $ddown-top) t2 on t1.app=t2.app order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-High-Risk-Apps-by-Sessions |
Top IT Zone High Risk Applications by Sessions |
traffic |
select risk as d_risk, name, app_cat, sum(sessions) as sessions, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name group by d_risk, name, app_cat order by sessions desc, d_risk desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Traffic-Flow-by-Bandwidth |
Top IT Zone Traffic Flow by Bandwidth |
traffic |
select srcip, dstip, sum(bandwidth) as bandwidth from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3' group by srcip, dstip order by bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-Asset-by-Last-External-Connection |
Top IT Zone Assets by Last External Connection |
traffic |
select srcip, min(purduelevel) as purduelevel, sum(sessions) as sessions, max(last_app) as last_app, from_dtime( max(timestamp) ) as last_seen from ( select srcip, timestamp, purduelevel, sessions, first_value(app) over ( PARTITION by srcip order by timestamp desc RANGE BETWEEN UNBOUNDED PRECEDING AND UNBOUNDED FOLLOWING ) as last_app from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3') t group by srcip order by last_seen desc, sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
IT-Top-Asset-by-Bandwidth |
Top IT Zone Assets by Bandwidth |
traffic |
select srcip, min(purduelevel) as purduelevel, sum(bandwidth) as bandwidth, max(last_app) as last_app, sum(sessions) as sessions, max(dstip) as dstip, from_dtime( max(timestamp) ) as last_seen from ( select srcip, dstip, timestamp, purduelevel, sessions, bandwidth, first_value(app) over ( PARTITION by srcip order by timestamp desc RANGE BETWEEN UNBOUNDED PRECEDING AND UNBOUNDED FOLLOWING ) as last_app from ###(select $flex_timestamp as timestamp, dvid, epid as ep_id, srcip, dstip, osname, proto, dstport, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(crscore%65536) as scores, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) and epid>1024 group by timestamp, dvid, ep_id, srcip, dstip, osname, proto, dstport, app, user_src, action_flag order by bandwidth desc)### t1 inner join (select epid, min(purduelevel::float/10) as purduelevel from $ADOM_ENDPOINT ep where purduelevel in (40, 50) group by epid) t2 on t1.ep_id=t2.epid inner join app_mdata t3 on t1.app=t3.name where risk>='3') t group by srcip order by last_seen desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Reconnaissance-Activities-by-Country |
Reconnaissance Activities by Country |
attack |
select srccountry, sum(incidents) as incidents from ###(select $flex_timestamp as timestamp, attack, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, srcip, dstip, srccountry, count(*) as incidents from $log-attack where $filter and attack is not null and msg like 'anomaly%' group by timestamp, attack, action_flag, srcip, dstip, srccountry order by incidents desc)### t where srccountry is not null group by srccountry order by incidents desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Reconnaissance-Activities-by-Attack |
Reconnaissance Activities by Attack |
attack |
select attack, sum(incidents) as incidents from ###(select $flex_timestamp as timestamp, attack, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, srcip, dstip, srccountry, count(*) as incidents from $log-attack where $filter and attack is not null and msg like 'anomaly%' group by timestamp, attack, action_flag, srcip, dstip, srccountry order by incidents desc)### t group by attack order by incidents desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Reconnaissance-Activities-by-Action |
Reconnaissance Activities by Action |
attack |
select ( case when action_flag = 1 then & #039;Allow' when action_flag=1 then 'Reset' else 'Block' end) as action, sum(incidents) as incidents from ###(select $flex_timestamp as timestamp, attack, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, srcip, dstip, srccountry, count(*) as incidents from $log-attack where $filter and attack is not null and msg like 'anomaly%' group by timestamp, attack, action_flag, srcip, dstip, srccountry order by incidents desc)### t group by action order by incidents desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-Reconnaissance-Activities-by-Occurrences |
Top Reconnaissance Activities by Occurrences |
attack |
select attack, srcip, dstip, sum(incidents_pass) as incidents_pass, sum(incidents)- sum(incidents_pass) as incidents_block, sum(incidents) as incidents from ( select attack, srcip, dstip, sum( case when action_flag = 1 then incidents else 0 end ) as incidents_pass, sum( case when action_flag != 2 then incidents else 0 end ) as incidents from ###(select $flex_timestamp as timestamp, attack, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, srcip, dstip, srccountry, count(*) as incidents from $log-attack where $filter and attack is not null and msg like 'anomaly%' group by timestamp, attack, action_flag, srcip, dstip, srccountry order by incidents desc)### t group by attack, srcip, dstip order by incidents desc) t group by attack, srcip, dstip order by incidents desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-High-Risk-Web-Access-Attempts-by-Category |
High Risk Web Access Attempts by Category |
webfilter |
select catdesc, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as total_num from $log-webfilter where $filter and catdesc in ('Dynamic DNS', 'Malicious Websites', 'Newly Observed Domain', 'Newly Registered Domain', 'Phishing', 'Spam URLs') group by timestamp, user_src, catdesc, action order by total_num desc)### t group by catdesc order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-High-Risk-Web-Access-Attempts-by-Action |
High Risk Web Access Attempts by Action |
webfilter |
select ( case when action =& #039;blocked' then 'Block' else 'Allow' end) as action, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as total_num from $log-webfilter where $filter and catdesc in ('Dynamic DNS', 'Malicious Websites', 'Newly Observed Domain', 'Newly Registered Domain', 'Phishing', 'Spam URLs') group by timestamp, user_src, catdesc, action order by total_num desc)### t group by action order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-High-Risk-Web-Users-by-Access-Attempts |
Top High Risk Website Users by Requests |
webfilter |
select user_src, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as total_num from $log-webfilter where $filter and catdesc in ('Dynamic DNS', 'Malicious Websites', 'Newly Observed Domain', 'Newly Registered Domain', 'Phishing', 'Spam URLs') group by timestamp, user_src, catdesc, action order by total_num desc)### t group by user_src order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-High-Risk-Apps-by-Risk-Level |
High Risk Applications by Risk Level |
traffic |
select ( case when risk =& #039;5' then 'Critical' when risk='4' then 'High' else '0' end) as severity, risk as d_risk, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by timestamp, app, user_src, action_flag order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by severity, d_risk order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-High-Risk-Apps-by-Category |
High Risk Applications by Category |
traffic |
select app_cat, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by timestamp, app, user_src, action_flag order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by app_cat order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-High-Risk-Apps-by-Action |
High Risk Applications by Action |
traffic |
select ( case when action_flag = 1 then & #039;Block' when action_flag=2 then 'Allow' else 'Reset' end) as action, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by timestamp, app, user_src, action_flag order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' and action_flag>0 group by action order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-High-Risk-Apps-by-Risk |
Top High Risk Applications by Risk |
traffic |
select risk as d_risk, name, app_cat, count(distinct user_src) as users, sum(bandwidth) as bandwidth, sum(session_block) as session_block, sum(sessions)- sum(session_block) as session_pass, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) AS session_block, count(*) as sessions from $log where $filter and (logflag&1>0) group by timestamp, app, user_src, action_flag order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by d_risk, name, app_cat order by d_risk desc, bandwidth desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-High-Risk-App-Users |
Top High Risk Application Users |
traffic |
select user_src, count(distinct app) as total_num from ###(select $flex_timestamp as timestamp, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by timestamp, app, user_src, action_flag order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by user_src order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-First-Stage-Timeline |
Cyber Kill Chain First Stage Timeline |
traffic |
select $flex_timestamp(timestamp) as hodex, type, sum(totalnum) as totalnum from ( ( select timestamp, & #039;Reconnaissance Activities' as type, sum(incidents) as totalnum from ###(select $flex_timestamp as timestamp, attack, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, srcip, dstip, srccountry, count(*) as incidents from $log-attack where $filter and attack is not null and msg like 'anomaly%' group by timestamp, attack, action_flag, srcip, dstip, srccountry order by incidents desc)### t group by timestamp, type order by totalnum desc) union all (select timestamp, 'Access Attempts to High-Risk Websites' as type, sum(total_num) as totalnum from ###(select $flex_timestamp as timestamp, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, catdesc, action, count(*) as total_num from $log-webfilter where $filter and catdesc in ('Dynamic DNS', 'Malicious Websites', 'Newly Observed Domain', 'Newly Registered Domain', 'Phishing', 'Spam URLs') group by timestamp, user_src, catdesc, action order by total_num desc)### t group by timestamp, type order by totalnum desc) union all (select timestamp, 'High-Risk Applications' as type, sum(sessions) as totalnum from ###(select $flex_timestamp as timestamp, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log where $filter and (logflag&1>0) group by timestamp, app, user_src, action_flag order by bandwidth desc)### t1 inner join app_mdata t2 on t1.app=t2.name where risk>='4' group by timestamp, type order by totalnum desc)) t group by hodex, type order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Application-Vulnerabilities-by-Risk-Level |
Application Vulnerabilities by Risk Level |
attack |
select severity, ( case when severity =& #039;critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by severity, severity_number order by severity_number desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Application-Vulnerabilities-by-Type |
Application Vulnerabilities by Type |
attack |
select vuln_type, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where vuln_type is not null group by vuln_type order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Application-Vulnerabilities-by-Action |
Application Vulnerabilities by Action |
attack |
select ( case when action_flag = 1 then & #039;Allow' when action_flag=2 then 'Reset' else 'Block' end) as action, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by action order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-Application-Vulnerability-by-Risk-Level |
Top Application Vulnerabilities by Risk Level |
attack |
select attack, attackid, vuln_type, cve, ( case when severity =& #039;critical' then 5 when severity='high' then 4 when severity='medium' then 3 when severity='low' then 2 when severity='info' then 1 else 0 end) as severity_number, count(distinct (CASE WHEN direction='incoming' THEN srcip ELSE dstip END)) as victims, count(distinct (CASE WHEN direction='incoming' THEN dstip ELSE srcip END)) as sources, sum(case when action_flag=3 then totalnum else 0 end) as total_block, sum(case when action_flag!=3 then totalnum else 0 end) as total_allow, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by attack, attackid, vuln_type, severity_number, cve order by severity_number desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-Application-Vulnerability-Sources |
Top Application Vulnerability Sources |
attack |
select srcip, srccountry, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name where srcip is not null group by srcip, srccountry order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-Application-Vulnerability-Destinations |
Top Application Vulnerability Destinations |
attack |
select dstip, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by dstip order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Malware-Types-by-Occurrences |
Malware Types by Occurrences |
traffic |
select ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, virus, app, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, dstip, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null and virus is not null group by timestamp, virus, app, user_src, srcip, dstip, action_flag order by sessions desc)### t group by malware_type order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Malware-Actions-by-Occurrences |
Malware Actions by Occurrences |
traffic |
select ( case when action_flag = 1 then & #039;Block' when action_flag=2 then 'Allow' else 'Reset' end) as action, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, virus, app, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, dstip, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null and virus is not null group by timestamp, virus, app, user_src, srcip, dstip, action_flag order by sessions desc)### t where action_flag>0 group by action order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-Malwares-by-Occurrences |
Top Malwares by Occurrences |
traffic |
select virus, ( case when virus like & #039;Riskware%' then 'Spyware' when virus like 'Adware%' then 'Adware' else 'Virus' end) as malware_type, count(distinct srcip) as victims, count(distinct dstip) as sources, sum(session_block) as session_block, sum(sessions)-sum(session_block) as session_pass, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, virus, app, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, dstip, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null and virus is not null group by timestamp, virus, app, user_src, srcip, dstip, action_flag order by sessions desc)### t group by virus, malware_type order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-Malware-Victims-by-Occurrences |
Top Malware Victims by Occurrences |
traffic |
select user_src, sum(sessions) as sessions from ###(select $flex_timestamp as timestamp, virus, app, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, dstip, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null and virus is not null group by timestamp, virus, app, user_src, srcip, dstip, action_flag order by sessions desc)### t where user_src is not null group by user_src order by sessions desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Second-Stage-Timeline |
Cyber Kill Chain Second Stage Timeline |
traffic |
select $flex_timestamp(timestamp) as hodex, type, sum(totalnum) as totalnum from ( ( select timestamp, & #039;Application Vulnerabilities' as type, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and nullifna(attack) is not null and severity is not null group by timestamp, attack, attackid, severity, direction, dstip, srcip, srccountry, action_flag order by totalnum desc)### t1 left join (select name, cve, vuln_type from ips_mdata) t2 on t1.attack=t2.name group by timestamp, type order by totalnum desc) union all (select timestamp, 'Malware Detected' as type, sum(sessions) as totalnum from ###(select $flex_timestamp as timestamp, virus, app, (CASE WHEN utmaction='block' THEN 1 WHEN utmaction='allow' THEN 2 WHEN utmaction='reset' THEN 3 ELSE 0 END) as action_flag, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, srcip, dstip, sum((CASE WHEN (logflag&2>0) THEN 1 ELSE 0 END)) as session_block, sum(CASE WHEN (logflag&1>0) THEN 1 ELSE 0 END) as sessions from $log where $filter and (logflag&(1|32)>0) and nullifna(app) is not null and virus is not null group by timestamp, virus, app, user_src, srcip, dstip, action_flag order by sessions desc)### t group by timestamp, type order by totalnum desc)) t group by hodex, type order by hodex
Dataset Name |
Description |
Log Category |
---|---|---|
threat-CC-Domain-DNS-Resolutions-by-Severity |
DNS Resolutions for C&C Domain by Severity |
dns |
select sevid, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by sevid order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-CC-Domain-DNS-Resolutions-by-Action |
DNS Resolutions for C&C Domain by Action |
dns |
select action, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by action order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-CC-Domain-DNS-Resolution-Users-by-Attempts |
Top DNS Resolution for C&C Domain Users by Attempts |
dns |
select user_src, sum(total_num) as total_num from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by user_src order by total_num desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-CC-Sites-Connections-by-Severity |
Connections to C&C Sites by Severity |
attack |
select severity, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, severity, service, dstip, srcip, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and subtype = 'ips' and nullifna(attack) is not null and severity is not null group by timestamp, attack, user_src, severity, service, dstip, srcip, action_flag order by totalnum desc)### t group by severity order by severity desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-CC-Sites-Connections-by-Action |
Connections to C&C Sites by Action |
attack |
select ( case when action_flag = 1 then & #039;Allow' when action_flag=2 then 'Reset' else 'Block' end) as action, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, severity, service, dstip, srcip, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and subtype = 'ips' and nullifna(attack) is not null and severity is not null group by timestamp, attack, user_src, severity, service, dstip, srcip, action_flag order by totalnum desc)### t group by action order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-CC-Sites-Connections-by-Risk-Level |
Top Connections to C&C Sites by Risk Level |
attack |
select severity, attack, sum( case when action_flag != 3 then totalnum else 0 end ) as total_allow, sum( case when action_flag = 3 then totalnum else 0 end ) as total_block, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, severity, service, dstip, srcip, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and subtype = 'ips' and nullifna(attack) is not null and severity is not null group by timestamp, attack, user_src, severity, service, dstip, srcip, action_flag order by totalnum desc)### t group by severity, attack order by severity desc, totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-CC-Sites-Users-by-Occurrences |
Top Connection to C&C Sites Users by Occurrences |
attack |
select user_src, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, severity, service, dstip, srcip, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and subtype = 'ips' and nullifna(attack) is not null and severity is not null group by timestamp, attack, user_src, severity, service, dstip, srcip, action_flag order by totalnum desc)### t group by user_src order by totalnum desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Top-Successful-CC-Sites-Connections-by-Risk-Level |
Top Successful Connections to C&C Sites by Risk Level |
attack |
select severity, attack, service, count(distinct srcip) as sources, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, severity, service, dstip, srcip, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and subtype = 'ips' and nullifna(attack) is not null and severity is not null group by timestamp, attack, user_src, severity, service, dstip, srcip, action_flag order by totalnum desc)### t where action_flag = 1 group by severity, attack, service order by severity desc
Dataset Name |
Description |
Log Category |
---|---|---|
threat-Third-Stage-Timeline |
Cyber Kill Chain Third Stage Timeline |
traffic |
select $flex_timestamp(timestamp) as hodex, type, sum(totalnum) as totalnum from ( ( select timestamp, & #039;DNS Resolutions for C&C Domains' as type, sum(total_num) as totalnum from ###(select $flex_timestamp as timestamp, coalesce(botnetdomain, ipstr(botnetip)) as domain, qname, cast('Botnet C&C' as char(32)) as malware_type, (case when action='block' then 'Blocked' when action='redirect' then 'Redirected' else 'Passed' end) as action, srcip, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, (CASE WHEN level IN ('critical', 'alert', 'emergency') THEN 5 WHEN level='error' THEN 4 WHEN level='warning' THEN 3 WHEN level='notice' THEN 2 ELSE 1 END) as sevid, coalesce(botnetdomain, ipstr(botnetip)) as sources_s, count(*) as total_num from $log-dns where $filter and (botnetdomain is not null or botnetip is not null) group by timestamp, domain, qname, action, srcip, user_src, sevid order by sevid desc)### t group by timestamp, type order by totalnum desc) union all (select timestamp, 'Connections to C&C Sites' as type, sum(totalnum) as totalnum from ###(select $flex_timestamp as timestamp, attack, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_src, severity, service, dstip, srcip, (case when action in ('clear_session', 'pass_session') then 1 when action in ('reset', 'reset_client', 'reset_server') then 2 else 3 end) as action_flag, count(*) as totalnum from $log-attack where $filter and subtype = 'ips' and nullifna(attack) is not null and severity is not null group by timestamp, attack, user_src, severity, service, dstip, srcip, action_flag order by totalnum desc)### t group by timestamp, type order by totalnum desc)) t group by hodex, type order by hodex