
Endpoint Detection Visualizations

Severity Resources & Threat Breakdown


The Severity Resources & Threat Breakdown report is a pie visualization of resources broken down by severity and threat category. The innermost ring shows the severity; the middle ring shows the assets within each severity; the outer ring shows the threat category.

example visualization
  1. In AMP, go to the Log Search screen to access ChaosSearch.

  2. Click on Visualizations

    chaossearch nav menu
  3. Click the Create new visualization button.

    create new visualization
  4. In the New Visualization pop up, select the Pie visualization option.

    select pie visualization
  5. Choose a source.

  6. Log Search will refresh to display the query screen. From here, the visualization can be configured.

    visualization editor
  7. Click Add filter.

    add filter button
  8. Populate the following filters (Case sensitive):

     Field           Operator    Value                    Note
     type            is          carbon-black
     event.type      is one of   WATCHLIST, CB_ANALYTICS
     Data_type       is          armor-security-logs
     event.severity  is one of   8, 9, 10                 Optional if you want to filter higher severities

  9. Three buckets (severity, asset and threat category, one per ring) are needed to configure this visualization. Under Buckets, click the Add button, making sure to select split slices.

  10. In the Aggregation drop down, select Terms.

  11. In the Field box, enter "event.severity" or search for it.

  12. Order by, Order and Size should all remain with their default values. Properly configured, the first bucket will look like the screenshot below:

  13. To add the second bucket, click the Add button underneath Buckets, making sure to select split slices.

  14. In the Sub aggregation dropdown, select Terms.

  15. In the Field box, enter "external_id" to select it. (external_id is the same as CoreInstanceId.)

  16. Order by, Order and Size will be set to default. Properly configured, the second bucket will look like the screenshot below:

    bucket configuration
  17. To add the third bucket, click the Add button underneath Buckets, making sure to select split slices.

  18. In the Sub aggregation dropdown, select Terms.

  19. In the Field box, enter "threat.blocked_threat_category" to select it.

  20. Order by, Order and Size will be set to default. Properly configured, the third bucket will look like the screenshot below:

    bucket configuration
  21. Optional: if you want to display labels on the slices, click the Options tab.

  22. When all buckets are configured, click the Apply Changes button.

    apply changes button
  23. Set the date range for the visualization.

    1. If the range encompasses more than one report, an additional filter with the report id can be added.

      date range filter
  24. Save the visualization by clicking Save in the top left of the screen.

    save button

    Users can view previous visualizations by clicking Visualizations and selecting the desired visualization from the list.
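The same filters and three nested "split slices" buckets, written out as a search request body instead of clicks. This is an added example, not code from the original page or from Armor or ChaosSearch; it assumes the log store accepts Elasticsearch-style query DSL and terms aggregations, and the sample response at the bottom is constructed, not captured data.

```python
from typing import Any

# Optional filter from step 8, applied only when high_severity_only=True.
SEVERITY_FILTER = {"terms": {"event.severity": [8, 9, 10]}}


def breakdown_body(high_severity_only: bool = False, size: int = 5) -> dict[str, Any]:
    """Search body with the page's filters and its three nested terms buckets."""
    filters = [
        {"term": {"type": "carbon-black"}},  # filter values are case sensitive
        {"terms": {"event.type": ["WATCHLIST", "CB_ANALYTICS"]}},
        {"term": {"Data_type": "armor-security-logs"}},
    ]
    if high_severity_only:
        filters.append(SEVERITY_FILTER)
    # Nesting order is the ring order: severity (inner), asset (middle), category (outer).
    category = {"terms": {"field": "threat.blocked_threat_category", "size": size}}
    asset = {"terms": {"field": "external_id", "size": size}, "aggs": {"category": category}}
    severity = {"terms": {"field": "event.severity", "size": size}, "aggs": {"asset": asset}}
    return {"size": 0, "query": {"bool": {"filter": filters}}, "aggs": {"severity": severity}}


def flatten(resp: dict[str, Any]) -> list[tuple[Any, str, str, int]]:
    """Walk the nested buckets into (severity, external_id, category, count) rows."""
    rows = []
    for sev in resp["aggregations"]["severity"]["buckets"]:
        for asset in sev["asset"]["buckets"]:
            for cat in asset["category"]["buckets"]:
                rows.append((sev["key"], asset["key"], cat["key"], cat["doc_count"]))
    return rows


# Constructed sample response (not real data), shaped like a terms-aggregation reply.
SAMPLE_RESPONSE = {"aggregations": {"severity": {"buckets": [
    {"key": 10, "doc_count": 3, "asset": {"buckets": [
        {"key": "asset-1", "doc_count": 2,
         "category": {"buckets": [{"key": "example-category-1", "doc_count": 2}]}},
        {"key": "asset-2", "doc_count": 1,
         "category": {"buckets": [{"key": "example-category-2", "doc_count": 1}]}},
    ]}},
    {"key": 8, "doc_count": 1, "asset": {"buckets": [
        {"key": "asset-1", "doc_count": 1,
         "category": {"buckets": [{"key": "example-category-1", "doc_count": 1}]}},
    ]}},
]}}}

if __name__ == "__main__":
    for row in flatten(SAMPLE_RESPONSE):
        print(row)
```

Each flattened row corresponds to one outer-ring slice, so summing the counts per severity reproduces the inner ring.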

