topic Re: having stats count and stats values combined in Dashboards & Visualizations

having stats count and stats values combined

Merryvor — Fri, 06 Sep 2024 16:13:17 GMT

Hello,

I'm trying to obtain a table like this :

FQDN	uri	list of attack_types	attack_number
www.test.com	/index	Information Leakage Path Traversal	57
www.test.com	/test	Path Traversal	30
prod.com	/sample	Abuse of Functionality Forceful Browsing Command Execution	10

I can obtain the table without the list of attack_types, but I can't figure out how to add the values function.

| stats count as attack_number by FQDN,uri | stats values(attack_type) as "Types of attack"

For each FQDN/uri I want to have the number of attacks, and all the attack_types seen.

It seems obvious, but I'm missing it.

Can someone help me ?

bowesmana — Fri, 06 Sep 2024 16:15:12 GMT

Just put the

values(attack_type) as "Types of attack"

into the first stats.

You can't do 2 stats like that as you don't have the attack_type anymore after the first stats

Merryvor — Fri, 06 Sep 2024 16:22:14 GMT

I actually tried this before

| stats count as attack_number by FQDN,uri values(attack_type) as "Types of attack"

but it didn't return anything.

However this is working :

| stats values(attack_type) as "Types of attack" count as attack_number by FQDN,uri

I guess this way the by clause applies to both count and values function.

seems logic now that I see it !

bowesmana — Fri, 06 Sep 2024 16:29:52 GMT

Yes, you're right - the logic for stats is stats - followed by as many aggregations you want and then the by clause.