Need your help! Is there any possibility that we can create a dashboard for AV-related issues or notables?
I was using the query below but could not get the exact results. Requesting your help to create a dashboard for AV-related alerts for the servers.
| tstats summariesonly=true
    max(_time) AS time
    values(Malware_Attacks.file_name) AS fileName
    values(Malware_Attacks.signature) AS signature
    from datamodel=Malware.Malware_Attacks
    by Malware_Attacks.event_description, Malware_Attacks.dest, Malware_Attacks.action
``` values() already returns multivalue fields, so no makemv is needed; strip the data model prefix from every field in one go ```
| rename Malware_Attacks.* AS *
``` drop rows whose description says the detection was already remediated (one alternation instead of four regex calls) ```
| regex event_description!="blocked|deleted|Cleaned|handled"
``` threat_handled is not returned by the tstats above, so the OR branch never keeps a row and these descriptions are always dropped; to keep unhandled ones, add Malware_Attacks.threat_handled to the by clause, which only works if your Malware data model carries that field ```
| where event_description!="Exploit Prevention Files/Process/Registry violation detected" OR threat_handled!=1
| where event_description!="Infected file found, access denied" OR threat_handled!=1
| search action!=handled event_description!=DLL* event_description!="Script security violation detected, AMSI would block"
``` show the epoch from max(_time) as a readable timestamp, newest first ```
| fieldformat time=strftime(time, "%Y-%m-%d %H:%M:%S")
| sort - time
| table time event_description dest fileName signature
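An added example (not from the original post, and not Splunk's or the poster's own dashboard) of a Simple XML dashboard built around this query: one tstats base search, a time picker, a text input for the server name, a table of unremediated detections, and a daily trend by signature. It assumes the accelerated Malware data model is populated with the event_description, dest, action, file_name and signature fields used in the question; the token names (tr, dest), the search id av_base and the panel layout are my choices. Because tstats does not return threat_handled, the two where clauses in the question that reference it always drop those descriptions, so the table panel excludes them directly in the search; if your data model carries threat_handled, add it to the by clause and restore the OR test.

```xml
<form version="1.1">
  <label>AV Notables by Server</label>
  <description>Unremediated malware detections from the accelerated Malware data model (added example; field names taken from the query in the question)</description>

  <!-- Base search: a single tstats call, post-processed by the table panel below -->
  <search id="av_base">
    <query>
| tstats summariesonly=true max(_time) AS time
    values(Malware_Attacks.file_name) AS fileName
    values(Malware_Attacks.signature) AS signature
    from datamodel=Malware.Malware_Attacks
    where Malware_Attacks.dest="$dest$"
    by Malware_Attacks.event_description Malware_Attacks.dest Malware_Attacks.action
| rename Malware_Attacks.* AS *
    </query>
    <earliest>$tr.earliest$</earliest>
    <latest>$tr.latest$</latest>
  </search>

  <fieldset submitButton="true">
    <input type="time" token="tr">
      <label>Time range</label>
      <default><earliest>-7d@d</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="dest">
      <label>Server (dest), wildcards allowed</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Unremediated detections</title>
      <table>
        <search base="av_base">
          <!-- Post-process: drop remediated and noise descriptions, newest first -->
          <query>
| regex event_description!="blocked|deleted|Cleaned|handled"
| search action!=handled event_description!=DLL*
    event_description!="Exploit Prevention Files/Process/Registry violation detected"
    event_description!="Infected file found, access denied"
    event_description!="Script security violation detected, AMSI would block"
| fieldformat time=strftime(time, "%Y-%m-%d %H:%M:%S")
| sort - time
| table time dest event_description fileName signature
          </query>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Detections per day by signature</title>
      <chart>
        <!-- Separate tstats so the trend is bucketed by _time rather than by max(_time) -->
        <search>
          <query>
| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks
    where Malware_Attacks.dest="$dest$"
    by _time span=1d Malware_Attacks.signature
| timechart span=1d sum(count) AS detections by Malware_Attacks.signature
          </query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>
</form>
```

Save this as a new dashboard in Splunk Web (Dashboards, Create New Dashboard, then switch to Source and paste). The base search runs once per load and the table is a cheap post-process on it; the trend panel needs its own tstats because the base search collapses each host/description pair to a single max(_time), which cannot be bucketed into days.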