Hi, Below is the dashboard query which works fine for EC2 Port Probe events but rest of the events are not displayed in the dashlet. when we check open in search option, we find events in the event...
See more...
Hi, Below is the dashboard query which works fine for EC2 Port Probe events but rest of the events are not displayed in the dashlet. when we check open in search option, we find events in the event column and not in statistics after changing the mode from fast to verbose. please help here. index="aws_generic" source="aws.guardduty" detail.type=Discovery:S3/AnomalousBehavior* | eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S") | rex field=host (?<service>.*):(?<cloudprovider>.*):(?<region>.*):(?<cluster>.*):(?<role>.*):(?<stagingarea>.*) | stats sparkline(count) as history max(newtime) as "event time" by stagingarea detail.region detail.type detail.severity detail.description detail.accountId detail.id | eval times=mvindex(times, 0, 2) | sort - "event time" detail.severity | table "event time","detail.accountId","detail.region","detail.severity","history","detail.type","detail.description" | rename "event time" as "Event Time","detail.accountId" as "AWS Account ID","detail.region" as "AWS Region","detail.type" as "Finding Type","detail.severity" as "Severity","history" as "Event History","detail.description" as "Description"