    Data grouping in view/report


      Hi all,


      I was just wondering if the following is possible to accomplish with McAfee SIEM, as I can't see an immediate solution... I'd like to do a network traffic log analysis where the result will be the number of events grouped by src IP, dst IP and dst port. See screenshot for clarification. Currently I'm doing that with an open source reporting tool but would be happier if I could do it with the SIEM.


      Any ideas?

        • 1. Re: Data grouping in view/report

          You can use the binding in the views to have everything pivot off one of the attributes, like Source IP. This way, if you click on any source IP, you will see all the destination IPs and ports. Additionally, you can add an event table component with the fields you mentioned outside of the % field.

          • 2. Re: Data grouping in view/report

            Thank you for your answer. I'm aware of that, but that is not the solution I'm looking for. I'd like to get an output that I only seem to be able to get directly from the database. Something like:

            select count(*), SrcIP, DstIP, DstPort
            from Alert
            -- restrict to the most recent 10000 rows (by id)
            where id > (select max(id) - 10000 from Alert)
              and DstPort > 0
            group by SrcIP, DstIP, DstPort
            order by count(*) desc
            limit 10

            gives me the result. Can this be done in GUI?



            Kind regards
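The aggregation asked for in this thread (event count grouped by source IP, destination IP and destination port, most recent N rows only, top 10), as an added example that is not part of the original posts and not McAfee's code. It loads a constructed set of events into an in-memory SQLite table with the same table and column names the poster's query uses (Alert, SrcIP, DstIP, DstPort), runs that query with the window and limit as parameters, and computes the same top-N in plain Python so the two results can be compared. The sample rows are made up for the example, and the DstPort = 0 rows are there to show what the "DstPort > 0" filter drops.

```python
import sqlite3
from collections import Counter

# Constructed sample events (not real SIEM data): (SrcIP, DstIP, DstPort).
# Repeated tuples give distinct group counts; the DstPort=0 rows at the end
# stand in for port-less (e.g. ICMP) records that the query must filter out.
SAMPLE_EVENTS = (
    [("10.0.0.5", "192.168.1.10", 443)] * 6
    + [("10.0.0.5", "192.168.1.10", 80)] * 4
    + [("10.0.0.7", "192.168.1.20", 22)] * 3
    + [("10.0.0.9", "192.168.1.30", 53)] * 1
    + [("10.0.0.5", "192.168.1.10", 0)] * 5
)

# The poster's query, with the table/column names they used. The row window
# and the top-N limit are bound as parameters instead of hard-coded.
TOP_TALKERS_SQL = """
select count(*) as n, SrcIP, DstIP, DstPort
from Alert
where id > (select max(id) - :window from Alert)
  and DstPort > 0
group by SrcIP, DstIP, DstPort
order by n desc
limit :top
"""


def build_db(events):
    """Load events into an in-memory Alert table shaped the way the query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Alert ("
        "id integer primary key autoincrement, "
        "SrcIP text, DstIP text, DstPort integer)"
    )
    conn.executemany(
        "insert into Alert (SrcIP, DstIP, DstPort) values (?, ?, ?)", events
    )
    conn.commit()
    return conn


def top_talkers_sql(conn, window=10000, top=10):
    """Run the grouped query; returns [(count, SrcIP, DstIP, DstPort), ...] by count desc."""
    return conn.execute(TOP_TALKERS_SQL, {"window": window, "top": top}).fetchall()


def top_talkers_python(events, window=10000, top=10):
    """Same aggregation done in Python over the last `window` events, for comparison."""
    recent = events[-window:]
    counts = Counter((src, dst, port) for src, dst, port in recent if port > 0)
    return [(n, src, dst, port) for (src, dst, port), n in counts.most_common(top)]


if __name__ == "__main__":
    db = build_db(SAMPLE_EVENTS)
    for row in top_talkers_sql(db):
        print(row)
```

The window is defined by id rather than by timestamp, exactly as in the posted query, so it means "the last N inserted rows", not "the last N minutes"; if ids are not strictly increasing with time in the real table, a timestamp column is the safer bound.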