I trying create a view. on that view I need to use pie chart with query like this
((Normalized ID = 674234368,537919488,547356672) and (destination ip = 10.10.10.0/24,10.30.10.0/24,10.1.1.21)) or (normalized ID = 805306368,675282944))
Can you help me with logical operation, on the query wizard ?
Hmm...I would probably write a correlation rule (assuming you have an ACE or one of the multi-function units), then filter the view to just show the signature ID of the correlation hit.