Please check out this awesome video by Kara for a training session on views: "Creating views within the ESM".
To your specific question though:
1. Create a new view or edit an existing one.
2. Drag out the component you would like to display the data (bar/pie/table).
3. Select Source IPs, click Next.
4. Click Filters. Type Source IP into the bottom box if you don't see the field.
5. Click the Filter Display list icon at the end of the field.
6. Click the Watchlists tab and select your watchlist.
7. Click OK and finish.
8. You can repeat with another component and Destination IPs or use OR in your filter.
Appreciate your quick response. I am stuck at the filter option. Can I fulfill the below conditions using a filter to display results in a single window?
1) Display Source IP if destination matches with WL
2) Display Destination IP if Source IP matches with WL
What I need is only IPs to be displayed over there. Thanks again
Yes. This is what my second screenshot is showing you. Use the OR flags at the end of the fields.
I tried that and it is giving me the list of IPs which are there in the watchlist.
Ex: it is displaying the source IP name which matches with WL, whereas I need the destination IP (which is ours) in this case.
In that case, while in the View Editing mode, you can go to the top left drill down menu on the component filtering for your watchlist and drill down to Event Drilldown | Network | Destination IPs and another component will be created and bound to the first. All of the IPs will be in the list and you can select an IP from the original component to drill down to the specific Destination IP addresses. You can drill down to additional fields in the same way to build out your dashboard.
It worked. Thanks a lot
It is displaying all aggregated events in the dashboard instead of only events which have a match with my WL. So, the count it is showing is wrong. Can you please help me on how to get only the required events?
Ex: It is showing event count as 50. When I drill down, there is only one event which has match with WL.
When I drill down to the first row 312, it is showing me all the events as you see below (of course one of those events is actually what I need where it matches with WL).
Please let me know. Thanks in advance.