RSA Admin

Report to show count of unique combinations

Discussion created by RSA Admin Employee on Sep 5, 2008
Latest reply on Sep 5, 2008 by RSA Admin

Hi folks,

I've been having some difficulties trying to setup a report that will only show a count of unique combinations of two fields.  Doing a count works for one field, but I can't seem to combine it to show combinations of two fields.

 

For instance, I would like to create a report that will dump all incoming firewall traffic, but show a distinct count of how many attacks were from the same source on the same port.  I can do a count(ForeignAddress) to get a count of how many attacks came from each source, and I can do a count(LocalPort) to see how many attacks were directed at a certain port, but I would like to do a count of both in tandem with each other.

 

Here is some sample data:

DATE             FOREIGNADDRESS         PORT 

2008/09/04     1.1.1.1                      25

2008/09/04     1.1.1.1                      25

2008/09/04     1.1.1.1                      443

2008/09/04     2.2.2.2                      53

2008/09/04     2.2.2.2                      53 

2008/09/04     3.3.3.3                      25

2008/09/04     3.3.3.3                      25

 

I would want the report to show:

FOREIGNADDRESS         PORT           COUNT

1.1.1.1                       25                2

1.1.1.1                       443              1

2.2.2.2                       53                2

3.3.3.3                       25                2

 

Is this something that is doable?

Thanks in advance!

Bash

Outcomes