From b1709f3ea3c829b9e3955c1d369d5e85eb88513f Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 21 Dec 2022 15:28:41 -0500
Subject: [PATCH] Improve Firewall dashboard
---
salt/soc/files/soc/dashboards.queries.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 8dd5d4a74..9fdad60eb 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -60,5 +60,5 @@
 { "name": "ICS OPC UA", "description": "OPC UA (Unified Architecture) network metadata", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS Profinet", "description": "Profinet (Process Field Network) network metadata", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS S7", "description": "S7 (Siemens) network metadata", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
+ { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
 ]
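Review bot: The new Sankey on the added Firewall line links only `rule.action` to `interface.name`, so it shows which interface allowed or blocked traffic but nothing about the traffic itself; an analyst still has to read the separate tables after it to see what was blocked. The ICS entries in the same hunk use three-field Sankeys, so a third low-cardinality field already present in this query could be appended, e.g. `groupby -sankey rule.action interface.name network.transport`. Whether every firewall event carries `interface.name` is not visible from this hunk; if some log sources omit it, confirm how those events are represented in the Sankey before relying on it for triage.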