Although synthetic trace events are at a higher level than the raw events, they are still not enough to track down a system problem or a network attack, especially for a multi-phase attack in which the system faces many hours of attack and therefore produces a huge volume of "abstract" events!
So what we need is a higher-level view that shows an overview of the whole trace. A statistics view can be used for this purpose. The statistics view should show a number of system metrics for the whole trace and also for a specific range of the trace. These metrics can be the number of low-level events, the number of high-level events per resource (i.e. per process or per file), as well as per group of resources or per machine. For example, assume that we have a "stat view" that shows a chart of the "number of TCP connections" for the whole trace and for any time range of the trace. With this chart and other similar charts, we can jump straight to the abnormal parts of the trace and study what happened there by reading the abstract/raw events.
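As an added illustration (not the prototype's code, and independent of the "states system"), here is how such a statistics view can answer "how many TCP connections in this time range?" and pick out the ranges worth opening first. The event list is a constructed sample; the bucket width and the "3x the mean" rule are assumptions chosen for the example.

```python
import bisect
from collections import Counter

# Constructed sample, not real trace data: abstract "TCP connection" events
# recovered from a trace, as (timestamp, process) pairs.
TCP_CONNECT_EVENTS = [
    (1_000, "sshd"), (2_500, "nginx"), (3_000, "nginx"),
    (7_000, "sshd"), (7_100, "sshd"), (7_200, "sshd"), (7_300, "sshd"),
    (7_400, "sshd"), (7_500, "sshd"), (9_800, "nginx"), (12_000, "sshd"),
]

class TraceStats:
    """Counts of one abstract event type over the whole trace and over any
    time range. Sorted timestamps make a range query two binary searches."""

    def __init__(self, events):
        events = sorted(events)
        self.timestamps = [ts for ts, _ in events]
        self.resources = [res for _, res in events]

    def _bounds(self, start, end):
        lo = bisect.bisect_left(self.timestamps, start)
        hi = bisect.bisect_left(self.timestamps, end)
        return lo, hi

    def count_in_range(self, start, end):
        """Events with start <= timestamp < end (whole trace: pass its span)."""
        lo, hi = self._bounds(start, end)
        return hi - lo

    def count_per_resource(self, start, end):
        """Same range, broken down per process (the 'per resource' metric)."""
        lo, hi = self._bounds(start, end)
        return Counter(self.resources[lo:hi])

    def histogram(self, width):
        """Count per fixed-width bucket across the trace: the chart's bars."""
        if not self.timestamps:
            return []
        first, last = self.timestamps[0], self.timestamps[-1]
        start, buckets = first - first % width, []
        while start <= last:
            buckets.append((start, self.count_in_range(start, start + width)))
            start += width
        return buckets

    def abnormal_buckets(self, width, factor=3.0):
        """Buckets more than `factor` times the mean count: the parts of the
        trace to jump to and read the abstract/raw events (assumed rule)."""
        hist = self.histogram(width)
        mean = sum(c for _, c in hist) / len(hist) if hist else 0
        return [(s, c) for s, c in hist if c > factor * mean]
```

With the sample above, `abnormal_buckets(2000)` singles out the bucket starting at 7000 ns, where six connections land within 500 ns.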
Last week I was working on the statistics view and trying to develop a prototype of it. Of course, this statistics view uses the "states system".