-1w now 5 10 20 50 10 3 5 10 3 >=0
``` Panel: Malicious Activity by Client. Reads the si_dns_rpz_hits summary index and lists the clients with the most RPZ (DNS firewall) hits, their busiest blocked domains and the time of their last hit. Search-time comments need Splunk 8.0 or later. ```
``` The three leading evals turn a null RECORD_DATA, RPZ_QNAME or RPZ_SEVERITY into an empty string, presumably so that rows missing one of them are not dropped by the first stats by-clause. The averaged COUNT from that stats is never used afterwards, so its only effect is to collapse duplicate summary rows per time, host, view, client, domain and rule. ```
``` Second stats: hit total and latest time per CLIENT and DOMAIN_NAME; eventstats then rolls those up per CLIENT. The where clause applies the hit_count token verbatim, so the token must contain both an operator and a value (the form default is >=0); a value outside the dropdown choices, for example one supplied through the URL form parameters, changes the search text itself rather than only the threshold. ```
``` sort is used without a count argument, which by default returns at most 10000 rows; on a busy deployment the per-client/per-domain rows beyond that cut are silently lost before dedup and head run. dedup keeps the first topn_domains rows per CLIENT after the sort, i.e. that client's busiest domains; the field name TOP3_DOMAINS is a misnomer whenever the token is not 3. ```
``` dnslookup is the external lookup bundled with Splunk that performs a reverse DNS query per CLIENT at search time; clients with no PTR answer get clienthost unknown, and the hostname is appended to the Client ID column. ```
``` This export carries the search twice: the first copy ends in a fields command that keeps only Client ID and # Hits, the second ends at the table command; they are otherwise identical. The time.earliest and time.latest tokens after each copy are the panel's time-range attributes, not part of the search. ```
Malicious Activity by Client index=ib_dns_summary report=si_dns_rpz_hits | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA) | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME) | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY) | stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA | stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME | eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT | sort -CLIENT_COUNT_BY_DOMAIN | where TOTAL_CLIENT_COUNT $hit_count$ | dedup $topn_domains$ CLIENT | eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT | dedup CLIENT | sort -TOTAL_CLIENT_COUNT | head $topn_clients$ | convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE | lookup dnslookup clientip AS CLIENT | fillnull value="unknown" clienthost | eval CLIENT = CLIENT." / ".clienthost | rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active" | table "Client ID" "# Hits" "Domains" "Last Active" | fields "Client ID" "# Hits" $time.earliest$ $time.latest$ Malicious Activity by Client index=ib_dns_summary report=si_dns_rpz_hits | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA) | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME) | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY) | stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA | stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME | eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT | sort -CLIENT_COUNT_BY_DOMAIN | where TOTAL_CLIENT_COUNT $hit_count$ | dedup $topn_domains$ CLIENT | eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT | dedup CLIENT | sort 
-TOTAL_CLIENT_COUNT | head $topn_clients$ | convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE | lookup dnslookup clientip AS CLIENT | fillnull value="unknown" clienthost | eval CLIENT = CLIENT." / ".clienthost | rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active" | table "Client ID" "# Hits" "Domains" "Last Active" $time.earliest$ $time.latest$
``` Panel: Top DNS Firewall Hits. Sums TOTAL_COUNT per RPZ rule (RPZ_QNAME within its DOMAIN_NAME feed zone) from the si_dns_rpz_hits summary index and shows the busiest rules with a description. Search-time comments need Splunk 8.0 or later. ```
``` The where clause applies the hit_count token verbatim, so the token must carry both an operator and a value (form default >=0); a value outside the dropdown choices, e.g. one set through the URL form parameters, alters the search text rather than only the threshold. The head limit is driven by the topn_clients token even though it limits rules here, so the form label and the behaviour do not match. ```
``` ALL_HIT_COUNT is computed by eventstats after head, so the Percentage column is each rule's share of the displayed top-N rows only, not of all RPZ hits in the time range. ```
``` FEED_ZONE drops DOMAIN_NAME plus one separator character from the front of RPZ_QNAME; this assumes RPZ_QNAME always begins with DOMAIN_NAME followed by a dot -- confirm against the summary data, since a rule name that does not follow that layout yields a wrong zone and therefore no TSIG_KEY match. ```
``` rpz_feed_tsig_key_lookup maps the feed zone to TSIG_KEY, which is then passed as an argument to the addthreatstopdetails custom command. If that lookup column holds key material rather than a key name, it is readable by anyone who can run this dashboard or open the lookup -- confirm what the lookup stores. Rules with no lookup match get TSIG_KEY set to the literal string None. ```
Top DNS Firewall Hits index=ib_dns_summary report=si_dns_rpz_hits | fields RPZ_QNAME TOTAL_COUNT DOMAIN_NAME | stats sum(TOTAL_COUNT) as RPZ_HIT_COUNT by RPZ_QNAME, DOMAIN_NAME | where RPZ_HIT_COUNT $hit_count$ | sort -RPZ_HIT_COUNT | head $topn_clients$ | eventstats sum(RPZ_HIT_COUNT) as ALL_HIT_COUNT | eval RPZ_HIT_PCT = round(RPZ_HIT_COUNT * 100 / ALL_HIT_COUNT, 2) | eval FEED_ZONE = substr(RPZ_QNAME, len(DOMAIN_NAME) + 2, len(RPZ_QNAME)) | lookup rpz_feed_tsig_key_lookup RPZ_FEED_ZONE AS FEED_ZONE OUTPUT TSIG_KEY | eval TSIG_KEY=if(isnull(TSIG_KEY),"None",TSIG_KEY) | addthreatstopdetails TSIG_KEY rpzorip RPZ_QNAME | rename RPZ_QNAME as "RPZ Rule", RPZ_HIT_PCT as "Percentage", RPZ_HIT_COUNT as "# Hits", public_description as "Description" | table "RPZ Rule" "Percentage" "# Hits" "Description" $time.earliest$ $time.latest$