


DNS RPZ Hits by Clients (Drilldown)

RPZ Hits by Client report with drilldown. HTH.


 

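<form>
  <!-- Splunk SimpleXML dashboard: top-N DNS RPZ hits per client over the selected
       time range, with a row drilldown that lists the domains the chosen client hit.
       Every search reads index=ib_dns_summary report=si_dns_rpz_hits and is bounded
       by the $time$ input. -->
  <label>DNS RPZ Hits by Clients (Drilldown)</label>
  <description></description>
  <fieldset submitButton="true" autoRun="true">
    <!-- $time.earliest$ / $time.latest$ bound the two panel searches and both
         input-populating searches. -->
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1w</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- $topn$ is the row limit applied by "| head" in the first panel. -->
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>100</default>
      <initialValue>100</initialValue>
    </input>
    <!-- $members$ expands to (orig_host="a" OR orig_host="b" ...); the "All" choice
         yields (orig_host="*"). Choices are populated from the same index/report. -->
    <input type="multiselect" token="members">
      <label>Members</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <!-- Free-text CLIENT filter. "All" (the default) disables the filter by setting
         $client_str$ to a bare "*"; any other text becomes a quoted CLIENT term.
         The |s filter quotes the value and escapes embedded quotation marks so
         text typed here cannot break out of the CLIENT="..." term and malform the
         search; wildcards such as *10.120.20.* still match inside the quotes. -->
    <input type="text" token="client">
      <label>Client (e.g. *10.120.20.*)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="client_str">*</set>
        </condition>
        <condition value="*">
          <set token="client_str">(CLIENT=$value|s$)</set>
        </condition>
      </change>
    </input>
    <!-- DNS view filter; same All / specific-value pattern as the client filter.
         Dropdown values come from display_name in the same index/report. -->
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str">*</set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">(display_name=$value|s$)</set>
        </condition>
      </change>
      <default>All</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Panel 1: top-N clients by RPZ hit count. "stats count by CLIENT" emits rows
           ordered by CLIENT, not by count, so the results are sorted by count
           descending before "head" truncates them - otherwise "Top N" would return
           the first N clients alphabetically. -->
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
            $members$
            $client_str$
            $dns_view_str$
            | stats count by CLIENT
            | sort - count
            | head $topn$
            | rename CLIENT as "Client ID", count as "Total Client Hits"
            | table "Client ID", "Total Client Hits"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <!-- Clear the drilldown selection whenever this search re-runs, so the
               detail panel below does not keep showing a client from a previous
               time range or filter set. -->
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <!-- Row click stores the clicked Client ID; the detail panel depends on it. -->
        <drilldown>
          <set token="conditional_value">$row.Client ID$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Panel 2: domains hit by the selected client. Hidden until a row in panel 1
           is clicked. The CLIENT value is quoted with |s at the point of use so a
           client string containing spaces or quotes does not malform the search.
           NOTE(review): this search is not restricted by $members$ or $dns_view_str$,
           so its totals can exceed the per-client count shown in panel 1 - confirm
           whether that is intended. -->
      <table depends="$conditional_value$">
        <title>RPZ Events for Client ID=$conditional_value$</title>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits DOMAIN_NAME=* CLIENT=$conditional_value|s$
            | stats count by DOMAIN_NAME
            | rename DOMAIN_NAME as "Domain Name", count as "Total Client Hits"
            | table "Domain Name", "Total Client Hits"
            | sort "Total Client Hits" desc</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>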

 
