01-19-2016 11:25 AM
This search shows which networks were blocked by DNS Firewall and a description why it was blocked.
It helps to identify false positives. E.g. on the attached screenshot you can see a lot of networks (/10-/16) were blocked on the cnc-driveby feed. It looks suspicious.
Actually it is not a report/dashboard but provides a table view, and it is very simple to convert it to a report/dashboard.
And also it shows how easily you can dig/mine/analyse data in Splunk.
index=ib_dns_summary source="si-search-dns-rpz-hits"
| rex field=RPZ_QNAME "^(?<CIDR>[1-9]|[12][0-9]|3[0-2])\.(?<ip4>\d+)\.(?<ip3>\d+\.)(?<ip2>\d+\.)(?<ip1>\d+\.)[^\.]+\.(?<feed>.*)"
| search CIDR>0
| eval NET=ip1.ip2.ip3.ip4."/".CIDR
| table feed, RPZ_QNAME, NET, CIDR, TOTAL_COUNT
| stats sum(TOTAL_COUNT) as Hits by feed, RPZ_QNAME, NET, CIDR
| sort CIDR, -Hits
| addthreatstopdetails rpzorip RPZ_QNAME
| table feed, RPZ_QNAME, NET, CIDR, Hits, short_description, public_description
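To make explicit what the rex in that search is undoing, here is an added Python parser for the reversed-address RPZ trigger format (example code, not the post's SPL and not Infoblox or ThreatStop code): it rebuilds the network from each RPZ_QNAME, sums hits per feed and network, and lists the broad prefixes the post calls suspicious. The "rpz-ip" zone label, the feed name and the sample rows are constructed.

```python
import ipaddress
import re
from collections import defaultdict
# An RPZ IP-trigger name encodes the blocked network in reverse:
# "<prefixlen>.<o4>.<o3>.<o2>.<o1>.rpz-ip.<feed>", so 172.16.0.0/16 on feed
# "cnc-driveby" appears as "16.0.0.16.172.rpz-ip.cnc-driveby". Added example,
# not the post's SPL; the "rpz-ip" label and all sample names are constructed.
RPZ_IP_RE = re.compile(
    r"^(?P<cidr>\d{1,2})\.(?P<o4>\d{1,3})\.(?P<o3>\d{1,3})\.(?P<o2>\d{1,3})\.(?P<o1>\d{1,3})"
    r"\.rpz-ip\.(?P<feed>.+)$"
)

def parse_rpz_ip_qname(qname):
    """Return (feed, IPv4Network) for an rpz-ip trigger name, or None if it is not one."""
    m = RPZ_IP_RE.match(qname.rstrip("."))
    if not m:
        return None  # domain trigger or another zone: not an IP block
    cidr = int(m.group("cidr"))
    if cidr > 32:
        return None
    addr = ".".join(m.group(k) for k in ("o1", "o2", "o3", "o4"))
    try:
        # strict=False normalises host bits, e.g. 203.7.8.5/24 -> 203.7.8.0/24
        net = ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
    except ValueError:
        return None  # an octet above 255
    return m.group("feed"), net

def summarize_hits(rows, max_prefixlen=16):
    """Sum hits per (feed, network) and list the broad blocks (prefix <= max_prefixlen),
    shortest prefix first and most hits next, like the SPL 'sort CIDR, -Hits'."""
    totals = defaultdict(int)
    for qname, count in rows:
        parsed = parse_rpz_ip_qname(qname)
        if parsed:
            totals[parsed] += count
    broad = sorted(((feed, str(net), hits) for (feed, net), hits in totals.items()
                    if net.prefixlen <= max_prefixlen),
                   key=lambda r: (int(r[1].split("/")[1]), -r[2]))
    return {(feed, str(net)): hits for (feed, net), hits in totals.items()}, broad

# Constructed RPZ_QNAME / TOTAL_COUNT pairs as the summary index would hold them.
SAMPLE_ROWS = [
    ("32.9.8.7.203.rpz-ip.cnc-driveby", 5),
    ("16.0.0.16.172.rpz-ip.cnc-driveby", 120),
    ("16.0.0.16.172.rpz-ip.cnc-driveby", 30),
    ("10.0.0.0.10.rpz-ip.cnc-driveby", 40),
    ("malware.example.rpz-domain.cnc-driveby", 3),  # domain trigger, skipped
    ("33.1.1.1.1.rpz-ip.cnc-driveby", 2),  # impossible prefix length, skipped
]
```

Calling summarize_hits(SAMPLE_ROWS) returns the per-network totals and, as the broad list, the /10 and the /16 blocks in that order, which is the slice of the table a false-positive review would start from.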
01-25-2016 11:09 AM
The report checks if the customer's networks (registered in IPAM) are blacklisted in ThreatStop feeds.
<dashboard>
  <label>IPAM check blacklisting</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ib_ipam sourcetype="ib:ipam:network" | dedup NETWORK | rex field=address "^(?<ip1>\d+\.)(?<ip2>\d+\.)(?<ip3>\d+\.)(?<ip4>\d+)$" | eval REQ=cidr.".".ip4.".".ip3.ip2.ip1."rpz-ip.cnc.rpz.infoblox.local" | addthreatstopdetails rpzorip REQ | search short_description !="UNKNOWN" | table NETWORK, short_description, public_description</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>