Reply
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
DNS Firewall Executive Threat Report
Options
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
01-27-2016 07:59 AM
2015 
2
<form>
<label>DNS Firewall Executive Threat Report</label>
<description>System-created dashboard: Please clone before editing.</description>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time">
<label>Time</label>
<default>
<earliest>-1w</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="topn_clients">
<label>Top N Clients/Rules</label>
<choice value="5">5</choice>
<choice value="10">10</choice>
<choice value="20">20</choice>
<choice value="50">50</choice>
<default>10</default>
</input>
<input type="dropdown" token="topn_domains">
<label>Top N Domains</label>
<choice value="3">3</choice>
<choice value="5">5</choice>
<choice value="10">10</choice>
<default>3</default>
</input>
<input type="text" token="hit_count">
<label>Hit Count (eg: >10)</label>
<default>>=0</default>
</input>
</fieldset>
<row>
<panel>
<title>Malicious Activity by Client</title>
<chart>
<search>
<query>index=ib_dns_summary report=si_dns_rpz_hits
| eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
| stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA
| stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME
| eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT
| sort -CLIENT_COUNT_BY_DOMAIN
| where TOTAL_CLIENT_COUNT $hit_count$
| dedup $topn_domains$ CLIENT
| eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT
| dedup CLIENT
| sort -TOTAL_CLIENT_COUNT
| head $topn_clients$
| convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE
| eval CLIENT = CLIENT + " "
| rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active"
| table "Client ID" "# Hits" "Domains" "Last Active"
| fields "Client ID" "# Hits"</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">bar</option>
<option name="charting.drilldown">none</option>
<option name="charting.data.preview">true</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisTitleX.text">Client ID</option>
<option name="charting.axisTitleY.text"># Hits</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Malicious Activity by Client</title>
<table>
<search>
<query>index=ib_dns_summary report=si_dns_rpz_hits
| eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
| stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA
| stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME
| eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT
| sort -CLIENT_COUNT_BY_DOMAIN
| where TOTAL_CLIENT_COUNT $hit_count$
| dedup $topn_domains$ CLIENT
| eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT
| dedup CLIENT
| sort -TOTAL_CLIENT_COUNT
| head $topn_clients$
| convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE
| eval CLIENT = CLIENT + " "
| rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active"
| table "Client ID" "# Hits" "Domains" "Last Active"</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="rowNumbers">true</option>
<option name="drilldown">off</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Top DNS Firewall Hits</title>
<table>
<search>
<query>index=ib_dns_summary report=si_dns_rpz_hits
| fields RPZ_QNAME TOTAL_COUNT
| stats sum(TOTAL_COUNT) as RPZ_HIT_COUNT by RPZ_QNAME
| where RPZ_HIT_COUNT $hit_count$
| sort -RPZ_HIT_COUNT
| head $topn_clients$
| eventstats sum(RPZ_HIT_COUNT) as ALL_HIT_COUNT
| eval RPZ_HIT_PCT = round(RPZ_HIT_COUNT * 100 / ALL_HIT_COUNT, 2)
| addthreatstopdetails rpzorip RPZ_QNAME
| rename RPZ_QNAME as "RPZ Rule", RPZ_HIT_PCT as "Percentage", RPZ_HIT_COUNT as "# Hits", public_description as "Description"
| table "RPZ Rule" "Percentage" "# Hits" "Description"</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="rowNumbers">true</option>
<option name="drilldown">off</option>
</table>
</panel>
</row>
</form>
If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.
Labels:
