DNS Firewall Executive Threat Report
01-27-2016 07:59 AM
<form>
  <label>DNS Firewall Executive Threat Report</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1w</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="topn_clients">
      <label>Top N Clients/Rules</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <default>10</default>
    </input>
    <input type="dropdown" token="topn_domains">
      <label>Top N Domains</label>
      <choice value="3">3</choice>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <default>3</default>
    </input>
    <!-- Free-form comparison appended to a "where" clause, e.g. ">10" -->
    <input type="text" token="hit_count">
      <label>Hit Count (eg: >10)</label>
      <default>>=0</default>
    </input>
  </fieldset>
  <!-- Bar chart: total RPZ hits per client for the top N clients -->
  <row>
    <panel>
      <title>Malicious Activity by Client</title>
      <chart>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
| eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
| stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA
| stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME
| eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT
| sort -CLIENT_COUNT_BY_DOMAIN
| where TOTAL_CLIENT_COUNT $hit_count$
| dedup $topn_domains$ CLIENT
| eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT
| dedup CLIENT
| sort -TOTAL_CLIENT_COUNT
| head $topn_clients$
| convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE
| eval CLIENT = CLIENT + " "
| rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active"
| table "Client ID" "# Hits" "Domains" "Last Active"
| fields "Client ID" "# Hits"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.data.preview">true</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisTitleX.text">Client ID</option>
        <option name="charting.axisTitleY.text"># Hits</option>
      </chart>
    </panel>
  </row>
  <!-- Same search as the chart, shown as a table with the top N domains and last activity per client -->
  <row>
    <panel>
      <title>Malicious Activity by Client</title>
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
| eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
| stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA
| stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME
| eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT
| sort -CLIENT_COUNT_BY_DOMAIN
| where TOTAL_CLIENT_COUNT $hit_count$
| dedup $topn_domains$ CLIENT
| eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT
| dedup CLIENT
| sort -TOTAL_CLIENT_COUNT
| head $topn_clients$
| convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE
| eval CLIENT = CLIENT + " "
| rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active"
| table "Client ID" "# Hits" "Domains" "Last Active"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">off</option>
      </table>
    </panel>
  </row>
  <!-- Top N RPZ rules by hit count, with each rule's share of all hits and its threat description -->
  <row>
    <panel>
      <title>Top DNS Firewall Hits</title>
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
| fields RPZ_QNAME TOTAL_COUNT
| stats sum(TOTAL_COUNT) as RPZ_HIT_COUNT by RPZ_QNAME
| where RPZ_HIT_COUNT $hit_count$
| sort -RPZ_HIT_COUNT
| head $topn_clients$
| eventstats sum(RPZ_HIT_COUNT) as ALL_HIT_COUNT
| eval RPZ_HIT_PCT = round(RPZ_HIT_COUNT * 100 / ALL_HIT_COUNT, 2)
| addthreatstopdetails rpzorip RPZ_QNAME
| rename RPZ_QNAME as "RPZ Rule", RPZ_HIT_PCT as "Percentage", RPZ_HIT_COUNT as "# Hits", public_description as "Description"
| table "RPZ Rule" "Percentage" "# Hits" "Description"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">off</option>
      </table>
    </panel>
  </row>
</form>
If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.
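The "Malicious Activity by Client" search above rolls RPZ hits up per client, keeps the N busiest domains per client, applies the hit-count threshold, and returns the top N clients with their last activity time. The following is an added example, not part of the dashboard or the Infoblox app, that reproduces that aggregation in plain Python over constructed summary rows so a reviewer can check what the panel reports. It assumes the rows have already been collapsed by the first "stats avg(COUNT)" step, that the free-form $hit_count$ token is replaced by an integer minimum (a ">=" comparison), and that "Last Active" is rendered in UTC; SPL's ctime uses the search head's local time zone.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows shaped like the si_dns_rpz_hits summary fields the
# dashboard uses (CLIENT, DOMAIN_NAME, TOTAL_COUNT, _time). Not real data.
SAMPLE_EVENTS = [
    {"_time": 1453900000, "CLIENT": "10.0.0.5", "DOMAIN_NAME": "bad-a.example", "TOTAL_COUNT": 40},
    {"_time": 1453903600, "CLIENT": "10.0.0.5", "DOMAIN_NAME": "bad-b.example", "TOTAL_COUNT": 25},
    {"_time": 1453907200, "CLIENT": "10.0.0.5", "DOMAIN_NAME": "bad-c.example", "TOTAL_COUNT": 10},
    {"_time": 1453910800, "CLIENT": "10.0.0.5", "DOMAIN_NAME": "bad-d.example", "TOTAL_COUNT": 5},
    {"_time": 1453900000, "CLIENT": "10.0.0.7", "DOMAIN_NAME": "bad-a.example", "TOTAL_COUNT": 3},
    {"_time": 1453914400, "CLIENT": "10.0.0.7", "DOMAIN_NAME": "bad-a.example", "TOTAL_COUNT": 4},
    {"_time": 1453900000, "CLIENT": "10.0.0.9", "DOMAIN_NAME": "bad-b.example", "TOTAL_COUNT": 1},
]


def summarize_rpz_hits(events, topn_clients=10, topn_domains=3, min_hits=0):
    """Mirror the per-client search: one row per client with total hits, the
    busiest domains, and the most recent hit time. min_hits stands in for the
    dashboard's $hit_count$ token (assumed here to mean TOTAL_CLIENT_COUNT >= N)."""
    # stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME
    #       by CLIENT DOMAIN_NAME
    per_pair = {}
    for ev in events:
        key = (ev["CLIENT"], ev["DOMAIN_NAME"])
        count, latest = per_pair.get(key, (0, 0))
        per_pair[key] = (count + int(ev["TOTAL_COUNT"]), max(latest, int(ev["_time"])))

    # eventstats sum(...) as TOTAL_CLIENT_COUNT max(...) as MAX_LATEST_TIME by CLIENT
    clients = defaultdict(lambda: {"total": 0, "latest": 0, "domains": []})
    for (client, domain), (count, latest) in per_pair.items():
        entry = clients[client]
        entry["total"] += count
        entry["latest"] = max(entry["latest"], latest)
        entry["domains"].append((count, domain))

    rows = []
    for client, entry in clients.items():
        # where TOTAL_CLIENT_COUNT $hit_count$
        if entry["total"] < min_hits:
            continue
        # sort -CLIENT_COUNT_BY_DOMAIN | dedup $topn_domains$ CLIENT keeps the N
        # busiest domains per client; values() then lists them lexicographically.
        busiest = sorted(entry["domains"], key=lambda t: (-t[0], t[1]))[:topn_domains]
        # convert ctime(MAX_LATEST_TIME): rendered here in UTC (assumption)
        last_active = datetime.fromtimestamp(entry["latest"], tz=timezone.utc)
        rows.append({
            "Client ID": client,
            "# Hits": entry["total"],
            "Domains": sorted(domain for _, domain in busiest),
            "Last Active": last_active.strftime("%m/%d/%Y %H:%M:%S"),
        })

    # sort -TOTAL_CLIENT_COUNT | head $topn_clients$
    rows.sort(key=lambda r: (-r["# Hits"], r["Client ID"]))
    return rows[:topn_clients]


if __name__ == "__main__":
    for row in summarize_rpz_hits(SAMPLE_EVENTS, topn_clients=2, topn_domains=3, min_hits=2):
        print(row)
```

Running it with the sample rows, a minimum of 2 hits and a top-2 limit drops the single-hit client and lists 10.0.0.5 (80 hits across its three busiest domains) ahead of 10.0.0.7 (7 hits). Adjusting min_hits is the quickest way to see how the $hit_count$ token changes which clients the executive view surfaces.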