DNS Firewall reports that captures and counts hits by 2nd level domain
03-31-2017 06:01 AM
This dashboard captures the 2nd level domain name in the DNS firewall messages and counts of them. Useful in pre-implementation to gauge the effect of blocking mode and in production to see if a particular threat by domain name is present.
Dashboard XML
<form>
  <label>L2 Domain Blocked on DNS Firewall</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="datetime">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- CDATA keeps the named capture group (?<l2domain>...) from being parsed as an XML tag -->
          <query><![CDATA[index=ib_dns_summary source="si-search-dns-rpz-hits"
| rex field=DOMAIN_NAME "^.*(\.|^)(?<l2domain>[^\.]+\..*)"
| table l2domain, TOTAL_COUNT
| stats sum(TOTAL_COUNT) as Matches by l2domain
| sort by Matches desc]]></query>
          <earliest>$datetime.earliest$</earliest>
          <latest>$datetime.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
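
To check what the `rex` pattern extracts before relying on the counts, here is an added example (not part of the original post) that applies the same pattern in Python to constructed `(DOMAIN_NAME, TOTAL_COUNT)` rows and sums them the way the `stats` step does. The sample domains and the function names are assumptions; the rows show that names under a multi-label suffix such as `co.uk` all collapse into the suffix, and that single-label names produce no `l2domain` and so drop out of the totals.

```python
import re
from collections import Counter

# Same pattern as the dashboard's rex; Python spells the named group (?P<name>...).
L2_RE = re.compile(r"^.*(\.|^)(?P<l2domain>[^\.]+\..*)")

# Constructed sample rows standing in for DOMAIN_NAME / TOTAL_COUNT summary events.
SAMPLE_HITS = [
    ("cdn.ads.badsite.example", 12),
    ("badsite.example", 3),
    ("a.b.c.tracker.test", 7),
    ("tracker.test", 1),
    ("mail.shop.co.uk", 5),    # multi-label suffix: grouped as "co.uk"
    ("news.other.co.uk", 2),   # unrelated site, same "co.uk" bucket
    ("localhost", 4),          # no dot: pattern does not match
]


def l2domain(name):
    """Return the last two labels of name, or None when the pattern does not match."""
    m = L2_RE.match(name)
    return m.group("l2domain") if m else None


def matches_by_l2domain(rows):
    """Sum counts per extracted l2domain, highest first (like stats + sort)."""
    totals = Counter()
    for name, count in rows:
        key = l2domain(name)
        if key is not None:  # rows without the field are excluded from "stats ... by"
            totals[key] += count
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for domain, matches in matches_by_l2domain(SAMPLE_HITS):
        print(f"{domain:20} {matches}")
```
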