


DNS Top RPZ Hits by Clients Report

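<!--
  Splunk Simple XML dashboard: top clients by DNS Response Policy Zone (RPZ) hits,
  plus two panels that appear after a row drilldown and show the DHCP lease history
  and the user login history for the selected client IP.

  Indexes read by the searches below: ib_dns_summary (report=si_dns_rpz_hits),
  ib_dhcp_lease_history and ib_security.

  Tokens: $time$ (shared time range), $topn$ (row limit), $members$ (member filter),
  $client_str$ and $dns_view_str$ (derived filters built by the change handlers),
  $conditional_value$ (client IP chosen by drilldown; gates the two lower panels).

  Every user-supplied or result-derived value that is spliced into SPL goes through
  the |s token filter, which wraps the value in double quotes and escapes embedded
  quotes/backslashes, so a stray quote in an input or a field value cannot break
  the generated search. Wildcards such as *10.120.20.* keep working inside the quotes.
-->
<form>
  <label>DNS Top RPZ Hits by Clients</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <fieldset submitButton="true" autoRun="true">
    <!-- Time range used by every search through $time.earliest$ / $time.latest$ (default: last day) -->
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Number of rows kept by "head $topn$" in the main panel -->
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>10</default>
      <initialValue>10</initialValue>
    </input>
    <!--
      Member (orig_host) filter. Selected values are rendered as
      (orig_host="a" OR orig_host="b"); the "All" choice yields orig_host="*".
      The choice list is populated from the same summary index the main panel reads.
    -->
    <input type="multiselect" token="members">
      <label>Members</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <!--
      Free-text client filter. The literal "All" clears the filter (bare " * " term);
      anything else becomes (CLIENT="<typed value>"), quoted and escaped by |s.
    -->
    <input type="text" token="client">
      <label>Client (eg: *10.120.20.*)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="client_str"> * </set>
        </condition>
        <condition value="*">
          <set token="client_str">(CLIENT=$value|s$)</set>
        </condition>
      </change>
    </input>
    <!--
      DNS view filter, populated from display_name in the summary index.
      "All" clears the filter; a chosen view becomes (display_name="<view>").
    -->
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits
               | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str"> * </set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">(display_name=$value|s$)</set>
        </condition>
      </change>
      <default>All</default>
    </input>
  </fieldset>
  <!--
    Main panel: RPZ hit counts per client. COUNT is first averaged per
    (_time, VIEW, CLIENT, orig_host), then summed per (_time, CLIENT), rounded,
    sorted descending and cut to $topn$ rows. Clicking a row stores the
    "Client ID" column in $conditional_value$, which reveals the panels below.
  -->
  <row>
    <panel>
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits 
            $members$
            $client_str$
            $dns_view_str$ 
            | stats avg(COUNT) as QCOUNT by _time, VIEW, CLIENT, orig_host 
            | stats sum(QCOUNT) as QCOUNT by _time, CLIENT 
            | eval QCOUNT=round(QCOUNT) 
            | convert ctime(_time) as Time 
            | sort -QCOUNT 
            | head $topn$ 
            | rename CLIENT as "Client ID", QCOUNT as "Total Client Hits" 
            | table "Client ID", "Total Client Hits", Time</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <!-- Clears the previous drilldown selection whenever this search re-runs,
               so the dependent panels hide until a row is clicked again -->
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown>
          <set token="conditional_value">$row.Client ID$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!--
    DHCP lease history for the selected client IP. Only shown once
    $conditional_value$ is set. The IP is compared as a quoted eval string
    literal via |s, so the token can never alter the where clause.
  -->
  <row>
    <panel>
      <table depends="$conditional_value$">
        <title>DHCP Lease History for Client ID=$conditional_value$</title>
        <search>
          <query>sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history dhcpd OR dhcpdv6 r-l-e 
            | eval Protocol=if(PROTO=="dhcpdv6","IPV6","IPV4") 
            | eval LEASE_START=strftime(START_EPOCH,"%Y-%m-%d %H:%M:%S") 
            | eval LEASE_END=strftime(END_EPOCH,"%Y-%m-%d %H:%M:%S")  
            | eval FINGER_PRINT=if(isnull(OS_NUMBER),FP,SFP) 
            | where LEASE_IP=$conditional_value|s$  
            | rename host as "Member", ACTION as "Action", LEASE_IP as "Lease IP", MAC_DUID as "MAC/DUID", MEMBER_IP as "Member IP", OPTION12HOST as "Host Name", LEASE_START as "Lease Start", LEASE_END as "Lease End", FINGER_PRINT as "Fingerprint" 
            | convert ctime(_time) as Time 
            | table Time, Member, "Member IP", Protocol, Action, "Lease IP", "MAC/DUID", "Host Name", "Lease Start", "Lease End", "Fingerprint"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <!--
    User login history for the selected IP from the Infoblox user_login source.
    A session still marked ACTIVE is re-labelled TIMEOUT when its latest
    last_active plus the timeout (TIMEOUT_VAL minutes, default 18000 s) is in the past.
    NOTE: TIMEOUT_KEY is computed but not used by any later command; kept as-is.
    The trailing comma that previously ended the rename list has been dropped.
  -->
  <row>
    <panel>
      <table depends="$conditional_value$">
        <title>User History for IP Address=$conditional_value$</title>
        <search>
          <query>sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security 
            | eval TIMEOUT_KEY="ad_user_default_timeout"  
            | eval TIMEOUT_VALUE=if(isnull(TIMEOUT_VAL),18000,TIMEOUT_VAL*60) 
            | where ip_address=$conditional_value|s$ 
            | eval last_activeEpoch=if(isnum(last_active), last_active, strptime(last_active, "%Y-%m-%d %H:%M:%S")) 
            | eventstats latest(last_activeEpoch) as l_last_active by user_name, ip_address, login_time 
            | eval status=if((last_activeEpoch=l_last_active) AND (status=="ACTIVE") AND ((last_activeEpoch+TIMEOUT_VALUE)&lt;now()),"TIMEOUT",status) 
            | sort -_time | eval last_active=if(isnum(last_active), strftime(last_active, "%Y-%m-%d %H:%M:%S"), last_active) 
            | eval last_updated=if(isnum(last_updated), strftime(last_updated, "%Y-%m-%d %H:%M:%S"), last_updated) 
            | eval logout_time=if(isnum(logout_time), strftime(logout_time, "%Y-%m-%d %H:%M:%S"), logout_time) 
            | eval login_time=if(isnum(login_time), strftime(login_time, "%Y-%m-%d %H:%M:%S"), login_time) 
            | rename timestamp as Time, user_name as "User Name", login_time as "First Seen", logout_time as "Logout Time", last_active as "Last Seen", last_updated as "Last Updated", ip_address as "IP Address", domain as "Domain", status as "User Status" 
            | table "Last Updated" "User Name" "Domain" "IP Address" "First Seen" "Logout Time" "Last Seen" "User Status"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>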
If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.