
DNS Top RPZ Hits w/o Time field


This report is a clone of "DNS Top RPZ Hits". I removed a time column which always irritated me.

 

Report ID: pvm_dns_top_rpz_hits

<form>
  <!--
    Splunk Simple XML form: Top-N RPZ (Response Policy Zone) hits from the
    ib_dns_summary index, with three row-drilldown panels (DHCP lease history,
    user login history, RPZ threat details). Cloned from "DNS Top RPZ Hits";
    the Time column was dropped from the main table.

    Token convention: every filter input publishes a <name>_str token that is
    spliced verbatim into the main search — "All" yields a bare "*" (no
    constraint), anything else yields a FIELD="value" clause.
  -->
  <label>1_DNS Top RPZ Hits Clone</label>
  <description></description>
  <fieldset submitButton="true" autoRun="true">
    <!-- Shared time range; every panel search below binds to $time.earliest$/$time.latest$. -->
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Row limit applied by "| head $topn$" in the main query. -->
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>10</default>
      <initialValue>10</initialValue>
    </input>
    <!--
      NOTE(review): the free-text inputs (client, domain_name, rpz_zone,
      rpz_entry) are substituted into the SPL unescaped, so a typed value
      containing a double quote or a pipe changes the search rather than
      being matched literally. The search still runs with the viewer's own
      permissions, so this is a correctness/robustness concern rather than a
      privilege boundary. Splunk's $value|s$ token filter quotes and escapes
      a value — confirm it applies inside <set> before adopting it; the
      rpz_zone input cannot use it as-is because of its leading wildcard.
    -->
    <input type="text" token="client">
      <label>Client (eg: 10.120.20.*)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="client_str">*</set>
        </condition>
        <condition value="*">
          <set token="client_str">CLIENT="$value$"</set>
        </condition>
      </change>
    </input>
    <input type="text" token="domain_name">
      <label>Domain Name</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="domain_name_str">*</set>
        </condition>
        <condition value="*">
          <set token="domain_name_str">DOMAIN_NAME="$value$"</set>
        </condition>
      </change>
    </input>
    <!-- View list is populated dynamically from display_name values in the selected time range. -->
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits
               | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str">*</set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">display_name="$value$"</set>
        </condition>
      </change>
      <default>All</default>
    </input>
    <!--
      Multiselect renders as (orig_host="a" OR orig_host="b" ...); the "*"
      choice (default) matches every member. This token is used directly as
      $members$ in the main query, without a _str indirection.
    -->
    <input type="multiselect" token="members">
      <label>Members</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <!-- Two-letter action codes; the main query decodes them to the same labels via case(). -->
    <input type="dropdown" token="mitigation_action">
      <label>Mitigation Action</label>
      <default>All</default>
      <choice value="All">All</choice>
      <choice value="PT">Passthru</choice>
      <choice value="NX">Block (No Such Domain)</choice>
      <choice value="ND">Block (No Data)</choice>
      <choice value="SB">Substitute</choice>
      <choice value="AA">Substitute (A/AAAA)</choice>
      <choice value="A1">Substitute (A)</choice>
      <choice value="A4">Substitute (AAAA)</choice>
      <choice value="DN">Substitute (Domain Name)</choice>
      <choice value="None">None</choice>
      <change>
        <condition value="All">
          <set token="mitigation_action_str">*</set>
        </condition>
        <condition value="*">
          <set token="mitigation_action_str">MITIGATION_ACTION="$value$"</set>
        </condition>
      </change>
    </input>
    <!-- Leading wildcard gives suffix matching on RPZ_QNAME, e.g. a zone name matches every entry under it. -->
    <input type="text" token="rpz_zone">
      <label>RPZ Zone (suffix matching)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="rpz_zone_str">*</set>
        </condition>
        <condition value="*">
          <set token="rpz_zone_str">RPZ_QNAME="*$value$"</set>
        </condition>
      </change>
    </input>
    <!-- Exact match on RPZ_QNAME; combines with rpz_zone as an AND in the main search. -->
    <input type="text" token="rpz_entry">
      <label>RPZ Entry</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="rpz_entry_str">*</set>
        </condition>
        <condition value="*">
          <set token="rpz_entry_str">RPZ_QNAME="$value$"</set>
        </condition>
      </change>
    </input>
    <!-- Numeric severity codes (4/6/7/8); the main query decodes them to INFORMATIONAL/WARNING/MAJOR/CRITICAL. -->
    <input type="dropdown" token="severity">
      <label>Severity</label>
      <default>All</default>
      <choice value="All">All</choice>
      <choice value="8">Critical</choice>
      <choice value="4">Informational</choice>
      <choice value="7">Major</choice>
      <choice value="6">Warning</choice>
      <change>
        <condition value="All">
          <set token="severity_str">*</set>
        </condition>
        <condition value="*">
          <set token="severity_str">RPZ_SEVERITY="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!--
          Main query pipeline:
            1. apply all filter tokens to the si_dns_rpz_hits summary;
            2. null-normalise DNS_VIEW, RECORD_DATA, RPZ_QNAME, RPZ_SEVERITY;
            3. drop MITIGATION_ACTION "ER" rows (the later case() branch for
               "ER" is therefore never reached);
            4. aggregate per member (orig_host), then again across members;
            5. sort by QCOUNT descending and keep the top $topn$ rows;
            6. decode action and severity codes to labels and rename for display.
          "convert ctime(_time) as Time" is a leftover from the original
          report: _time is not a by-field of the preceding stats, so Time is
          empty and it is not listed in the final table — it can be removed.
          The <progress> handler clears conditional_value while the search
          re-runs, which hides the two panels that depend on it.
        -->
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits             $client_str$             $domain_name_str$             $dns_view_str$             $members$             $mitigation_action_str$             $rpz_zone_str$             $rpz_entry_str$             $severity_str$                         | eval DNS_VIEW =if(isnull(display_name), "NULL",display_name)             | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)             | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)             | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)             | where MITIGATION_ACTION != "ER"              | stats sum(COUNT) as QCOUNT by  CLIENT, DOMAIN_NAME, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA RPZ_QNAME             | stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by CLIENT, DOMAIN_NAME, DNS_VIEW, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA RPZ_QNAME              | convert ctime(_time) as Time             | sort -QCOUNT             | head $topn$             | eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error")             | eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "")             | rename CLIENT as "Client ID", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"             | table "Client ID", 
"Total Client Hits", "Domain Name", "RPZ Entry", "RPZ Severity", "Total Rule Hits", "Mitigation Action", "Substitute Addresses"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">heatmap</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <!--
          Row drilldown: clicking "Domain Name" or "RPZ Entry" selects the
          threat-details lookup mode (domain vs rpz) and value; clicking any
          other cell selects the row's Client ID for the DHCP and user-history
          panels. Each branch unsets the other branch's tokens so only one
          group of dependent panels is visible at a time.
        -->
        <drilldown>
          <condition field="Domain Name">
            <set token="rpz_entry_or_domain_field">domain</set>
            <set token="rpz_entry_or_domain_value">$row.Domain Name$</set>
            <unset token="conditional_value"></unset>
          </condition>
          <condition field="RPZ Entry">
            <set token="rpz_entry_or_domain_field">rpz</set>
            <set token="rpz_entry_or_domain_value">$row.RPZ Entry$</set>
            <unset token="conditional_value"></unset>
          </condition>
          <condition field="*">
            <set token="conditional_value">$row.Client ID$</set>
            <unset token="rpz_entry_or_domain_field"></unset>
            <unset token="rpz_entry_or_domain_value"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Hidden until a Client ID is selected; looks up DHCP leases for that address. -->
      <table depends="$conditional_value$">
        <title>DHCP Lease History for Client ID=$conditional_value$</title>
        <search>
          <query>sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history dhcpd OR dhcpdv6 r-l-e LEASE_IP="$conditional_value$"
                 | eval Protocol=if(PROTO=="dhcpdv6","IPV6","IPV4")
                 | eval LEASE_START=strftime(START_EPOCH,"%Y-%m-%d %H:%M:%S")
                 | eval LEASE_END=strftime(END_EPOCH,"%Y-%m-%d %H:%M:%S")
                 | eval FINGER_PRINT=if(isnull(OS_NUMBER),FP,SFP)
                 | rename host as "Member", ACTION as "Action", LEASE_IP as "Lease IP", MAC_DUID as "MAC/DUID", MEMBER_IP as "Member IP", OPTION12HOST as "Host Name", LEASE_START as "Lease Start", LEASE_END as "Lease End", FINGER_PRINT as "Fingerprint"
                 | convert ctime(_time) as Time
                 | table Time, Member, "Member IP", Protocol, Action, "Lease IP", "MAC/DUID", "Host Name", "Lease Start", "Lease End", "Fingerprint"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!--
        Hidden until a Client ID is selected; user login sessions for that IP.
        A session still marked ACTIVE whose last activity plus the timeout
        (TIMEOUT_VAL minutes, default 18000 s when absent) is in the past is
        re-labelled TIMEOUT. "&lt;" in the query is the XML escape for "<".
        NOTE(review): the rename list ends with a trailing comma before the
        pipe to table — confirm Splunk tolerates it, otherwise this panel
        will show a parse error.
      -->
      <table depends="$conditional_value$">
        <title>User History for IP Address=$conditional_value$</title>
        <search>
          <query>sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security ip_address="$conditional_value$"
                 | eval TIMEOUT_VALUE=if(isnull(TIMEOUT_VAL),18000,TIMEOUT_VAL*60)
                 | eventstats latest(last_activeEpoch) as l_last_active by user_name, ip_address, login_time 
                 | eval status=if((last_activeEpoch=l_last_active) AND (status=="ACTIVE") AND ((last_activeEpoch+TIMEOUT_VALUE)&lt;now()),"TIMEOUT",status)
                 | sort -_time
                 | rename timestamp as Time, user_name as "User Name", login_time as "First Seen", logout_time as "Logout Time", last_active as "Last Seen", last_updated as "Last Updated", ip_address as "IP Address", domain as "Domain", status as "User Status",
                 | table "Last Updated" "User Name" "Domain" "IP Address" "First Seen" "Logout Time" "Last Seen" "User Status"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!--
        Hidden until a Domain Name or RPZ Entry cell is clicked. The query
        starts with a leading pipe, so fetchthreatstopdetails is a generating
        command (presumably supplied by the Infoblox app — confirm); it takes
        the lookup mode and value set by the drilldown.
      -->
      <table depends="$rpz_entry_or_domain_field$">
        <title>RPZ Threat Details</title>
        <search>
          <query>| fetchthreatstopdetails $rpz_entry_or_domain_field$ $rpz_entry_or_domain_value$ | eval rpz_rule="$rpz_entry_or_domain_value$" + name
                 | convert ctime(first_identified) as "First Identified" 
                 | rename rpz_rule as "RPZ Rule", short_description as "Short Description", public_description as "Description" 
                 | table "RPZ Rule", "First Identified", "Short Description", "Description"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>