DNS Top Tunneling Activity Report

Adviser
Posts: 244
1461     1
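<form>
  <label>DNS Top Tunneling Activity</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <!--
    Top-N clients by DNS tunneling activity, built from two summary indexes:
    ib_security_summary (report=si_dns_tunneling_activity) and ib_dns_summary
    (report=si_dns_rpz_hits, filtered through the analytics_rpz_lookup).

    Every input below is substituted straight into SPL. Inline dashboard
    searches run with the permissions of the viewing user, so a crafted input
    cannot reach data that user could not already search; the quoting below
    (the |s token filter) exists so that stray quotes, spaces or an "OR" typed
    into a box cannot break the query or silently widen the match. Do not lift
    these searches into a scheduled or owner-dispatched report without
    validating the inputs first.
  -->
  <fieldset submitButton="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1w</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Number of clients shown in the chart/table; applied with "| head". -->
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>10</default>
    </input>
    <!--
      Host list is populated from the tunneling index for the selected time
      range. Selected values are rendered as (orig_host="a" OR orig_host="b");
      "All" collapses to (orig_host="*").
    -->
    <input type="multiselect" token="members">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ib_security_summary report=si_dns_tunneling_activity
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <initialValue>*</initialValue>
    </input>
    <!--
      Free-text client IP. "All" (the default) and an empty box disable the
      filter; anything else becomes SOURCE_IP="value" for the tunneling leg and
      CLIENT="value" for the RPZ leg of the base search. $value|s$ wraps the
      value in quotes and escapes embedded quotes and backslashes, so the text
      is always a single search term; a trailing * still acts as a wildcard
      inside the quotes.
    -->
    <input type="text" token="src_ip_address">
      <label>Source IP Address</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="src_ip_str"> * </set>
          <set token="client_str"> * </set>
        </condition>
        <condition value="">
          <set token="src_ip_str"> * </set>
          <set token="client_str"> * </set>
        </condition>
        <condition value="*">
          <set token="src_ip_str">SOURCE_IP=$value|s$</set>
          <set token="client_str">CLIENT=$value|s$</set>
        </condition>
      </change>
    </input>
    <!--
      Deliberately raw SPL: the text is appended to "| where SOURCE_PORT" as an
      operator plus value (default ">=0", i.e. no filtering). A typo here breaks
      the whole base search, and anything a user can write after "where" can be
      written here, so keep this dashboard on user-dispatched searches only.
    -->
    <input type="text" token="src_port">
      <label>Source Port (eg: >=0)</label>
      <default>&gt;=0</default>
      <prefix>| where SOURCE_PORT</prefix>
    </input>
    <!--
      NAT status filter. "none" injects a no-op command so the pipeline stays
      valid; Yes/No become a where clause. The value is quoted with |s because
      the token can also be seeded from the URL (form.nat_status=...).
    -->
    <input type="dropdown" token="nat_status">
      <label>NAT Status</label>
      <choice value="none">None</choice>
      <choice value="Yes">Yes</choice>
      <choice value="No">No</choice>
      <default>none</default>
      <change>
        <condition value="none">
          <set token="nat_status_str">| noop </set>
        </condition>
        <condition value="*">
          <set token="nat_status_str">| where (NAT_STATUS == $value|s$)</set>
        </condition>
      </change>
    </input>
    <!-- Chart/table toggle; panels below are shown via the show_chart / show_table tokens. -->
    <input type="link" token="view" searchWhenChanged="true">
      <label>View</label>
      <choice value="chart">Bar Chart</choice>
      <choice value="table">Table</choice>
      <choice value="both">Both</choice>
      <default>chart</default>
      <change>
        <condition value="table">
          <set token="show_table">true</set>
          <unset token="show_chart"></unset>
        </condition>
        <condition value="chart">
          <set token="show_chart">true</set>
          <unset token="show_table"></unset>
        </condition>
        <condition value="both">
          <set token="show_chart">true</set>
          <set token="show_table">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!--
    Base search shared by all panels. The first leg reads pre-classified
    tunneling events; the appended leg turns RPZ hits into a synthetic
    "Detected by Analytics Engine" category by cross-joining every hit with
    every row of analytics_rpz_lookup (JOIN_FIELD=1 on both sides) and keeping
    rows whose RPZ_QNAME ends with ANALYTICS_RPZ.

    Two things to watch when cloning:
      * like(RPZ_QNAME, "%" + ANALYTICS_RPZ) is a bare suffix match with no
        label boundary; unless the lookup values begin with a dot,
        "evilexample.com" will also match an entry for "example.com".
      * The cross product grows as hits x lookup rows, and join is subject to
        Splunk's subsearch limits, so a large lookup may be truncated silently.

    Missing SOURCE_PORT / NAT_STATUS / BLOCK_* values are normalised so the
    user-supplied where clauses never see nulls. NAT'd clients are rendered as
    ip:[BLOCK_START-BLOCK_END] so they group separately from the bare address.
  -->
  <search id="base_search">
    <query>index=ib_security_summary report=si_dns_tunneling_activity
      $members$
      $src_ip_str$
      | where isnotnull(DNST_CATEGORY)
      | append
      [ search index=ib_dns_summary report=si_dns_rpz_hits
      $members$
      $client_str$
      | eval JOIN_FIELD=1
      | join JOIN_FIELD
      [ | inputlookup analytics_rpz_lookup
      | eval JOIN_FIELD=1                        ]
      | where like(RPZ_QNAME, "%" + ANALYTICS_RPZ)
      | table TOTAL_COUNT, CLIENT, MITIGATION_ACTION, ANALYTICS_RPZ, _time
      | where MITIGATION_ACTION != "ER"
      | eval DNST_CATEGORY="Detected by Analytics Engine"
      | eval RULE_DESCRIPTION=ANALYTICS_RPZ
      | stats sum(TOTAL_COUNT) as ACTIVE_COUNT by CLIENT, DNST_CATEGORY, RULE_DESCRIPTION, ANALYTICS_RPZ, _time
      | eval SOURCE_IP=CLIENT                    ]
      | eval SOURCE_PORT = if(isnull(SOURCE_PORT) OR  (len(SOURCE_PORT)==0), 0, SOURCE_PORT)
      $src_port$
      | eval NAT_STATUS = if(isnull(NAT_STATUS) OR  (len(NAT_STATUS)==0) OR NAT_STATUS==0, "No", "Yes")
      $nat_status_str$
      | eval BLOCK_START = if(isnull(BLOCK_START) OR  (len(BLOCK_START)==0) OR BLOCK_START==0, 0, BLOCK_START)
      | eval BLOCK_END = if(isnull(BLOCK_END) OR  (len(BLOCK_END)==0) OR BLOCK_END==0, 0, BLOCK_END)
      | eval SOURCE_IP = if (NAT_STATUS=="Yes",SOURCE_IP+":["+BLOCK_START+"-"+BLOCK_END+"]", SOURCE_IP)</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <!--
    Top-N chart. Clicking a bar stores the "Client IP" label (address plus
    percentage suffix) in conditional_value, which drives the detail panel;
    the progress handler clears it whenever this search re-runs so the detail
    panel never shows rule hits for a stale selection.
  -->
  <row>
    <panel isVisible="$show_chart$">
      <chart depends="$show_chart$">
        <search base="base_search">
          <query>| stats sum(ACTIVE_COUNT) as ACTIVE_COUNT_SUM latest(_time) as LATEST_TIME by SOURCE_IP
          | sort -ACTIVE_COUNT_SUM
          | head $topn$ 
          | eventstats sum(ACTIVE_COUNT_SUM) as EVENTS_TOTAL
          | eval Percentage=round(ACTIVE_COUNT_SUM*100/EVENTS_TOTAL, 2) 
          | eval SOURCE_IP=SOURCE_IP + " (" + Percentage + "%)"
          | rename SOURCE_IP as "Client IP", ACTIVE_COUNT_SUM as "Event Count"
          | table "Client IP", "Event Count"
          </query>
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Client IP</option>
        <option name="charting.axisTitleY.text">Event Count</option>
        <drilldown>
          <set token="conditional_value">$row.Client IP$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <!-- Same top-N result as the chart, as a table; row click drives the detail panel. -->
  <row>
    <panel isVisible="$show_table$">
      <table depends="$show_table$">
        <search base="base_search">
          <query>| stats sum(ACTIVE_COUNT) as ACTIVE_COUNT_SUM latest(_time) as LATEST_TIME by SOURCE_IP
          | sort -ACTIVE_COUNT_SUM
          | head $topn$ 
          | eventstats sum(ACTIVE_COUNT_SUM) as EVENTS_TOTAL
          | eval Percentage=round(ACTIVE_COUNT_SUM*100/EVENTS_TOTAL, 2) 
          | eval SOURCE_IP=SOURCE_IP + " (" + Percentage + "%)"
          | rename SOURCE_IP as "Client IP", ACTIVE_COUNT_SUM as "Event Count"
          | table "Client IP", "Event Count"</query>
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown>
          <set token="conditional_value">$row.Client IP$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!--
    Detail panel for the clicked client. conditional_value carries the label
    "ip (nn.nn%)"; the rex strips everything from the first space so the bare
    address (or ip:[start-end] for NAT'd clients) can be compared with
    SOURCE_IP. The label comes from log data, so it is injected with |s rather
    than pasted between literal quotes: a quote or backslash in SOURCE_IP
    would otherwise terminate the eval string early and break the query.
  -->
  <row>
    <panel>
      <table depends="$conditional_value$">
        <title>Rule hits for Client IP = $conditional_value$</title>
        <search base="base_search">
          <query>| eval PASSED_IP=$conditional_value|s$
            | rex field=PASSED_IP "(?&lt;IP&gt;.*?)( |$)" 
            | where SOURCE_IP=IP
            | stats sum(ACTIVE_COUNT) as ACTIVE_COUNT_SUM latest(_time) as LATEST_TIME by DNST_CATEGORY
            | sort -ACTIVE_COUNT_SUM
            | convert ctime(LATEST_TIME) as "Last Seen"
            | rename DNST_CATEGORY as "Category", ACTIVE_COUNT_SUM as "Event Count"
            | table "Category", "Event Count", "Last Seen"
          </query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>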