FireEye Alerts Report

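<form>
  <!-- Splunk Simple XML form that lists FireEye alert events found in the
       Infoblox DNS sourcetype. Each filter input writes a *_str token which is
       spliced into the single base search in the panel below. -->
  <label>FireEye Alerts</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <fieldset submitButton="true" autoRun="true">
    <!-- Time range for the base search; defaults to the last day. -->
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Free-text filters. "All" turns the filter into a bare wildcard; any
         other value becomes a field=value search term. $value|s$ wraps the typed
         text in double quotes and escapes embedded quotes and backslashes, so a
         value containing a quote can no longer break the search syntax. -->
    <input type="text" token="fireeye_appliance">
      <label>FireEye Appliance</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="fireeye_appliance_str"> * </set>
        </condition>
        <condition value="*">
          <set token="fireeye_appliance_str">(APP_ID=$value|s$)</set>
        </condition>
      </change>
    </input>
    <input type="text" token="alert_id">
      <label>Alert ID</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="alert_id_str"> * </set>
        </condition>
        <condition value="*">
          <set token="alert_id_str">(ALERT_ID=$value|s$)</set>
        </condition>
      </change>
    </input>
    <input type="text" token="rpz_entry">
      <label>RPZ Entry</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="rpz_entry_str"> * </set>
        </condition>
        <condition value="*">
          <set token="rpz_entry_str">(RPZ_RULE=$value|s$)</set>
        </condition>
      </change>
    </input>
    <!-- Dropdown filters. Choice values are fixed, but dropdown tokens can also
         be supplied through the dashboard URL, so they are quoted the same way. -->
    <input type="dropdown" token="mitigation_action">
      <label>Mitigation Action</label>
      <choice value="All">All</choice>
      <choice value="PT">Passthru</choice>
      <choice value="NX">Block (No Such Domain)</choice>
      <choice value="ND">Block (No Data)</choice>
      <choice value="DN">Substitute (Domain Name)</choice>
      <choice value="None">None</choice>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="mitigation_action_str"> * </set>
        </condition>
        <condition value="*">
          <!-- NOTE(review): this term filters on MITIGATION_ACTION, while the
               rename in the panel search maps ACTION to "Mitigation Action";
               confirm which field name the sourcetype actually emits. -->
          <set token="mitigation_action_str">(MITIGATION_ACTION=$value|s$)</set>
        </condition>
      </change>
    </input>
    <!-- Severity and alert type are filtered with "| where" after the eval
         statements in the panel search, because the choice values ("Major",
         "Web Infection", ...) are the normalized display strings produced by
         those evals, not the raw codes in the events. "| noop" keeps the
         pipeline valid when no filter is selected. -->
    <input type="dropdown" token="log_severity">
      <label>Log Severity</label>
      <choice value="All">All</choice>
      <choice value="Critical">Critical</choice>
      <choice value="Invalid">Invalid</choice>
      <choice value="Major">Major</choice>
      <choice value="Minor">Minor</choice>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="log_severity_str">| noop </set>
        </condition>
        <condition value="*">
          <set token="log_severity_str">| where (LOG_SEVERITY=$value|s$)</set>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="alert_type">
      <label>Alert Type</label>
      <choice value="All">All</choice>
      <choice value="Infection Events">Infection Events</choice>
      <choice value="Web Infection">Web Infection</choice>
      <choice value="Malware Object">Malware Object</choice>
      <choice value="Domain Match">Domain Match</choice>
      <choice value="Callback Events">Callback Events</choice>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="alert_type_str">| noop </set>
        </condition>
        <condition value="*">
          <set token="alert_type_str">| where (ALERT_TYPE=$value|s$)</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Base search: the four search-term tokens narrow the event set, the
           evals map raw alert type / severity codes to display names, then the
           two "| where" tokens apply the dropdown filters on those names. -->
      <table>
        <search>
          <query>sourcetype=ib:dns:reserved index=ib_dns info fireeye-rpt
                    $fireeye_appliance_str$
                    $alert_id_str$
                    $rpz_entry_str$
                    $mitigation_action_str$
                    | eval TYPE=case(ALERT_TYPE == "web-infection", "Web Infection", ALERT_TYPE == "malware-object", "Malware Object", ALERT_TYPE == "domain-match", "Domain Match", ALERT_TYPE == "malware-callback", "Callback Events", ALERT_TYPE == "infection-match", "Infection Events")
                    | eval SEVERITY=case(LOG_SEVERITY == "majr", "Major", LOG_SEVERITY == "crit", "Critical", LOG_SEVERITY == "minr", "Minor")
                    | eval ALERT_TYPE=if(isnull(TYPE), ALERT_TYPE,TYPE)
                    | eval LOG_SEVERITY=if(isnull(SEVERITY), LOG_SEVERITY,SEVERITY)
                    $log_severity_str$
                    $alert_type_str$
                    | rename ALERT_ID as "Alert ID", LOG_SEVERITY as "Log Severity", ALERT_TYPE as "Alert Type", RPZ_RULE as "RPZ Entry", ACTION as "Mitigation Action", APP_ID as "FireEye Appliance"
                    | rename _time as Time
                    | eval Time=strftime(Time, "%Y-%m-%d %H:%M:%S %Z")
                    | table Time, "Alert ID", "Log Severity", "Alert Type", "FireEye Appliance", "RPZ Entry", "Mitigation Action"</query>
        </search>
        <option name="rowNumbers">true</option>
        <!-- Drilldown is disabled: this is a read-only report table. -->
        <option name="drilldown">off</option>
      </table>
    </panel>
  </row>
</form>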