
Malicious Activity by Client Report

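<!--
  Malicious Activity by Client (Infoblox DNS RPZ hits).

  One base search over the si_dns_rpz_hits summary (index=ib_dns_summary)
  feeds a bar chart and/or a table of the top N clients by RPZ hit count,
  with the top N domains each client queried and when it was last seen.

  Tokens:
    time          time picker, default last week
    topn_clients  how many clients to show (fixed dropdown)
    topn_domains  how many domains per client to keep (fixed dropdown)
    hit_count     free-text comparison spliced verbatim into "| where"
                  (see the note on the input)
    vtype         link input bar | table | both, sets show_bar / show_table

  Fix applied vs. the original: both "sort" stages use "sort 0". Without an
  explicit count, Splunk's sort keeps only the first 10000 results, so on a
  busy DNS estate the per-client/domain rows (and, after dedup, whole
  clients) were silently dropped before the top-N selection.
-->
<form>
  <label>Malicious Activity by Client</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1w</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Fixed choices: these tokens are used as numeric arguments to "dedup" and
         "head", and a dropdown guarantees they can only be one of the listed values. -->
    <input type="dropdown" token="topn_clients">
      <label>Top N Clients</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <default>10</default>
    </input>
    <input type="dropdown" token="topn_domains">
      <label>Top N Domains</label>
      <choice value="3">3</choice>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <default>3</default>
    </input>
    <!-- hit_count is an SPL expression fragment ("| where TOTAL_CLIENT_COUNT $hit_count$"),
         so it cannot be quoted with the |s token filter. Whatever is typed is run as the
         viewing user's own search: this is not a privilege boundary, but an empty value or
         anything other than "<op> <number>" (e.g. ">10") makes the search fail. Treat the
         dashboard as a report, not as an access control, and restrict who can edit it. -->
    <input type="text" token="hit_count">
      <label>Hit Count (eg: &gt;10)</label>
      <default>&gt;=0</default>
    </input>
    <!-- View selector. The <change> block maps the chosen value onto the two
         visibility tokens the panels depend on. -->
    <input type="link" token="vtype" searchWhenChanged="true">
      <label>View</label>
      <choice value="bar">Bar Chart</choice>
      <choice value="table">Table</choice>
      <choice value="both">Both</choice>
      <default>bar</default>
      <change>
        <condition value="table">
          <set token="show_table">true</set>
          <unset token="show_bar"></unset>
        </condition>
        <condition value="bar">
          <set token="show_bar">true</set>
          <unset token="show_table"></unset>
        </condition>
        <condition value="both">
          <set token="show_bar">true</set>
          <set token="show_table">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!--
    Base search, shared by both panels.
      1. Fill null RECORD_DATA / RPZ_QNAME / RPZ_SEVERITY with "" so the
         following "stats ... by" does not drop rows that lack them
         (stats discards events missing any by-field).
      2. Aggregate the summary rows, then total hits per CLIENT + DOMAIN_NAME
         and per CLIENT (eventstats), keeping the latest timestamp seen.
      3. sort 0 (all rows) by per-domain count, keep the top $topn_domains$
         rows per client, collect those domain names, collapse to one row per
         client, sort 0 by total and keep $topn_clients$.
      Note: values() returns the collected domains in lexical order, not in
      hit order; switch to list() if the column should reflect ranking.
      The trailing-space padding of CLIENT is presumably a chart-label
      workaround; the post does not say why, so it is left as is.
  -->
  <search id="base_search">
    <query>index=ib_dns_summary report=si_dns_rpz_hits
                      | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
                      | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
                      | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
                      | stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA
                      | stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME
                      | eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT
                      | sort 0 -CLIENT_COUNT_BY_DOMAIN
                      | where TOTAL_CLIENT_COUNT $hit_count$
                      | dedup $topn_domains$ CLIENT
                      | eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT
                      | dedup CLIENT
                      | sort 0 -TOTAL_CLIENT_COUNT
                      | head $topn_clients$
                      | convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE
                      | eval CLIENT = CLIENT + "               "
                      | rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active"
                      | table "Client ID" "# Hits" "Domains" "Last Active"</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <!-- Visibility is driven by depends= on the chart/table; isVisible does not
       appear to be a documented <panel> attribute and is kept only for parity. -->
  <row>
    <panel isVisible="$show_bar$">
      <chart depends="$show_bar$">
        <search base="base_search">
          <query>| fields "Client ID" "# Hits"</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.data.preview">true</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisTitleX.text">Client ID</option>
        <option name="charting.axisTitleY.text"># Hits</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel isVisible="$show_table$">
      <table depends="$show_table$">
        <search base="base_search">
          <query>| noop</query>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">off</option>
      </table>
    </panel>
  </row>
</form>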