
PCI Compliance Dashboard

maxonic
Techie
Posts: 3
7826     4

This report maps some of the data contained in the Infoblox database to the PCI DSS and provides a dashboard to easily identify any compliance issues. Additionally, it implements two customizable gauges to report on

  • Percent of known grid-wide bad DNS queries
  • Percent of discovered devices making queries to known bad domains

(Screenshot attached: screencapture-demogm1-infoblox-com-ui-T3dVLco5y5awaLZejjiIEQ-T3dc4-VLc9c-1470780243920.png)

<form>
<label>System PCI Compliance Dashboard </label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<br/>
<br/>
<h2>DSS Section 5 and 6 - Maintain a Vulnerability Management Program</h2>
<br/>
<br/>
</html>
</panel>
</row>
<row>
<panel>
<title>DNS Vulnerability Level</title>
<chart>
<search>
<query>index=ib_dns_summary (report="si_dns_requested_domain" OR report="si_dns_rpz_hits") | stats count as Total_Requests count(eval(report=="si_dns_requested_domain")) as DNS_Requests | eval Vulnerability_Level = 100*(Total_Requests - DNS_Requests)/Total_Requests | fields Vulnerability_Level</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.chart">fillerGauge</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.chart.rangeValues">[0,5,10,100]</option>
<option name="charting.gaugeColors">["0x84E900","0xFFE800","0xBF3030"]</option>
</chart>
</panel>
<panel>
<title>Malware Penetration Rate</title>
<chart>
<search>
<query>index=ib_dns_summary report=si_dns_top_clients OR report=si_dns_rpz_hits| eventstats dc(CLIENT) as Total_Clients | search NOT report=si_dns_top_clients | dedup CLIENT | stats count as RPZ_Clients by Total_Clients | eval Percentage=100*RPZ_Clients / Total_Clients | fields Percentage</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">radialGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.chart.rangeValues">[0,5,10,100]</option>
<option name="charting.gaugeColors">["0x84E900","0xFFE800","0xBF3030"]</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Malicious Activity by Client</title>
<search>
<query>index=ib_dns_summary report=si_dns_rpz_hits | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA) | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME) | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY) | stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA | stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME | eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT | sort -CLIENT_COUNT_BY_DOMAIN | where TOTAL_CLIENT_COUNT &gt;=0 | dedup 3 CLIENT | eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT | dedup CLIENT | sort -TOTAL_CLIENT_COUNT | convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE | eval CLIENT = CLIENT + " " | rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active" | table "Client ID" "# Hits" "Domains" "Last Active" | noop</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
<panel>
<table>
<title>Threat Protection Counts</title>
<search>
<query>source=ib:ddos:events index=ib_security | bucket span=5m _time | eval SUM_COUNT=ACOUNT+DCOUNT | stats sum(eval(if(SEVERITY=="CRITICAL",SUM_COUNT,0))) as sumcrit, sum(eval(if(SEVERITY=="MAJOR",SUM_COUNT,0))) as summaj, sum(eval(if(SEVERITY=="WARNING",SUM_COUNT,0))) as sumwarn, sum(eval(if(SEVERITY=="INFORMATIONAL",SUM_COUNT,0))) as suminf by CATEGORY | eval sumtot=sumcrit+summaj+sumwarn+suminf | sort -sumtot | rename CATEGORY as "Category", sumcrit as "Critical Event Count", summaj as "Major Event Count", sumwarn as "Warning Event Count", suminf as "Informational Event Count", sumtot as "Total Event Count" | table "Category", "Critical Event Count", "Major Event Count", "Warning Event Count", "Informational Event Count", "Total Event Count"</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<html>
<br/>
<br/>
<h2>DSS Section 10 and 11 - Regularly Monitor and Test Networks</h2>
<br/>
<br/>
</html>
</panel>
</row>
<row>
<panel>
<table>
<title>Device Fingerprint Changes</title>
<search>
<query>sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history dhcpd OR dhcpdv6 r-l-e ACTION = "Issued" OR ACTION = "Renewed" | where isnotnull(FP_VIEW) and isnotnull(FP_NW) and isnotnull(FP_CIDR) and isnotnull(FP_RANGE) | lookup os_number_fingerprint_lookup OS_NUMBER output SFP | eval FINGER_PRINT=if(isnull(OS_NUMBER) OR OS_NUMBER==0,FP,SFP) | lookup fingerprint_device_class_lookup FINGER_PRINT output DEVICE_CLASS | eval DEVICE_CLASS=if(isnull(DEVICE_CLASS), "Modified or Deleted", DEVICE_CLASS) | streamstats current=false last(FINGER_PRINT) as LAST_FINGER_PRINT last(LEASE_IP) as LAST_LEASE_IP last(ACTION) as LAST_ACTION last(_time) as LAST_TIME last(DEVICE_CLASS) as LAST_DEVICE_CLASS last(FP_NW) as LAST_NW by MAC_DUID | where LAST_DEVICE_CLASS != DEVICE_CLASS | rename LAST_FINGER_PRINT as "Current Device Type" FINGER_PRINT as "Previous Device Type" MAC_DUID as "MAC/DUID" LAST_LEASE_IP as "Lease IP" LAST_ACTION as "Action" LAST_DEVICE_CLASS as "Current Device Class" DEVICE_CLASS as "Previous Device Class" | convert ctime(LAST_TIME) as Time | sort -Time | table Time, "MAC/DUID", "Current Device Type" "Current Device Class" "Previous Device Type" "Previous Device Class" "Lease IP" "Action"</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>DHCP Lease History</title>
<search>
<query>sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history (host="*") * * * * * * dhcpd OR dhcpdv6 r-l-e | eval Protocol=if(PROTO=="dhcpdv6","IPV6","IPV4") | noop | eval LEASE_START=strftime(START_EPOCH, "%Y-%m-%d %H:%M:%S") | noop | eval LEASE_END=strftime(END_EPOCH, "%Y-%m-%d %H:%M:%S") | noop | eval FINGER_PRINT=if(isnull(OS_NUMBER) OR OS_NUMBER==0,FP,SFP) | noop | eval DEVICE_CLASS=if(isnull(DEVICE_CLASS), "Modified or Deleted", DEVICE_CLASS) | rename host as "Member", ACTION as "Action", LEASE_IP as "Lease IP", MAC_DUID as "MAC/DUID", MEMBER_IP as "Member IP", OPTION12HOST as "Host Name", LEASE_START as "Lease Start", LEASE_END as "Lease End", FINGER_PRINT as "Fingerprint" | convert ctime(_time) as Time | table Time, Member, "Member IP", Protocol, Action, "Lease IP", "MAC/DUID", "Host Name", "Lease Start", "Lease End", "Fingerprint"</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<progress>
<condition>
<unset token="conditional_value"></unset>
</condition>
</progress>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<drilldown>
<set token="conditional_value">$row.Lease IP$</set>
</drilldown>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<table depends="$conditional_value$">
<title>User Login History</title>
<search>
<query>sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security | eval TIMEOUT_KEY="ad_user_default_timeout" | lookup users_timeout_value_lookup TIMEOUT_KEY output TIMEOUT_VAL | eval TIMEOUT_VALUE=if(isnull(TIMEOUT_VAL),18000,TIMEOUT_VAL*60) | where ip_address="$conditional_value$" | eval last_activeEpoch=if(isnum(last_active), last_active, strptime(last_active, "%Y-%m-%d %H:%M:%S")) | eventstats latest(last_activeEpoch) as l_last_active by user_name, ip_address, login_time | eval status=if((last_activeEpoch=l_last_active) AND (status=="ACTIVE") AND ((last_activeEpoch+TIMEOUT_VALUE)&lt;now()),"TIMEOUT",status) | sort -_time | eval last_active=if(isnum(last_active), strftime(last_active, "%Y-%m-%d %H:%M:%S"), last_active) | eval last_updated=if(isnum(last_updated), strftime(last_updated, "%Y-%m-%d %H:%M:%S"), last_updated) | eval logout_time=if(isnum(logout_time), strftime(logout_time, "%Y-%m-%d %H:%M:%S"), logout_time) | eval login_time=if(isnum(login_time), strftime(login_time, "%Y-%m-%d %H:%M:%S"), login_time) | rename timestamp as Time, user_name as "User Name", login_time as "First Seen", logout_time as "Logout Time", last_active as "Last Seen", last_updated as "Last Updated", ip_address as "IP Address", domain as "Domain", status as "User Status" | table "Last Updated" "User Name" "Domain" "IP Address" "First Seen" "Logout Time" "Last Seen" "User Status"</query>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<table depends="$conditional_value$">
<title>Subscription Data for Lease IP = $conditional_value$</title>
<search>
<query>sourcetype=ib:reserved1 source=ib:ecosystem_subscription:subscription_data index=ib_ecosystem_subscription
| eval last_updated=if(isnum(last_discovered_timestamp), strftime(last_discovered_timestamp,"%Y-%m-%d %H:%M:%S"), last_discovered_timestamp) | convert ctime(_time) as Time
| where ip_address="$conditional_value$"
| sort -Time
| rename username as "User Name",domainname as "Domain",cisco_ise_ssid as "SSID", port_vlan_name as "VLAN Name", port_vlan_number as "VLAN ID", os as "Device OS", cisco_ise_session_state as "Session State", cisco_ise_security_group as "Security Group", last_discovered_timestamp as "Discovered At", cisco_ise_quarantine_status as "Quarantine Status", ip_address as "IP Address", guid as "Grid ID" | table "User Name", "Domain", "SSID", "VLAN Name", "VLAN ID", "Device OS", "Session State", "Security Group", "Discovered At", "Quarantine Status", "IP Address", "Grid ID"</query>
</search>
</table>
</panel>
</row>
<row>
<panel>
<html>
<div style="text-align: right;margin-top:0;margin-bottom:0">
<h1>Developed by <a href="http://www.maxonic.com" target="_blank"><img src="http://maxonic.com/wp-content/uploads/maxonic_logo_small.png"/></a>
</h1>
</div>
</html>
</panel>
</row>
</form>
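The two gauge calculations behind the "DNS Vulnerability Level" and "Malware Penetration Rate" panels, as an added Python model that is not part of the original dashboard. It runs over constructed ib_dns_summary-style events (SAMPLE_EVENTS and the function names are assumptions for illustration) and handles the empty-index case, where the SPL division by Total_Requests yields no value, explicitly:

```python
# Constructed sample of Infoblox ib_dns_summary events (not real grid data):
# one dict per summary event, keyed by the report type and the CLIENT address.
SAMPLE_EVENTS = [
    {"report": "si_dns_requested_domain", "CLIENT": "10.0.0.11"},
    {"report": "si_dns_requested_domain", "CLIENT": "10.0.0.12"},
    {"report": "si_dns_requested_domain", "CLIENT": "10.0.0.13"},
    {"report": "si_dns_requested_domain", "CLIENT": "10.0.0.14"},
    {"report": "si_dns_top_clients", "CLIENT": "10.0.0.11"},
    {"report": "si_dns_top_clients", "CLIENT": "10.0.0.12"},
    {"report": "si_dns_top_clients", "CLIENT": "10.0.0.13"},
    {"report": "si_dns_top_clients", "CLIENT": "10.0.0.14"},
    {"report": "si_dns_rpz_hits", "CLIENT": "10.0.0.12"},
    {"report": "si_dns_rpz_hits", "CLIENT": "10.0.0.12"},
]
# Colour bands taken from the dashboard's rangeValues / gaugeColors options.
RANGE_VALUES = [0, 5, 10, 100]
GAUGE_COLORS = ["0x84E900", "0xFFE800", "0xBF3030"]  # green, yellow, red


def dns_vulnerability_level(events):
    """RPZ hits as a percentage of requested-domain plus RPZ-hit events
    (the first gauge's query). None when nothing is in scope."""
    in_scope = [e for e in events if e["report"] in ("si_dns_requested_domain", "si_dns_rpz_hits")]
    total = len(in_scope)
    dns_requests = sum(1 for e in in_scope if e["report"] == "si_dns_requested_domain")
    if total == 0:
        return None  # the SPL 100*(...)/Total_Requests has no value here
    return 100.0 * (total - dns_requests) / total


def malware_penetration_rate(events):
    """Distinct clients with an RPZ hit as a percentage of distinct clients in
    the top_clients or rpz_hits reports (the SPL eventstats dc(CLIENT))."""
    in_scope = [e for e in events if e["report"] in ("si_dns_top_clients", "si_dns_rpz_hits")]
    total_clients = {e["CLIENT"] for e in in_scope}
    rpz_clients = {e["CLIENT"] for e in in_scope if e["report"] == "si_dns_rpz_hits"}
    if not total_clients:
        return None
    return 100.0 * len(rpz_clients) / len(total_clients)


def gauge_color(value):
    """Map a percentage onto the gauge bands: [0,5) green, [5,10) yellow, 10+ red."""
    if value is None:
        return None
    for upper, color in zip(RANGE_VALUES[1:], GAUGE_COLORS):
        if value < upper:
            return color
    return GAUGE_COLORS[-1]
```

With the sample above, 2 of 6 in-scope events are RPZ hits (33.3%) and 1 of 4 clients made an RPZ-matched query (25%), so both gauges sit in the red band.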

Re: PCI Compliance Dashboard

Adviser
Posts: 85
7827     4

Great job! Can I humbly suggest that in the future you post a screenshot of your dashboards? I think it would be really helpful for others to visualize.

Re: PCI Compliance Dashboard

wm_chyang
Techie
Posts: 1
7827     4

Hi Folks,

 

What's the procedure for utilizing this code?

As mentioned above, screenshots would be nice.

 

Regards,

Chris
