
RPZ with IP and discovered hostname ?

AObszynski
Techie
Posts: 7

Can somebody help with such a report/search?

Re: RPZ with IP and discovered hostname ?

[ Edited ]
Adviser
Posts: 135

The solution is not performance-friendly (we don't have a lookup table). You need to clone the report and change the search string for the table. I also got rid of the Time field.

[Screenshot: DNS TOP RPZ Hits with Discovered Name.png]

index=ib_dns_summary report=si_dns_rpz_hits $client_str$ $domain_name_str$ $dns_view_str$ $members$ $mitigation_action_str$ $rpz_zone_str$ $rpz_entry_str$ $severity_str$
| eval DNS_VIEW=if(isnull(display_name), "NULL", display_name)
| eval RECORD_DATA=if(isnull(RECORD_DATA), "", RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME), "", RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY), "", RPZ_SEVERITY)
| where MITIGATION_ACTION != "ER"
| stats sum(COUNT) as QCOUNT by _time, CLIENT, DOMAIN_NAME, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by CLIENT, DOMAIN_NAME, DNS_VIEW, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| sort -QCOUNT
| head $topn$
| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error")
| eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "")
| rename CLIENT as "Client ID", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"
| join type=left "Client ID" [search index=ib_discovery source="ib:discovery:ipaddr_activity"
    | stats latest(_time) by IPADDR, DISCOVERED_NAME, NETWORK_VIEW
    | rename IPADDR as "Client ID"
    | table "Client ID", DISCOVERED_NAME, NETWORK_VIEW]
| table "Client ID", DISCOVERED_NAME, NETWORK_VIEW, "Total Client Hits", "Domain Name", "RPZ Entry", "RPZ Severity", "Total Rule Hits", "Mitigation Action", "Substitute Addresses"
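As an added illustration (not code from this thread or from the Infoblox reporting app), the Python below mirrors what the search above does, on constructed sample rows: it aggregates the RPZ hit summary per client and rule in the same two stats stages, drops the error action, maps the action and severity codes to the same labels, and left-joins each Client ID to a discovered name. The sample records, field values and function names are assumptions made for the example. It also makes one behaviour explicit: the subsearch returns one row per (IPADDR, DISCOVERED_NAME, NETWORK_VIEW) combination, so an address that has carried several names produces several candidate rows and Splunk's join keeps only the first match by default (max=1), whereas the code below picks the most recent discovery record per address on purpose.

```python
from collections import defaultdict

# Mitigation action and severity code labels, as in the thread's eval/case statements.
MITIGATION_LABELS = {
    "PT": "Passthru", "NX": "Block (No Such Domain)", "ND": "Block (No Data)",
    "SB": "Substitute", "A1": "Substitute (A)", "A4": "Substitute (AAAA)",
    "AA": "Substitute (A/AAAA)", "DN": "Substitute (Domain Name)", "ER": "Error",
}
SEVERITY_LABELS = {"4": "INFORMATIONAL", "6": "WARNING", "7": "MAJOR", "8": "CRITICAL", "": ""}

# Constructed sample of the si_dns_rpz_hits summary: one row per time bucket, client and rule.
# COUNT is that client's hits in the bucket, TOTAL_COUNT the rule's hits across all clients.
RPZ_HITS = [
    {"_time": 1000, "CLIENT": "10.1.1.5", "DOMAIN_NAME": "bad.example", "COUNT": 3, "TOTAL_COUNT": 10,
     "MITIGATION_ACTION": "NX", "RPZ_SEVERITY": "8", "RPZ_QNAME": "bad.example", "RECORD_DATA": None},
    {"_time": 1300, "CLIENT": "10.1.1.5", "DOMAIN_NAME": "bad.example", "COUNT": 4, "TOTAL_COUNT": 12,
     "MITIGATION_ACTION": "NX", "RPZ_SEVERITY": "8", "RPZ_QNAME": "bad.example", "RECORD_DATA": None},
    {"_time": 1000, "CLIENT": "10.1.1.20", "DOMAIN_NAME": "c2.example", "COUNT": 5, "TOTAL_COUNT": 5,
     "MITIGATION_ACTION": "NX", "RPZ_SEVERITY": "7", "RPZ_QNAME": "c2.example", "RECORD_DATA": None},
    {"_time": 1000, "CLIENT": "10.1.1.9", "DOMAIN_NAME": "ads.example", "COUNT": 2, "TOTAL_COUNT": 2,
     "MITIGATION_ACTION": "A1", "RPZ_SEVERITY": "6", "RPZ_QNAME": "*.ads.example", "RECORD_DATA": "192.0.2.1"},
    {"_time": 1000, "CLIENT": "10.1.1.7", "DOMAIN_NAME": "oops.example", "COUNT": 9, "TOTAL_COUNT": 9,
     "MITIGATION_ACTION": "ER", "RPZ_SEVERITY": None, "RPZ_QNAME": None, "RECORD_DATA": None},
]

# Constructed sample of ib:discovery:ipaddr_activity: 10.1.1.5 has carried two names over time,
# and 10.1.1.20 has never been discovered at all.
DISCOVERY = [
    {"_time": 900, "IPADDR": "10.1.1.5", "DISCOVERED_NAME": "old-laptop.corp", "NETWORK_VIEW": "default"},
    {"_time": 1200, "IPADDR": "10.1.1.5", "DISCOVERED_NAME": "jsmith-laptop.corp", "NETWORK_VIEW": "default"},
    {"_time": 1100, "IPADDR": "10.1.1.9", "DISCOVERED_NAME": "printer-3f.corp", "NETWORK_VIEW": "default"},
]


def latest_discovered_names(discovery_rows):
    """Map each address to the (name, network view) of its most recent discovery record.
    This is what a lookup table would hold; the thread's join rebuilds it on every run."""
    latest = {}
    for row in discovery_rows:
        current = latest.get(row["IPADDR"])
        if current is None or row["_time"] > current["_time"]:
            latest[row["IPADDR"]] = row
    return {ip: (r["DISCOVERED_NAME"], r["NETWORK_VIEW"]) for ip, r in latest.items()}


def build_report(hits, discovery_rows, topn=10):
    """Reproduce the two stats stages, the code-to-label mapping and the left join of the search."""
    names = latest_discovered_names(discovery_rows)

    # Stage 1: sum COUNT per time bucket and rule, after dropping MITIGATION_ACTION == "ER".
    per_bucket = defaultdict(int)
    for h in hits:
        if h["MITIGATION_ACTION"] == "ER":
            continue
        key = (h["_time"], h["CLIENT"], h["DOMAIN_NAME"], h["TOTAL_COUNT"], h["MITIGATION_ACTION"],
               h["RPZ_SEVERITY"] or "", h["RECORD_DATA"] or "", h["RPZ_QNAME"] or "")
        per_bucket[key] += h["COUNT"]

    # Stage 2: collapse the time buckets, summing both counters.
    per_rule = defaultdict(lambda: [0, 0])  # [TOTAL_COUNT, QCOUNT]
    for (_, client, domain, total, action, sev, rdata, qname), qcount in per_bucket.items():
        agg = per_rule[(client, domain, action, sev, rdata, qname)]
        agg[0] += total
        agg[1] += qcount

    rows = []
    for (client, domain, action, sev, rdata, qname), (total, qcount) in per_rule.items():
        name, view = names.get(client, (None, None))  # left join: unknown clients keep a null name
        rows.append({
            "Client ID": client, "DISCOVERED_NAME": name, "NETWORK_VIEW": view,
            "Total Client Hits": qcount, "Domain Name": domain, "RPZ Entry": qname,
            "RPZ Severity": SEVERITY_LABELS.get(sev, sev), "Total Rule Hits": total,
            "Mitigation Action": MITIGATION_LABELS.get(action, action), "Substitute Addresses": rdata,
        })
    rows.sort(key=lambda r: r["Total Client Hits"], reverse=True)  # sort -QCOUNT | head $topn$
    return rows[:topn]


if __name__ == "__main__":
    for r in build_report(RPZ_HITS, DISCOVERY, topn=10):
        print(r["Client ID"], r["DISCOVERED_NAME"], r["Total Client Hits"], r["RPZ Severity"], r["Mitigation Action"])
```

The dictionary built by latest_discovered_names is the part that would live in a lookup table in Splunk; computing it inside a subsearch on every run is why the author calls the join approach not performance-friendly.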

 

Re: RPZ with IP and discovered hostname ?

jwolach
Techie
Posts: 2

Hello,

Thanks for posting your report. I tried using your search string; however, I'm getting errors because of the tokens. Could you please tell me the best way to add your report with the dropdown selectors in my Reporting Server?

Kind regards,
Jeff

Re: RPZ with IP and discovered hostname ?

Adviser
Posts: 135

Hi,

> Thanks for posting your report. I tried using your search string; however, I'm getting errors because of the tokens. Could you please tell me the best way to add your report with the dropdown selectors in my Reporting Server?

As I mentioned in my post, you have to:

- clone the original report;
- edit the cloned version of the report (e.g. Edit Panels or Edit Source);
- and replace the search string in the table (Edit Search String).

BR,

Vadim

Re: RPZ with IP and discovered hostname ?

jwolach
Techie
Posts: 2

Thanks Vadim, I did see that in your original quote; however, you talk about cloning the report, when actually it's a Dashboard that you cloned. I now see where to make the modifications.

Kind regards,
Jeff

Re: RPZ with IP and discovered hostname ?

[ Edited ]
Expert
Posts: 179

Thank you for this.

For some reason, when I cut and pasted the code, I kept getting an extra hidden character in this statement,

eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)

between the "IT" in the third SEVERITY.

Some browsers would show it and some would not; once I got that sorted, it worked fine.
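The invisible character described above can be checked for mechanically rather than by switching browsers. The Python below is an added example, not code from this thread: it scans a pasted search string for zero-width, format and other non-printing code points and reports each one's offset and Unicode name, then strips them. The sample string, with a U+200B zero-width space planted inside the third RPZ_SEVERITY, is constructed for the example; the function names are assumptions.

```python
import unicodedata

# Constructed sample: the eval from the thread with a zero-width space (U+200B) planted
# inside the third RPZ_SEVERITY, as a browser copy/paste can leave behind.
CLEAN = 'eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)'
PASTED = 'eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVER\u200bITY)'


def is_hidden(ch):
    """True for code points that render as nothing (or as an ordinary-looking space) yet split a token:
    format characters (zero-width space/joiner, BOM), control characters other than tab/newline,
    and space separators other than U+0020 (e.g. the non-breaking space)."""
    if ch in "\t\n\r":
        return False
    category = unicodedata.category(ch)
    return category in ("Cf", "Cc") or (category == "Zs" and ch != " ")


def find_hidden_chars(text, context=6):
    """Return (offset, 'U+XXXX', Unicode name, surrounding text) for each hidden character found."""
    findings = []
    for i, ch in enumerate(text):
        if is_hidden(ch):
            around = text[max(0, i - context):i] + "[?]" + text[i + 1:i + 1 + context]
            findings.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"), around))
    return findings


def strip_hidden_chars(text):
    """Drop the hidden characters so the search string can be pasted into the panel as intended."""
    return "".join(ch for ch in text if not is_hidden(ch))


if __name__ == "__main__":
    for offset, codepoint, name, around in find_hidden_chars(PASTED):
        print(f"offset {offset}: {codepoint} {name}  ...{around}...")
    print("cleaned matches original:", strip_hidden_chars(PASTED) == CLEAN)
```

Running the check before pasting a long search string into Edit Search String turns a "some browsers show it, some don't" hunt into a one-line report of exactly where the stray code point sits.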
