RPZ with IP and discovered hostname ?
04-01-2016 04:29 AM
Re: RPZ with IP and discovered hostname ?
04-01-2016 09:16 AM - edited 04-01-2016 09:18 AM
The solution is not performance friendly (we don't have a lookup table). You need to clone the report and change the search string for the table. I also got rid of the Time field.
index=ib_dns_summary report=si_dns_rpz_hits $client_str$ $domain_name_str$ $dns_view_str$ $members$ $mitigation_action_str$ $rpz_zone_str$ $rpz_entry_str$ $severity_str$
| eval DNS_VIEW=if(isnull(display_name), "NULL", display_name)
| eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
| where MITIGATION_ACTION != "ER"
| stats sum(COUNT) as QCOUNT by _time, CLIENT, DOMAIN_NAME, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by CLIENT, DOMAIN_NAME, DNS_VIEW, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| sort -QCOUNT
| head $topn$
| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error")
| eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "")
| rename CLIENT as "Client ID", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"
| join type=left "Client ID" [search index=ib_discovery source="ib:discovery:ipaddr_activity" | stats latest(_time) by IPADDR, DISCOVERED_NAME, NETWORK_VIEW | rename IPADDR as "Client ID" | table "Client ID", DISCOVERED_NAME, NETWORK_VIEW]
| table "Client ID", DISCOVERED_NAME, NETWORK_VIEW, "Total Client Hits", "Domain Name", "RPZ Entry", "RPZ Severity", "Total Rule Hits", "Mitigation Action", "Substitute Addresses"
Re: RPZ with IP and discovered hostname ?
04-21-2016 06:53 AM
Hello,
Thanks for posting your report. I tried using your search string however, I'm getting errors because of the tokens. Could you please tell me the best way to add your report with the dropdown selectors in my Reporting Server?
Kind regards,
Jeff
Re: RPZ with IP and discovered hostname ?
04-21-2016 09:28 AM
Hi,
Thanks for posting your report. I tried using your search string however, I'm getting errors because of the tokens. Could you please tell me the best way to add your report with the dropdown selectors in my Reporting Server?
As I mentioned in my post you have to:
- clone the original report;
- edit the cloned version of the report (e.g. Edit Panels or Edit Source);
- and replace the search string in the table (Edit Search String).
BR,
Vadim
Re: RPZ with IP and discovered hostname ?
04-21-2016 02:47 PM
Thanks Vadim, I did see that in your original quote; however, you talk about cloning the report, when actually it's a Dashboard that you cloned. I now see where to make the modifications.
Kind regards,
Jeff
Re: RPZ with IP and discovered hostname ?
04-26-2016 10:54 AM - edited 04-26-2016 10:55 AM
Thank you for this.
For some reason, when I cut and pasted the code, I kept getting an extra hidden character in this statement,
eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
between the "IT" in the third SEVERITY.
Some browsers would show it and some would not; once I got that sorted, it worked fine.
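The hidden character described in the post above can be located mechanically before the string ever reaches the search bar. The Python script below is an added example, not code from this thread or from Infoblox: it scans a pasted SPL string for zero-width/format and control characters, non-ASCII spaces and curly quotes, reports each one with its offset and surrounding text, and returns a cleaned copy. The sample plants a U+200B between the "I" and "T" of the third RPZ_SEVERITY; the post does not name the code point, so that choice is an assumption.

```python
import unicodedata

# Characters browsers and forum software commonly slip into pasted text: curly quotes
# break SPL string literals, the rest are invisible or merely look like spaces.
SMART_PUNCT = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

def classify(ch):
    """Return a reason if ch is a likely paste artifact, otherwise None."""
    if ch in ("\t", "\n", "\r"):
        return None
    if ch in SMART_PUNCT:
        return "smart punctuation"
    cat = unicodedata.category(ch)
    if cat in ("Cf", "Cc"):          # zero-width/format and control characters
        return "invisible"
    if cat == "Zs" and ch != " ":    # no-break space and other Unicode spaces
        return "non-ascii space"
    return None

def find_hidden_chars(text, context=6):
    """Return (offset, 'U+XXXX', name, reason, snippet) for each suspect character."""
    hits = []
    for i, ch in enumerate(text):
        reason = classify(ch)
        if reason:
            snippet = text[max(0, i - context):i] + "<?>" + text[i + 1:i + 1 + context]
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"), reason, snippet))
    return hits

def clean(text):
    """Drop invisible characters; normalise odd spaces and curly quotes to ASCII."""
    out = []
    for ch in text:
        reason = classify(ch)
        if reason is None:
            out.append(ch)
        elif reason == "smart punctuation":
            out.append(SMART_PUNCT[ch])
        elif reason == "non-ascii space":
            out.append(" ")
        # "invisible" characters are simply dropped
    return "".join(out)

# Constructed sample: the eval from the thread with a zero-width space (U+200B) planted
# between the "I" and "T" of the third RPZ_SEVERITY (the exact code point is an assumption).
SAMPLE = 'eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVER\u200bITY)'

if __name__ == "__main__":
    for offset, cp, name, reason, snippet in find_hidden_chars(SAMPLE):
        print(f"offset {offset}: {cp} {name} ({reason}) ...{snippet}...")
    print("cleaned:", clean(SAMPLE))
```

Run it against the whole cloned search string rather than one eval; an empty report from find_hidden_chars means the text is safe to paste into Edit Search String.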