
Search all ADP rules and RPZ violations for a source IP, Time bounded

Anna

This dashboard allows a search to see if an IP has hit either an ADP or DNS FW rule. Useful to identify the extent of the issue for an individual client and to rule out ADP and DNS firewall as the cause of a client issue. That proved vital when we implemented ADP and DNS Firewall in blocking mode. It gave the Network Operations team the security of knowing that they could quickly identify whether or not this huge change was responsible for a service issue.

 

IP with ADP rule hit: [screenshot ADP_rule_hit_IP_lookup_example.png]

IP with RPZ rule hit: [screenshot DNS_FW_rule_hit_IP_lookup_example.png]

 

<form>
  <label>Barclays - ADP &amp; DNS FW rule hits - IP Lookup</label>
  <description>Search all ADP rules  and RPZ violations for a source IP, Time bounded; pick shortest time frame required.</description>
  <fieldset submitButton="true">
    <input type="text" token="IPADR">
      <label>IP address</label>
    </input>
    <input type="time" token="field2">
      <label>Time range</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>ADP rule hits for this IP</title>
      <table>
        <search>
          <query>source=ib:ddos:ip_rule_stats index=ib_security  (RULE_SID = * ) AND SOURCE_IP=$IPADR$
| lookup dnslookup clientip as SOURCE_IP
| stats count by RULE_SID, RULE_NAME, SOURCE_IP, clienthost
| sort -count
| rename SOURCE_IP as "client", clienthost as "client FQDN", RULE_SID as "SID",RULE_NAME as "Rule Name"  
| table client, "client FQDN", "Rule Name", SID, count</query>
          <earliest>$field2.earliest$</earliest>
          <latest>$field2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>DNS firewall RPZ hit for this IP</title>
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits (CLIENT = $IPADR$ )
| lookup dns_viewkey_displayname_lookup VIEW output display_name
| lookup dnslookup clientip as CLIENT
| eval DNS_VIEW =if(isnull(display_name), "NULL",display_name)
| eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
| where MITIGATION_ACTION != "ER"
| stats sum(COUNT) as QCOUNT by CLIENT, clienthost, DOMAIN_NAME, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by CLIENT, clienthost, DOMAIN_NAME, DNS_VIEW, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| sort -QCOUNT
| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error")
| eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "")
| rename CLIENT as "Client ID", clienthost as "FQDN", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"
| table "Client ID", "FQDN", "Total Client Hits", "Domain Name", "RPZ Entry", "RPZ Severity", "Total Rule Hits", "Mitigation Action", "Substitute Addresses"</query>
          <earliest>$field2.earliest$</earliest>
          <latest>$field2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

 
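The two panel searches above, re-created offline as an added example so the filtering and aggregation can be checked against known input. This is not code from the original post or from the Infoblox reporting app; the events, rule SIDs, rule names, hostnames and view names are constructed placeholders, and the `dnslookup` and `dns_viewkey_displayname_lookup` lookups are stood in for by dictionaries. The code tables for MITIGATION_ACTION and RPZ_SEVERITY are the ones from the dashboard's `case()` statements. It also keeps the DNS view as a column, which the original `table` drops even though the `stats` groups by it.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Code tables copied from the dashboard's eval/case statements.
MITIGATION_ACTION = {
    "PT": "Passthru",
    "NX": "Block (No Such Domain)",
    "ND": "Block (No Data)",
    "SB": "Substitute",
    "A1": "Substitute (A)",
    "A4": "Substitute (AAAA)",
    "AA": "Substitute (A/AAAA)",
    "DN": "Substitute (Domain Name)",
    "ER": "Error",
}
RPZ_SEVERITY = {"4": "INFORMATIONAL", "6": "WARNING", "7": "MAJOR", "8": "CRITICAL", "": ""}


def epoch(s):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> epoch seconds, standing in for Splunk's _time."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


# Constructed sample events (placeholder SIDs, names and hosts; not real Infoblox data).
ADP_EVENTS = [  # stands in for source=ib:ddos:ip_rule_stats index=ib_security
    {"_time": epoch("2020-01-15 09:00:00"), "SOURCE_IP": "10.1.2.3", "RULE_SID": "200000001", "RULE_NAME": "EXAMPLE_RATE_LIMIT_UDP"},
    {"_time": epoch("2020-01-15 09:05:00"), "SOURCE_IP": "10.1.2.3", "RULE_SID": "200000001", "RULE_NAME": "EXAMPLE_RATE_LIMIT_UDP"},
    {"_time": epoch("2020-01-15 09:07:00"), "SOURCE_IP": "10.1.2.3", "RULE_SID": "200000002", "RULE_NAME": "EXAMPLE_DNS_TUNNEL"},
    {"_time": epoch("2020-01-14 23:59:00"), "SOURCE_IP": "10.1.2.3", "RULE_SID": "200000002", "RULE_NAME": "EXAMPLE_DNS_TUNNEL"},  # outside window
    {"_time": epoch("2020-01-15 09:08:00"), "SOURCE_IP": "10.9.9.9", "RULE_SID": "200000001", "RULE_NAME": "EXAMPLE_RATE_LIMIT_UDP"},  # other client
]
RPZ_EVENTS = [  # stands in for index=ib_dns_summary report=si_dns_rpz_hits
    {"_time": epoch("2020-01-15 09:01:00"), "CLIENT": "10.1.2.3", "VIEW": "view1", "orig_host": "ns1.example.test", "DOMAIN_NAME": "bad.example.test", "RPZ_QNAME": "bad.example.test", "RPZ_SEVERITY": "8", "MITIGATION_ACTION": "NX", "COUNT": 3, "TOTAL_COUNT": 40},
    {"_time": epoch("2020-01-15 09:02:00"), "CLIENT": "10.1.2.3", "VIEW": "view1", "orig_host": "ns2.example.test", "DOMAIN_NAME": "bad.example.test", "RPZ_QNAME": "bad.example.test", "RPZ_SEVERITY": "8", "MITIGATION_ACTION": "NX", "COUNT": 2, "TOTAL_COUNT": 15},
    {"_time": epoch("2020-01-15 09:03:00"), "CLIENT": "10.1.2.3", "VIEW": "view2", "orig_host": "ns1.example.test", "DOMAIN_NAME": "walled.example.test", "RPZ_QNAME": "*.example.test", "RPZ_SEVERITY": "6", "MITIGATION_ACTION": "A1", "RECORD_DATA": "192.0.2.10", "COUNT": 1, "TOTAL_COUNT": 5},
    {"_time": epoch("2020-01-15 09:04:00"), "CLIENT": "10.1.2.3", "VIEW": "view1", "orig_host": "ns1.example.test", "DOMAIN_NAME": "broken.example.test", "MITIGATION_ACTION": "ER", "COUNT": 9, "TOTAL_COUNT": 9},  # dropped by the where clause
]
VIEW_NAMES = {"view1": "Internal"}  # stands in for dns_viewkey_displayname_lookup; view2 has no display name
HOSTNAMES = {"10.1.2.3": "laptop42.example.test"}  # stands in for the dnslookup external lookup


def in_window(ev, earliest, latest):
    return earliest <= ev["_time"] <= latest


def adp_hits(ip, earliest, latest, events=ADP_EVENTS, hostnames=HOSTNAMES):
    """Panel 1: count ADP rule hits per (SID, rule name) for one source IP in the window."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("SOURCE_IP") != ip or not in_window(ev, earliest, latest):
            continue
        if not ev.get("RULE_SID"):  # RULE_SID=* only matches events that carry the field
            continue
        counts[(ev["RULE_SID"], ev["RULE_NAME"])] += 1
    rows = [
        {"client": ip, "client FQDN": hostnames.get(ip), "Rule Name": name, "SID": sid, "count": n}
        for (sid, name), n in counts.items()
    ]
    return sorted(rows, key=lambda r: -r["count"])  # | sort -count


def rpz_hits(ip, earliest, latest, events=RPZ_EVENTS, view_names=VIEW_NAMES, hostnames=HOSTNAMES):
    """Panel 2: the dashboard's two-stage stats. Stage 1 groups per reporting member
    (orig_host) and its TOTAL_COUNT so each member's rule total is taken once;
    stage 2 sums across members. Error actions ("ER") are dropped first."""
    stage1 = defaultdict(int)  # (row key, orig_host, TOTAL_COUNT) -> sum(COUNT)
    for ev in events:
        if ev.get("CLIENT") != ip or not in_window(ev, earliest, latest):
            continue
        if ev.get("MITIGATION_ACTION") == "ER":
            continue
        key = (
            ev["DOMAIN_NAME"],
            view_names.get(ev.get("VIEW"), "NULL"),  # isnull(display_name) -> "NULL"
            ev["MITIGATION_ACTION"],
            ev.get("RPZ_SEVERITY", ""),  # missing fields become "" as in the evals
            ev.get("RECORD_DATA", ""),
            ev.get("RPZ_QNAME", ""),
        )
        stage1[(key, ev["orig_host"], ev["TOTAL_COUNT"])] += ev["COUNT"]
    stage2 = defaultdict(lambda: {"TOTAL_COUNT": 0, "QCOUNT": 0})
    for (key, _host, total), qcount in stage1.items():
        stage2[key]["TOTAL_COUNT"] += total
        stage2[key]["QCOUNT"] += qcount
    rows = []
    for (domain, view, action, sev, rdata, qname), agg in stage2.items():
        rows.append({
            "Client ID": ip,
            "FQDN": hostnames.get(ip),
            "Total Client Hits": agg["QCOUNT"],
            "Domain Name": domain,
            "DNS View": view,
            "RPZ Entry": qname,
            "RPZ Severity": RPZ_SEVERITY.get(sev, sev),
            "Total Rule Hits": agg["TOTAL_COUNT"],
            "Mitigation Action": MITIGATION_ACTION.get(action, action),
            "Substitute Addresses": rdata,
        })
    return sorted(rows, key=lambda r: -r["Total Client Hits"])  # | sort -QCOUNT


if __name__ == "__main__":
    # The form's default time picker is @d .. now; here the whole of 2020-01-15 UTC.
    e, l = epoch("2020-01-15 00:00:00"), epoch("2020-01-15 23:59:59")
    for row in adp_hits("10.1.2.3", e, l) + rpz_hits("10.1.2.3", e, l):
        print(row)
```

The point of the two `stats` stages is visible in the sample: two members report the same RPZ hit with different per-member `TOTAL_COUNT` values, and grouping by `orig_host` and `TOTAL_COUNT` first means each member's total is added once rather than once per summary row, while the client's own hits (`COUNT`) are summed across both. The "ER" event is filtered before aggregation, so it never reaches the code-to-label mapping.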

Re: Search all ADP rules and RPZ violations for a source IP, Time bounded

TomNelson

Does this use syslog to generate the data?  I put this in my environment and I do not get any data returned.  I do not have ADP implemented (yet) but do have RPZ.

Re: Search all ADP rules and RPZ violations for a source IP, Time bounded

Anna
No, it uses the RPZ data forwarded to the reporting server.

Check your reporting server index definitions to make sure you are collecting against the index.


Re: Search all ADP rules and RPZ violations for a source IP, Time bounded

TomNelson

Would you be able to elaborate on which particular index should be enabled to see this data?

Re: Search all ADP rules and RPZ violations for a source IP, Time bounded

Anna

The search needs data in

index=ib_security

You need to make sure the security check box is ticked in the Grid Reporting properties and the % associated with it is non-zero.

 

Re: Search all ADP rules and RPZ violations for a source IP, Time bounded

TomNelson

Thanks for the reply.  It is unfortunately already checked.  I must be missing something else, I will attempt to investigate.  Thanks!

Re: Search all ADP rules and RPZ violations for a source IP, Time bounded

TomNelson

I figure I should update this as I figured out my issue.  ADP was not yet enabled on my grid (RPZ feeds were).  Once ADP was enabled this report started working.

 

Excellent Dashboard!
