Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Best Practices

containerblogpic.jpg

Syslog Based RPZ reports

     The canned RPZ reports all use the “Top RPZ hits” summary.   The problem with this data set is if you have a custom white or black list that generates a significant number of RPZ hits, (such as white listing internal domains or SPAM checking servers that have their own built in RPZ like features) the “Top” summary is filled with this noise and you never see the real RPZ hits that you might care about.

 

      This is the top RPZ hits dashboard redone to use the actual syslog messages instead of the top report.   It also will summarize the hits by both query that caused the hit and by the client that sent the query.   As well as compare the hit rate today to the same day last week.



<form>
  <label>DNS Top RPZ Hits V3</label>
  <description>Correct summary over time and using Syslog events.
Added RPZ zone sorting
Added Grouping</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="rpz_zone_str">
      <label>RPZ Zone</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>RPZHit="*</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <choice value="ransomware.rpz.infoblox.local">Ransomware by Name</choice>
      <choice value="base.rpz.infoblox.local">Base by Name</choice>
      <choice value="antimalware.rpz.infoblox.local">Antimalware by Name</choice>
      <choice value="fresh-domain.surbl.rpz.infoblox.local">Fresh Domain Names</choice>
      <choice value="dhs-ais-ip.rpz.infoblox.local">DHS by IP</choice>
      <choice value="antimalware-ip.rpz.infoblox.local">Antimalware by IP</choice>
      <choice value="exploitkit-ip.rpz.infoblox.local">Exploitkit by IP</choice>
      <choice value="bot-ip.rpz.infoblox.local">Bots by IP</choice>
      <choice value="dhs-ais-domain.rpz.infoblox.local">DHS by Name</choice>
      <choice value="tor-exit-node-ip.rpz.infoblox.local">TOR Exit Node by IP</choice>
      <choice value="rpz.infoblox.local">All-Infoblox-Feeds</choice>
      <default>All-Infoblox-Feeds</default>
      <initialValue>All-Infoblox-Feeds</initialValue>
    </input>
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>500</default>
      <initialValue>500</initialValue>
    </input>
    <input type="text" token="domain_name">
      <label>Domain Name</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="domain_name_str">*</set>
        </condition>
        <condition value="*">
          <set token="domain_name_str">Query="$value$"</set>
        </condition>
      </change>
    </input>
    <input type="multiselect" token="members">
      <label>Members</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>goodhost="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="text" token="rpz_entry">
      <label>RPZ Entry</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="rpz_entry_str">*</set>
        </condition>
        <condition value="*">
          <set token="rpz_entry_str">RPZ_QNAME="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Grouped By Query Source</title>
      <table>
        <search>
          <query>index=* sourcetype=ib:syslog CEF: $members$ $rpz_zone_str$ $domain_name_str$
            | eval KeepFields = _time + "::" + Query + "::" + QueryType + "::" + RPZHit
            | fields QuerySource,KeepFields
            | stats Count as QueryCount values(*) as * by QuerySource  
            | mvexpand KeepFields
            | eval KeepFields=split(KeepFields,"::")
            | eval Time=mvindex(KeepFields,0)
            | eval Query=mvindex(KeepFields,1)
            | eval QueryType = mvindex(KeepFields,2)
            | eval RPZHit = mvindex(KeepFields,3)
            | fields - KeepFields
            | stats count as QuerySourceQueryCount values(Time) as Time values(QueryType) as QueryType values(RPZHit) as RPZHit values(QueryCount) as QueryCount by QuerySource,Query
            | convert ctime(Time) as Time
            | lookup dnslookup clientip as QuerySource output clienthost as QuerySourceName
            | eval QuerySourceName=coalesce(QuerySourceName,QuerySource)
            | table QuerySourceName,Query,Time,QueryType,RPZHit,QuerySourceQueryCount,QueryCount
            | sort - QueryCount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown>
          <condition field="Domain Name">
            <set token="rpz_entry_or_domain_field">domain</set>
            <set token="rpz_entry_or_domain_value">$row.Domain Name$</set>
            <unset token="conditional_value"></unset>
          </condition>
          <condition field="RPZ Entry">
            <set token="rpz_entry_or_domain_field">rpz</set>
            <set token="rpz_entry_or_domain_value">$row.RPZ Entry$</set>
            <unset token="conditional_value"></unset>
          </condition>
          <condition field="*">
            <set token="conditional_value">$row.Client ID$</set>
            <unset token="rpz_entry_or_domain_field"></unset>
            <unset token="rpz_entry_or_domain_value"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Grouped By Query Name</title>
      <table>
        <search>
          <query>index=* sourcetype=ib:syslog CEF: $members$ $rpz_zone_str$ $domain_name_str$
            | eval KeepFields = _time + "::" + QuerySource + "::" + QueryType + "::" + RPZHit
            | fields Query,KeepFields
            | stats Count as QueryCount values(*) as * by Query  
            | mvexpand KeepFields
            | eval KeepFields=split(KeepFields,"::")
            | eval Time=mvindex(KeepFields,0)
            | eval QuerySource=mvindex(KeepFields,1)
            | eval QueryType = mvindex(KeepFields,2)
            | eval RPZHit = mvindex(KeepFields,3)
            | fields - KeepFields
            | stats count as QuerySourceQueryCount values(Time) as Time values(QueryType) as QueryType values(RPZHit) as RPZHit values(QueryCount) as QueryCount values(QuerySource) as QuerySource by Query
            | convert ctime(Time) as Time
            | lookup dnslookup clientip as QuerySource output clienthost as QuerySourceName
            | eval QuerySourceName=coalesce(QuerySourceName,QuerySource)
            | table Query,QuerySourceName,QueryType,RPZHit,QuerySourceQueryCount,QueryCount
            | sort - QueryCount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown>
          <condition field="Domain Name">
            <set token="rpz_entry_or_domain_field">domain</set>
            <set token="rpz_entry_or_domain_value">$row.Domain Name$</set>
            <unset token="conditional_value"></unset>
          </condition>
          <condition field="RPZ Entry">
            <set token="rpz_entry_or_domain_field">rpz</set>
            <set token="rpz_entry_or_domain_value">$row.RPZ Entry$</set>
            <unset token="conditional_value"></unset>
          </condition>
          <condition field="*">
            <set token="conditional_value">$row.Client ID$</set>
            <unset token="rpz_entry_or_domain_field"></unset>
            <unset token="rpz_entry_or_domain_value"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Todays Hit Count vs Same Day Last Week</title>
        <search>
          <query>index=* sourcetype=ib:syslog CEF: $members$ $rpz_zone_str$ $domain_name_str$
             | multikv
            | eval ReportKey="Today"
            | append [search index=* sourcetype=ib:syslog CEF: $members$ $rpz_zone_str$ $domain_name_str$ earliest=-192h latest=-144h
            | multikv
            | eval ReportKey="Last Week"
            | eval _time=_time+60*60*24*7]
            | timechart span=30m COUNT by ReportKey</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.data.count">10000</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">90</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleY.text">Hits per Hour</option>
        <option name="charting.chart.overlayFields">"Last Week"</option>
      </chart>
    </panel>
  </row>
 
 

</form>

Showing results for 
Search instead for 
Did you mean: