https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364648#M23802 <P>would add maybe the a panel that shows how changed firewall rule and whether they supposed to have permission to do so.<BR /> also would maybe check changes across time and hosts and see if many changes where apply at the same time or same changes where applied to multiple hosts<BR /> hope it helps</P> Mon, 25 Dec 2017 19:41:00 GMT adonio 2017-12-25T19:41:00Z https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364646#M23800 <P>[UPD] The logs kinda different, so I changed my question.</P> <P>Hi.<BR /> I need some ideas to create Windows Firewall Rules dashboard.<BR /> Right now it's looks:</P> <P><STRONG>Pane 1: List of Firewall Rules</STRONG><BR /> <EM>4945 - A rule was listed when the Windows Firewall started</EM></P> <P><STRONG>Panel 2: Windows Firewall Exception List</STRONG><BR /> <EM>4946 - A change has been made to Windows Firewall exception list. A rule was added<BR /> 4947 - A change has been made to Windows Firewall exception list. A rule was modified<BR /> 4948 - A change has been made to Windows Firewall exception list. A rule was deleted</EM></P> <P><STRONG>Panel 3: Other Changes In Firewall Rules</STRONG><BR /> <EM>4954 - Windows Firewall Group Policy settings has changed. The new settings have been applied<BR /> 4956 - Windows Firewall has changed the active profile</EM></P> <P><STRONG>Panel 4: Local Security Policy</STRONG></P> <PRE><CODE>index=win_firewall sourcetype="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" host=$host$ | stats count by _time host Application_Path Message User | rename count as Count _time as Time host as Host Application_Path as "Application Path" | fieldformat Time=strftime('Time', "%c") | sort -Time </CODE></PRE> <P><EM>2011 - Firewall Service Block Notifications<BR /> 2008 - Firewall Rule Processing<BR /> 2010 - Network profile changed on an interface</EM></P> Fri, 22 Dec 2017 16:30:18 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364646#M23800 test_qweqwe 2017-12-22T16:30:18Z https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364647#M23801 <P>@test_qweqwe, can you add sample data for one of the events? (Assuming all events have similar structure)</P> Fri, 22 Dec 2017 16:59:45 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364647#M23801 niketn 2017-12-22T16:59:45Z https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364648#M23802 <P>would add maybe the a panel that shows how changed firewall rule and whether they supposed to have permission to do so.<BR /> also would maybe check changes across time and hosts and see if many changes where apply at the same time or same changes where applied to multiple hosts<BR /> hope it helps</P> Mon, 25 Dec 2017 19:41:00 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364648#M23802 adonio 2017-12-25T19:41:00Z https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364649#M23803 <P>can you share sample logs ?</P> Tue, 26 Dec 2017 07:33:00 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364649#M23803 abhijeet01 2017-12-26T07:33:00Z https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364650#M23804 <P>Hi Test_qweqwe,</P> <P>May be below links are helpful to you:</P> <H2>- <A href="https://www.petri.com/monitoring-windows-event-logs-for-security-breaches">https://www.petri.com/monitoring-windows-event-logs-for-security-breaches</A></H2> <P><A href="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56016c77e4b08aeb5c47d68b/1442933879868/Windows+Splunk+Logging+Cheat+Sheet+v1.0.pdf">https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56016c77e4b08aeb5c47d68b/1442933879868/Windows+Splunk+Logging+Cheat+Sheet+v1.0.pdf</A></P> Thu, 28 Dec 2017 13:07:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364650#M23804 p_gurav 2017-12-28T13:07:08Z https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364651#M23805 <P>Thanks, it will help me!</P> Thu, 28 Dec 2017 13:12:18 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Which-Events-Code-you-using-to-monitor-Firewall-Activity-on/m-p/364651#M23805 test_qweqwe 2017-12-28T13:12:18Z