How to display palo threat over a month with severity again allowed & blocked actions?

mkshah — Thu, 03 Nov 2022 14:13:40 GMT

Hi ,

how to do i display number of blocked and allowed threats with different severities in a timeframe(e.g monthly).

Something like this output,

Month action critical high medium low

2022-11 allowed 9 22 45 100

blocked 20 400 44345 23423

2022-10 allowed 39 22 4 100

blocked 20 500 4445 23423

I can get to either of below output but not able to get as above,,

----

index=palo-network threat sourcetype="pan:threat" severity!=informational| bucket _time span=1month | eval Date=strftime('_time',"%Y-%m")| stats values(severity) count by _time,action

----

index=palo-network threat sourcetype="pan:threat" severity!=informational | bucket _time span=1month | eval Date=strftime('_time',"%Y-%m") | chart count over action by severity

Thank you.

Re: How to display palo threat over a month with severity again allowed & blocked actions?

yuanliu — Mon, 07 Nov 2022 00:29:31 GMT

You gave an excellent mockup of desired output. What you should have explained is that the rest of columns (critical, high, medium, low) are values of the field named "severity". This finer point may seem obvious to you, but is not always obvious to other people who may be able to help. Pro tip: Always explain your data, generally illustrate sample data in text if possible. (Anonymize as necessary.)

Back to your search. First off, the stats you are really looking for is to combine what you have already tried:

index=palo-network threat sourcetype="pan:threat" severity!=informational | bucket _time span=1month | eval Date=strftime('_time',"%Y-%m") | stats values(severity) count by _time, action, severity

Now, you notice that the output is not in the format you wanted. So, try to massage the output into the desired format - but only after get the stats correct. To do so, you can populate severity levels into a diagonal matrix. (This may not be the most efficient method but is the most visually clear.)

``` your base search above ``` | foreach low medium high critical [eval <<FIELD>> = if(severity == "<<FIELD>>", count, 0)] | stats sum(critical) as critical sum(high) as high sum(medium) as medium sum(low) as low by Date action

Put them together,

index=palo-network threat sourcetype="pan:threat" severity!=informational | bucket _time span=1month | eval Date=strftime('_time',"%Y-%m") | stats count by Date, action, severity | foreach low medium high critical [eval <<FIELD>> = if(severity == "<<FIELD>>", count, 0)] | stats sum(critical) as critical sum(high) as high sum(medium) as medium sum(low) as low by Date action

Hope this helps.

topic How to display palo threat over a month with severity again allowed & blocked actions? in Splunk Search

How to display palo threat over a month with severity again allowed & blocked actions?

Re: How to display palo threat over a month with severity again allowed & blocked actions?