I'm trying to add a custom drilldown panel to the Infosec app for Splunk's Network Activity dashboard.
I want to be able to click on the Blocked or Allowed single value visualization to populate the logs that match that action.
There's already a drilldown in place for the Blocked Connections and Allowed Connections panels:
Set action = (All_Traffic.action=blocked OR All_Traffic.action=dropped)
Set action = All_Traffic.action=allowed
Here are my attempted queries for my stats panel showing the logs that match the action:
| from datamodel:Network_Traffic.All_Traffic $action$
| table action
I'm seeing an error in the panel window:
"Error in 'from' command: Invalid argument: 'All_Traffic.action=allowed'"
OR
`infosec-indexes` tag=network tag=communicate action=allowed
| stats count by action, vendor_product, message
| fields - count
I'd believe that being able to just pass the action value that's after the equal sign in this would get me the result I'm looking for:
"All_Traffic.action=allowed"
Any ideas?
Hi @johnward4, the dashboard may already have the drilldown you are looking for - click on allowed or blocked on the timechart below the single numbers to get to the raw events.
If you are after a different drilldown with querying the data model or using tags, you are on the right track. For the data model query, you can do something like this:
Querying the data model:
| from datamodel:Network_Traffic.All_Traffic
| where action="allowed"
| table _time, src, dest, vendor_product
Querying the accelerated data model:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src, All_Traffic.dest, All_Traffic.rule
Querying using tags:
`infosec-indexes` tag=network tag=communicate action=allowed
| stats count by action, vendor_product, rule
The queries that don't return results either have incorrect syntax or fields that do not exist. And, yes, you can pass the $action$ token value when creating a drilldown.
@igifrin_splunk correct, the built-in dashboard panels do have existing drilldowns, but the value they pass gives me more than what I'm looking for. I'm only interested in the action value. Here's a portion of the XML for the Network Activity dashboard to show the configuration of their drilldown:
<form hideFilters="true" theme="dark">
<label>Network Traffic</label>
<init>
<set token="action">*</set>
</init>
<fieldset submitButton="false">
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Blocked Connections</title>
<single>
<search>
<query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action=blocked OR All_Traffic.action=dropped)</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xf8be34","0xf8be34"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<set token="action">(All_Traffic.action=blocked OR All_Traffic.action=dropped)</set>
</drilldown>
</single>
</panel>
<panel>
<title>Allowed Connections</title>
<single>
<search>
<query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xdc4e41","0x53a051"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<set token="action">All_Traffic.action=allowed</set>
</drilldown>
</single>
</panel>
<panel>
<title>Traffic Sources</title>
<single>
<search>
<query>| tstats local=false summariesonly=true allow_old_summaries=true dc(All_Traffic.src) from datamodel=Network_Traffic.All_Traffic</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xdc4e41","0x006d9c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Traffic Destinations</title>
<single>
<search>
<query>| tstats local=false summariesonly=true allow_old_summaries=true dc(All_Traffic.dest) from datamodel=Network_Traffic.All_Traffic</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xdc4e41","0x006d9c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
Ah, let's try it again - are you trying to list allowed/blocked events when you click on the single value panels? If that's the case, something like this may do the job:
| from datamodel:Network_Traffic.All_Traffic
| eval selected_action=case("$action$" == "All_Traffic.action=allowed", "allowed", "$action$" == "*", "%", "$action$" == "(All_Traffic.action=blocked OR All_Traffic.action=dropped)", "blocked")
| where like(action,selected_action)
If that's not it, please let me know what you would like to see when you click on one of those single value panels.
Here is a sample dashboard:
<form hideFilters="true" theme="dark">
<label>Network Traffic Clone</label>
<init>
<set token="action">*</set>
</init>
<fieldset submitButton="false">
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Blocked Connections</title>
<single>
<search>
<query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action=blocked OR All_Traffic.action=dropped)</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xf8be34","0xf8be34"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<set token="action">(All_Traffic.action=blocked OR All_Traffic.action=dropped)</set>
</drilldown>
</single>
</panel>
<panel>
<title>Allowed Connections</title>
<single>
<search>
<query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xdc4e41","0x53a051"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<set token="action">All_Traffic.action=allowed</set>
</drilldown>
</single>
</panel>
</row>
<row>
<panel>
<title>Events</title>
<event>
<search>
<query>| from datamodel:Network_Traffic.All_Traffic
| eval selected_action=case("$action$" == "All_Traffic.action=allowed", "allowed", "$action$" == "*", "%", "$action$" == "(All_Traffic.action=blocked OR All_Traffic.action=dropped)", "blocked")
| where like(action,selected_action)</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="list.drilldown">none</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
That worked! Thank you, @igifrin_splunk