Infosec: Help with drilldowns from app panel that uses a datamodel

johnward4
Communicator

I'm trying to add a custom drilldown panel to the Infosec app for Splunk's Network Activity dashboard.
I want to be able to click on the Blocked or Allowed single value visualization to populate the logs that match that action.

There's already a drilldown in place for the Blocked Connections and Allowed Connections panels:

Set action = (All_Traffic.action=blocked OR All_Traffic.action=dropped)
Set action = All_Traffic.action=allowed

Here are my attempted queries for my stats panel showing the logs that match the action:

| from datamodel:Network_Traffic.All_Traffic $action$
| table action

I'm seeing an error in the panel window:
"Error in 'from' command: Invalid argument: 'All_Traffic.action=allowed'"

OR

`infosec-indexes` tag=network tag=communicate action=allowed
| stats count by action, vendor_product, message
| fields - count

I'd believe that being able to just pass the action value that's after the equal sign in this would get me the result I'm looking for

"All_Traffic.action=allowed" 

Any ideas?

1 Solution

igifrin_splunk
Splunk Employee

Hi @johnward4, the dashboard may already have the drilldown you are looking for - click on allowed or blocked on the timechart below the single numbers to get to the raw events.

If you are after a different drilldown with querying the data model or using tags, you are on the right track. For the data model query, you can do something like this:

Querying the data model:

| from datamodel:Network_Traffic.All_Traffic 
| where action="allowed"
| table _time, src, dest, vendor_product

Querying the accelerated data model:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src, All_Traffic.dest, All_Traffic.rule

Querying using tags:

`infosec-indexes` tag=network tag=communicate action=allowed
| stats count by action, vendor_product, rule

The queries that don't return results either have incorrect syntax or fields that do not exist. And, yes, you can pass $action$ token value when creating a drilldown.

johnward4
Communicator

@igifrin_splunk correct, the built-in dashboard panels do have existing drilldowns but the value they pass gives me more than what I'm looking for. I'm only interested in the action value. Here's a portion of the XML for the Network Activity dashboard to show the configuration of their drilldown:

<form hideFilters="true" theme="dark">
  <label>Network Traffic</label>
  <init>
    <set token="action">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Blocked Connections</title>
      <single>
        <search>
          <query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action=blocked OR All_Traffic.action=dropped)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xf8be34","0xf8be34"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="action">(All_Traffic.action=blocked OR All_Traffic.action=dropped)</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>Allowed Connections</title>
      <single>
        <search>
          <query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="action">All_Traffic.action=allowed</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>Traffic Sources</title>
      <single>
        <search>
          <query>| tstats local=false summariesonly=true allow_old_summaries=true dc(All_Traffic.src) from datamodel=Network_Traffic.All_Traffic</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0x006d9c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Traffic Destinations</title>
      <single>
        <search>
          <query>| tstats local=false summariesonly=true allow_old_summaries=true dc(All_Traffic.dest) from datamodel=Network_Traffic.All_Traffic</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0x006d9c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>

igifrin_splunk
Splunk Employee

Ah, let's try it again - are you trying to list allowed/blocked events when you click on the single value panels? If that's the case, something like this may do the job:

| from datamodel:Network_Traffic.All_Traffic 
| eval selected_action=case("$action$" == "All_Traffic.action=allowed", "allowed", "$action$" == "*", "%", "$action$" =="(All_Traffic.action=blocked OR All_Traffic.action=dropped)", "blocked") 
| where like(action,selected_action)

If that's not it, please let me know what you would like to see when you click on one of those single value panels.

Here is a sample dashboard:

<form hideFilters="true" theme="dark">
  <label>Network Traffic Clone</label>
  <init>
    <set token="action">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Blocked Connections</title>
      <single>
        <search>
          <query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action=blocked OR All_Traffic.action=dropped)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xf8be34","0xf8be34"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="action">(All_Traffic.action=blocked OR All_Traffic.action=dropped)</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>Allowed Connections</title>
      <single>
        <search>
          <query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="action">All_Traffic.action=allowed</set>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events</title>
      <event>
        <search>
          <query>| from datamodel:Network_Traffic.All_Traffic 
| eval selected_action=case("$action$" == "All_Traffic.action=allowed", "allowed", "$action$" == "*", "%", "$action$" =="(All_Traffic.action=blocked OR All_Traffic.action=dropped)", "blocked") 
| where like(action,selected_action)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

johnward4
Communicator

That worked! Thank you, @igifrin_splunk
