Here is the search that shows client IPs connecting to malicious destination IPs mentioned in the Wildfire report. This is one of the searches under the wildfire dashboard in the Palo Alto Networks App for Splunk.
| `pan_tstats` count(traffic) FROM `node(log.traffic)` groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app | rename log.traffic.dest_ip_port AS ip_port | join type=inner ip_port [ | `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port | rename wildfire_report.tcp_ip_port AS ip_port ] | dedup 1 log.src_ip log.user ip_port log.app | eval "Traffic Link" = "View Traffic Logs" | eval "WildFire Link" = "View WildFire Report" | table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link" | rex mode=sed field=ip_port "s/,/:/" | rename log.src_ip AS Source | rename log.dest_ip AS "Dest IP" | rename log.dest_port AS "Dest Port" | rename log.user AS User | rename log.app AS Application | rename wildfire_report.wildfire.id AS "WildFire Report ID" | sort -_time
I am getting the data I want, but I want to get rid of IPs such as 204.79.197.200, 104.16.24.216 which are Microsoft or Akamai etc. The field name is tcp_ip in pan_wildfire_report. I added constraints such as sourcetype="pan:wildfire_report" NOT 104.16.24.216 NOT 204.79.197.200, but that doesn't seem to work.
If IPs are in a field and not in _raw, you will need to specify a field value.
e.g. | search log.dest_ip!=204.79.197.200 log.dest_ip!=104.16.24.216
| `pan_tstats` count(traffic) FROM `node(log.traffic)` groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app
| rename log.traffic.dest_ip_port AS ip_port
| join type=inner ip_port [
| `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port
| rename wildfire_report.tcp_ip_port AS ip_port ]
| dedup 1 log.src_ip log.user ip_port log.app
| eval "Traffic Link" = "View Traffic Logs"
| eval "WildFire Link" = "View WildFire Report"
| table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link"
| rex mode=sed field=ip_port "s/,/:/"
| search log.dest_ip!=204.79.197.200 log.dest_ip!=104.16.24.216
| rename log.src_ip AS Source
| rename log.dest_ip AS "Dest IP"
| rename log.dest_port AS "Dest Port"
| rename log.user AS User
| rename log.app AS Application
| rename wildfire_report.wildfire.id AS "WildFire Report ID"
| sort -_time
You may need to add quotes around IP addresses, and I'm not sure I got the right field name, but this should get you what you need.
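A way to keep the exclusion list out of the search itself, added here as an example and not part of the original answer: drive the filter from a CSV lookup so benign destinations can be maintained without editing the dashboard search. It assumes a hypothetical lookup file benign_dest_ips.csv with columns dest_ip and owner (constructed sample rows: 204.79.197.200,Microsoft and 104.16.24.216,CDN) and the same pan_tstats macros and field names as the search above.

```spl
| `pan_tstats` count(traffic) FROM `node(log.traffic)` groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app
| rename log.traffic.dest_ip_port AS ip_port
| join type=inner ip_port [
    | `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port
    | rename wildfire_report.tcp_ip_port AS ip_port ]
| lookup benign_dest_ips.csv dest_ip AS log.dest_ip OUTPUT owner AS dest_owner
| where isnull(dest_owner)
| dedup 1 log.src_ip log.user ip_port log.app
| table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id
| sort -_time
```

Rows whose destination matches the lookup receive a dest_owner value and are dropped by the where clause; everything else passes through unchanged, so the link evals and renames from the dashboard search can follow as before.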
Yes this worked perfectly