
Palo Alto Networks App for Splunk: How to remove certain destination IP addresses from the malware traffic search in the Wildfire dashboard?

dmenon84
Path Finder

Here is the search that shows client IPs connecting to malicious destination IPs mentioned in the Wildfire report. This is one of the searches under the Wildfire dashboard in the Palo Alto Networks App for Splunk.

| `pan_tstats` count(traffic) FROM `node(log.traffic)` groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app
| rename log.traffic.dest_ip_port AS ip_port
| join type=inner ip_port [
| `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port
| rename wildfire_report.tcp_ip_port AS ip_port ]
| dedup 1 log.src_ip log.user ip_port log.app
| eval "Traffic Link" = "View Traffic Logs"
| eval "WildFire Link" = "View WildFire Report"
| table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link"
| rex mode=sed field=ip_port "s/,/:/"
| rename log.src_ip AS Source
| rename log.dest_ip AS "Dest IP"
| rename log.dest_port AS "Dest Port"
| rename log.user AS User
| rename log.app AS Application
| rename wildfire_report.wildfire.id AS "WildFire Report ID"
| sort -_time

I am getting the data I want, but I want to get rid of IPs such as 204.79.197.200, 104.16.24.216 which are Microsoft or Akamai etc. The field name is tcp_ip in pan_wildfire_report. I added constraints such as sourcetype="pan:wildfire_report" NOT 104.16.24.216 NOT 204.79.197.200, but that doesn't seem to work.


snoobzilla
Builder

If IPs are in a field and not in _raw you will need to specify a field value.

e.g. | search log.dest_ip!=204.79.197.200 log.dest_ip!=104.16.24.216

| `pan_tstats` count(traffic) FROM `node(log.traffic)` groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app
| rename log.traffic.dest_ip_port AS ip_port
| join type=inner ip_port [
| `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port
| rename wildfire_report.tcp_ip_port AS ip_port ]
| dedup 1 log.src_ip log.user ip_port log.app
| eval "Traffic Link" = "View Traffic Logs"
| eval "WildFire Link" = "View WildFire Report"
| table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link"
| rex mode=sed field=ip_port "s/,/:/"
| search log.dest_ip!=204.79.197.200 log.dest_ip!=104.16.24.216
| rename log.src_ip AS Source
| rename log.dest_ip AS "Dest IP"
| rename log.dest_port AS "Dest Port"
| rename log.user AS User
| rename log.app AS Application
| rename wildfire_report.wildfire.id AS "WildFire Report ID"
| sort -_time

You may need to add quotes around the IP addresses, and I'm not sure I got the right field name, but this should get you what you need.
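
As an added example (not part of the original thread, and not code shipped with the Palo Alto Networks App), here is the same search with the exclusion list moved out of the `search` clause and into a CSV lookup, so the dashboard XML does not have to be edited every time a benign CDN or Microsoft address turns up. It assumes a lookup definition named `benign_dest_ips` (hypothetical name) backed by a CSV with two columns, `dest_ip` and `owner`, for example `204.79.197.200,Microsoft` and `104.16.24.216,Cloudflare`; those are constructed rows, and the field names `log.dest_ip` and `ip_port` are taken from the search above. The filter is placed right after the traffic `tstats` and before the `join` and `dedup`, so excluded destinations never reach the subsearch match or the 1-per-group dedup:

```spl
| `pan_tstats` count(traffic) FROM `node(log.traffic)` groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app
| rename log.traffic.dest_ip_port AS ip_port
| lookup benign_dest_ips dest_ip AS log.dest_ip OUTPUT owner AS benign_owner
| where isnull(benign_owner)
| fields - benign_owner
| join type=inner ip_port [
    | `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port
    | rename wildfire_report.tcp_ip_port AS ip_port ]
| dedup 1 log.src_ip log.user ip_port log.app
| eval "Traffic Link" = "View Traffic Logs"
| eval "WildFire Link" = "View WildFire Report"
| table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link"
| rename log.src_ip AS Source, log.dest_ip AS "Dest IP", log.dest_port AS "Dest Port", log.user AS User, log.app AS Application, wildfire_report.wildfire.id AS "WildFire Report ID"
| sort -_time
```

Before wiring it into the dashboard, confirm the lookup is visible from the app context with `| inputlookup benign_dest_ips` and that `dest_ip` values are plain dotted quads with no trailing whitespace, since `lookup` matches exact strings. The reason the original `NOT 104.16.24.216` attempt did nothing is the same reason snoobzilla gives: `pan_tstats` runs against accelerated data-model fields, not `_raw`, so a bare term has nothing to match against and the exclusion must name a field. Keep the list short and reviewable: the WildFire report flagged those addresses because a sample actually talked to them, and shared CDN or Microsoft ranges also front attacker-controlled content, so an `owner` column and a periodic review of the CSV are preferable to silently widening the exclusion.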


dmenon84
Path Finder

Yes this worked perfectly
