
Which Event Codes are you using to monitor Firewall Activity on Windows?

test_qweqwe
Builder

[UPD] The logs are kinda different, so I changed my question.

Hi.
I need some ideas to create Windows Firewall Rules dashboard.
Right now it looks like this:

Panel 1: List of Firewall Rules
4945 - A rule was listed when the Windows Firewall started

Panel 2: Windows Firewall Exception List
4946 - A change has been made to Windows Firewall exception list. A rule was added
4947 - A change has been made to Windows Firewall exception list. A rule was modified
4948 - A change has been made to Windows Firewall exception list. A rule was deleted

Panel 3: Other Changes In Firewall Rules
4954 - Windows Firewall Group Policy settings have changed. The new settings have been applied
4956 - Windows Firewall has changed the active profile

Panel 4: Local Security Policy

index=win_firewall sourcetype="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" host=$host$ 
| stats count by _time host Application_Path Message User 
| rename count as Count _time as Time host as Host Application_Path as "Application Path" 
| fieldformat Time=strftime('Time', "%c") 
| sort -Time

2011 - Firewall Service Block Notifications
2008 - Firewall Rule Processing
2010 - Network profile changed on an interface


test_qweqwe
Builder

Thanks, it will help me!


niketn
Legend

@test_qweqwe, can you add sample data for one of the events? (Assuming all events have similar structure)


adonio
Ultra Champion

I would maybe add a panel that shows who changed the firewall rule and whether they were supposed to have permission to do so.
I would also maybe check changes across time and hosts and see if many changes were applied at the same time or the same changes were applied to multiple hosts.
hope it helps

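The check suggested above (the same rule change landing on several hosts in one time window, and who made it), as an added example that is not part of the thread: a Python stand-in for the Splunk search, run over constructed events whose field names (host, User, EventCode, _time) follow the question's query; Rule_Name is an assumed field.

```python
"""Correlate Windows Firewall exception-list changes (event IDs 4946/4947/4948)
across hosts: the same rule change on several hosts in one window is worth a
panel of its own. Sample events below are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the question mapped to the change they describe.
EXCEPTION_LIST_EVENTS = {4946: "added", 4947: "modified", 4948: "deleted"}

# Constructed sample events: one rule added to three hosts within a minute by
# the same user, one unrelated deletion, and a 4945 startup listing (ignored).
SAMPLE_EVENTS = [
    {"_time": "2024-01-15 09:00:05", "host": "WS01", "EventCode": 4946,
     "User": "CORP\\jdoe", "Rule_Name": "Allow Remote Admin"},
    {"_time": "2024-01-15 09:00:40", "host": "WS02", "EventCode": 4946,
     "User": "CORP\\jdoe", "Rule_Name": "Allow Remote Admin"},
    {"_time": "2024-01-15 09:00:58", "host": "WS03", "EventCode": 4946,
     "User": "CORP\\jdoe", "Rule_Name": "Allow Remote Admin"},
    {"_time": "2024-01-15 11:30:00", "host": "WS01", "EventCode": 4948,
     "User": "CORP\\admin", "Rule_Name": "Old Printer Rule"},
    {"_time": "2024-01-15 09:00:30", "host": "WS01", "EventCode": 4945,
     "User": "N/A", "Rule_Name": "Core Networking"},
]

def bucket(ts, window):
    """Floor a timestamp to the start of its window (like Splunk's `bin _time`)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t - ((t - datetime.min) % window)

def correlate_rule_changes(events, window=timedelta(minutes=5), min_hosts=2):
    """One finding per (window, change, rule, user) seen on >= min_hosts hosts."""
    groups = defaultdict(set)
    for e in events:
        change = EXCEPTION_LIST_EVENTS.get(e["EventCode"])
        if change is None:  # 4945 and other non-change events are skipped
            continue
        key = (bucket(e["_time"], window), change, e["Rule_Name"], e["User"])
        groups[key].add(e["host"])
    return [
        {"window_start": k[0].strftime("%Y-%m-%d %H:%M:%S"), "change": k[1],
         "rule": k[2], "user": k[3], "hosts": sorted(hosts)}
        for k, hosts in sorted(groups.items()) if len(hosts) >= min_hosts
    ]

if __name__ == "__main__":
    for finding in correlate_rule_changes(SAMPLE_EVENTS):
        print(finding)
```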

abhijeet01
Path Finder

Can you share sample logs?
