Splunk Enterprise Security

How to search when firewall disabled on servers

syed_star357
New Member

Dear Team,

How do we search for when the firewall was disabled on servers? The search below is able to show the firewall status and the server's last logon. We want to know when the firewall option was disabled.

| dbquery "" "SELECT * FROM tb_EntityInfo"
| rename EI_OS_MachineName as Host
| fillnull value="-"
| search PFWSetting!=1
| rename EI_OS_MachineName as Host EI_IPAddressList as IPAddress EI_UserDomain as Domain EI_UserAccount as LoggedInUser EI_LastLogonTime as LastLogonTime LastScheduleScanUTC as LastScheduleScan EI_DomainName as Group EI_MACAddressList as MAC
| search Host!=""
| search EI_State=* Host=*
| eval AVEngine_Version=EI_ProductVersion+" "+EI_ProductBuildNumber
| eval Operating_System=EI_OS_Name+" "+EI_OS_Version+" "+EI_OS_SPVersion
| eval LastLogonTime=strftime(LastLogonTime,"%c")
| eval LastScheduleScan=strftime(LastScheduleScan,"%c")
| eval Firewall=if(PFWSetting="1","Enabled","Disabled")
| eval State=if(EI_State="100","Online",if(EI_State="101","Offline","Roaming"))
| fields - ID EI_*
| table Host IPAddress MAC Operating_System Firewall State LastLogonTime

1 Solution

inventsekar
SplunkTrust
SplunkTrust

This one finds out the firewall status as Enabled or Disabled:
| eval Firewall=if(PFWSetting="1","Enabled","Disabled")

And you are printing a table output which includes "Firewall", which was calculated above, as well:
| table Host IPAddress MAC Operating_System Firewall State LastLogonTime

So the disabled firewall status is already printed by this query.
Please update us with more details.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !


syed_star357
New Member

Dear inventsekar,

We want to know when the firewall status was disabled on the servers. What is the search to get the date and time at which the firewall status became disabled?

Regards,
Syed


inventsekar
SplunkTrust
SplunkTrust

Hi Syed,
The query has two timestamps:
LastLogonTime
and
LastScheduleScan

So the disabled time is not picked up by the query, I guess.

Maybe you need to check the output of this and see if there is any field for the disabled time, and include that in the later part of the query.
| dbquery "" "SELECT * FROM tb_EntityInfo"
| rename EI_OS_MachineName as Host
| fillnull value="-"
| search PFWSetting!=1

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
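If tb_EntityInfo really carries no change timestamp, the disabled time can still be recovered from Splunk's side by snapshotting the table on a schedule and looking for the first snapshot in which a host flips from Enabled to Disabled. The two searches below are an added example, not part of the thread or of Splunk DB Connect; the DB connection name, the summary index `firewall_status` and the sourcetype `fw_snapshot` are placeholders, and the ``` ``` ``` comment syntax needs Splunk 8.0 or later.

```spl
| dbquery "<db_connection>" "SELECT * FROM tb_EntityInfo"   ``` search 1: save as a scheduled report (e.g. every 15 min); connection name is a placeholder ```
| rename EI_OS_MachineName as Host
| fillnull value="-"
| eval Firewall=if(PFWSetting="1","Enabled","Disabled")
| eval _time=now()   ``` stamp every row with the time this snapshot was taken ```
| table _time Host Firewall
| collect index=firewall_status sourcetype=fw_snapshot   ``` write the snapshot to a summary index (name/sourcetype are assumptions) ```

index=firewall_status sourcetype=fw_snapshot earliest=-30d   ``` search 2: run ad hoc or as an alert over the collected snapshots ```
| sort 0 _time
| streamstats current=f last(Firewall) as PrevFirewall last(_time) as PrevTime by Host   ``` state and time of the previous snapshot for the same host ```
| where PrevFirewall="Enabled" AND Firewall="Disabled"   ``` keep only the Enabled -> Disabled transition ```
| eval DisabledBetween=strftime(PrevTime,"%c")." and ".strftime(_time,"%c")
| table Host DisabledBetween
```

The result is a window rather than an exact instant: the firewall was disabled somewhere between the last snapshot that still showed Enabled and the first that showed Disabled, so the schedule interval of search 1 sets the resolution.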