Splunk Enterprise Security

How would I write a query that defines failure or success against firewall by geoIP?

brian1_tate
Path Finder

I realize this is a silly question but it just so happens we have so many firewalls in existence that traffic that is legitimate has been blocked and traffic that is not has been occasionally allowed through. I know the source index to pull the data from but I would think it would involve an iplookup on each entry (maybe using dedup to remove the consistent duplicates that I would think would exist) and somehow use geostats to map the iplookup on a visual map. How would one go about something this grand for 500,000 firewalls or more, and can anyone suggest a lookup table I could use for geostats?

If you do, you certainly deserve a massive cookie and candy bar I'll even comment your name in the file if I can. Any or all thoughts are welcome because this one boggles my mind. I would also think I would need to accelerate this search for it to be useful but I'll leave the comments to more experienced Splunk ninjas.

Thx all


jstoner_splunk
Splunk Employee

The search below is native to Splunk, and I used the eventgen sample data so the field names may be a bit different but this might help you get started. Basically once I have the search criteria I am interested in, I call iplocation against the IP of the network device. If I stop there I will get a tabular output with city and country output for those devices. I can then take the geostats command and map the lat long from the iplocation results to the latField and longField and then do a count or count by Action or count by ComputerIPAddress to get the various bubbles to size out based on volume of events.

sourcetype=sophos:firewall ComputerIPAddress!="" |iplocation ComputerIPAddress |geostats latField=lat longField=lon count by Action

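The answer above maps raw events by their action value. The original question also asks how to separate "failure" (blocked) from "success" (allowed) and how to spot traffic that was allowed when it should not have been. The search below is an added example, not part of the answer above and not the author's code; it assumes an index called firewall, a sourcetype fw:traffic, and CIM-style field names action and src_ip, all of which are placeholders for whatever your own firewall data uses.

```spl
index=firewall sourcetype=fw:traffic action=* src_ip=*
| eval outcome=case(
    match(action, "(?i)^(allow|accept|permit)"), "success",
    match(action, "(?i)^(block|deny|drop|reject)"), "failure",
    true(), "other")
| iplocation src_ip
| where isnotnull(lat) AND isnotnull(lon)
| geostats latfield=lat longfield=lon count by outcome

index=firewall sourcetype=fw:traffic action=* src_ip=*
| eval outcome=if(match(action, "(?i)^(allow|accept|permit)"), "success", "failure")
| iplocation src_ip
| where isnotnull(Country)
| stats count by Country, outcome
| eventstats sum(count) as total by Country
| eval pct_allowed=round(100*count/total, 1)
| where outcome="success"
| sort - count
```

The first search normalises the vendor-specific action strings into a two-valued outcome field before calling iplocation, so the map bubbles split cleanly into allowed versus blocked rather than into every distinct action value a vendor emits. The where clause drops events whose source is a private (RFC 1918) or otherwise unmapped address, because iplocation leaves lat and lon empty for those and they would only clutter the result. The second search replaces geostats with a per-country table of how much traffic from each country was allowed, which is the tabular view to review when you suspect that traffic which should have been blocked got through. iplocation uses the GeoLite2 database that ships with Splunk, so no separate lookup table is needed for either search; for 500,000 firewalls, run the per-country stats search on a schedule into a summary index and point the map at the summary rather than at raw events.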

mhpark
Path Finder

GeoLite2 would give you a chance with automatic field lookups for Splunk.

http://dev.maxmind.com/geoip/geoip2/geolite2/
