Splunk Enterprise Security

How would I write a query that defines failure or success against firewall by geoIP?

brian1_tate
Path Finder

I realize this is a silly question, but it just so happens we have so many firewalls in existence that traffic that is legitimate has been blocked and traffic that is not has occasionally been allowed through. I know the source index to pull the data from, but I would think it would involve an iplookup on each entry (maybe using dedup to remove the consistent duplicates that I would think would exist) and somehow use geostats to map the iplookup on a visual map. How would one go about something this grand for 500,000 firewalls or more, and can anyone suggest a lookup table I could use for geostats?

If you do, you certainly deserve a massive cookie and candy bar I'll even comment your name in the file if I can. Any or all thoughts are welcome because this one boggles my mind. I would also think I would need to accelerate this search for it to be useful but I'll leave the comments to more experienced Splunk ninjas.

Thx all

0 Karma

jstoner_splunk
Splunk Employee

The search below is native to Splunk, and I used the eventgen sample data so the field names may be a bit different but this might help you get started. Basically once I have the search criteria I am interested in, I call iplocation against the IP of the network device. If I stop there I will get a tabular output with city and country output for those devices. I can then take the geostats command and map the lat long from the iplocation results to the latField and longField and then do a count or count by Action or count by ComputerIPAddress to get the various bubbles to size out based on volume of events.

sourcetype=sophos:firewall ComputerIPAddress!="" |iplocation ComputerIPAddress |geostats latField=lat longField=lon count by Action

0 Karma
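As an added example (not the answerer's search), the same iplocation-then-geostats pattern with the counting done per source IP and action before the lookup, so iplocation runs once per unique address rather than once per event; the index and sourcetype, the src_ip field and the action values "allowed" and "blocked" are assumed names to be swapped for the firewall's own fields.

```spl
index=firewall sourcetype=sophos:firewall src_ip=* action IN ("allowed", "blocked")
| stats count AS events BY src_ip action
| iplocation src_ip
| where isnotnull(lat) AND isnotnull(lon)
| eval blocked=if(action=="blocked", events, 0)
| eval allowed=if(action=="allowed", events, 0)
| geostats latfield=lat longfield=lon sum(blocked) AS blocked sum(allowed) AS allowed
```

Each map bubble then carries an allowed and a blocked count for its region, so a location with a large blocked count but no allowed traffic (or the reverse) stands out for review; events whose IP has no geolocation are dropped by the where clause and should be counted separately if they matter.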

mhpark
Path Finder

GeoLite2 would give you a chance with automatic field lookups for Splunk.

http://dev.maxmind.com/geoip/geoip2/geolite2/

0 Karma