Splunk Search

Help on query to filter incoming traffic to a firewall

Berfomet96
Engager

Hello.

Recently I've joined a new company that is using Splunk as their SIEM and this past month I've been trying to learn a bit about the tool since I'm completely new to it. I was assigned as an exercise to work out a query to basically do these 2 things:

  • identify potential policies with all ports enabled
  • identify which of these policies are receiving petitions from public IP addresses

So far I've come up with this query:

index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked 
| eventstats dc(dest_port) as ports by policyid 
| stats count by policyid ports 
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public") 
| where source_ip="public"

Basically, the main problem I'm having, and can't seem to find a reasonable solution for, is that I've already managed to find out how to filter private IP addresses from the results, but I feel like my eventstats sentence is not working properly, mainly because I'm counting all the distinct destination ports but not by the policyid.

I'd be really grateful if you guys could give me a hint or some advice about how I can approach this case.

Thanks in advance


PickleRick
Ultra Champion

The beginning is quite good but as @ITWhisperer already pointed out, when you aggregate with stats you lose the original event data. So

1) dc the ports with eventstats by policy - this part you have.

2) filter to only include the policies with many ports (using where condition on the dc(ports) field) - it will limit the number of events at next steps

3) verify which policies receive traffic from non-local networks - again, this part you mostly have

4) list the policies with stats values(policyid) and you're home.

One additional hint - completely unrelated to all those stats and whatnot - if you're using accelerated datamodels, querying them instead of searching throughout raw data should be much faster. But that's a completely different story.
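The four steps above, written out as one complete SPL search. This is an added example, not part of the original post or of the accepted answer: the base search, the `src`, `dest_port` and `policyid` field names and the `ports` alias are taken from the question's own query, while the threshold of more than 1000 distinct destination ports used to flag an "all ports" policy is an assumed placeholder to tune for your environment.

```spl
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
| eventstats dc(dest_port) AS ports BY policyid
| where ports > 1000
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src), "private", "public")
| where source_ip="public"
| stats count AS public_hits dc(src) AS public_sources max(ports) AS distinct_ports BY policyid
| sort - distinct_ports
```

The ordering is the whole point: `eventstats` appends the per-policy distinct-port count to every event while keeping `src`, so the `where ports > 1000` filter and the private/public `eval` still have raw fields to work on. Only the last `stats` collapses the events, and by then everything needed has been computed, so each resulting row is one policy that both allows a wide port range and has been hit from public addresses, with how many such hits and how many distinct public sources it saw. Replace `host="<external firewall ip>"` with the real host before running, and lower or raise the `1000` threshold once you know how many distinct ports a deliberately open policy actually shows in your traffic.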


ITWhisperer
SplunkTrust
| stats count by policyid ports

This will leave you with events that only have three fields, count, policyid and ports. This means that src is not available for the if function. Perhaps move the eval and where commands before the stats command?


Berfomet96
Engager

Thanks for the reply. I tried that, but if I put the stats command at the end, then the column "source_ip" from the eval command won't show up in my statistics tab.
