Splunk Search

Help on query to filter incoming traffic to a firewall

Berfomet96
Explorer

Hello.

Recently I've joined a new company that is using Splunk as their SIEM, and this past month I've been trying to learn a bit about the tool since I'm completely new to it. I was assigned, as an exercise, to work out a query to basically do these 2 things:

  • identify potential policies with all ports enabled
  • identify which of these policies are receiving requests from public IP addresses

So far I've come up with this query:

index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked 
| eventstats dc(dest_port) as ports by policyid 
| stats count by policyid ports 
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public") 
| where source_ip="public"

Basically, the main problem I'm having, and can't seem to find a reasonable solution to, is this: I've already managed to find out how to filter private IP addresses from the results, but I feel like my eventstats sentence is not working properly, mainly because I'm counting all the distinct destination ports but not by the policyid.

I'd be really grateful if you guys could give me a hint or some advice about how I can approach this case.

Thanks in advance

1 Solution

PickleRick
SplunkTrust

The beginning is quite good but, as @ITWhisperer already pointed out, when you aggregate with stats you lose the original event data. So:

1) dc the ports with eventstats by policy - this part you have.

2) filter to only include the policies with many ports (using a where condition on the dc(ports) field) - it will limit the number of events at the next steps.

3) verify which policies receive traffic from non-local networks - again, this part you mostly have.

4) list the policies with stats values(policyid) and you're home.

One additional hint - completely unrelated to all those stats and whatnot - if you're using accelerated datamodels, querying them instead of searching through raw data should be much faster. But that's a completely different story.

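The four steps above assembled into one search, as an added example that is not part of the original thread (the threshold of 100 distinct ports and the field names beyond those in the question are assumptions; adjust them to your data):

```spl
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
| eventstats dc(dest_port) AS ports BY policyid
| where ports > 100
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("172.16.0.0/12", src) OR cidrmatch("192.168.0.0/16", src), "private", "public")
| where source_ip="public"
| stats dc(dest_port) AS ports, dc(src) AS public_sources, count AS hits BY policyid
```

Because eventstats keeps the raw events, src is still present for the eval and where steps; only the final stats collapses the result to one row per policy that is both wide open and reached from public addresses.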


ITWhisperer
SplunkTrust

| stats count by policyid ports

This will leave you with events that only have three fields, count, policyid and ports. This means that src is not available for the if function. Perhaps move the eval and where commands before the stats command?


Berfomet96
Explorer

Thanks for the reply. I tried that, but if I put the stats command at the end, then the column "source_ip" from the eval command won't show up in my statistics tab.
