Hello.
Recently I've joined a new company that is using Splunk as their SIEM, and this past month I've been trying to learn a bit about the tool since I'm completely new to it. I was assigned as an exercise to work out a query to basically do these 2 things:
So far I've come up with this query:
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
| eventstats dc(dest_port) as ports by policyid
| stats count by policyid ports
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public")
| where source_ip="public"
Basically, the main problem I'm having, and can't seem to find a reasonable solution to, is this: I've already managed to find out how to filter private IP addresses from the results, but I feel like my eventstats line is not working properly, mainly because I'm counting all the distinct destination ports but not by the policyid.
I'd be really grateful if you guys could give me a hint or some advice about how I can approach this case.
Thanks in advance
The beginning is quite good but as @ITWhisperer already pointed out, when you aggregate with stats you lose the original event data. So
1) dc the ports with eventstats by policy - this part you have.
2) filter to only include the policies with many ports (using where condition on the dc(ports) field) - it will limit the number of events at next steps
3) verify which policies receive traffic from non-local networks - again, this part you mostly have
4) list the policies with stats values(policyid) and you're home.
One additional hint - completely unrelated to all those stats and whatnot - if you're using accelerated datamodels, querying them instead of searching through raw data should be much faster. But that's a completely different story.
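Putting those four steps together as one SPL search (an added example written for this thread, not a query posted by the original asker or either answerer). It keeps the field names from the question (src, dest_port, policyid, action) and the same sourcetype and host filter; the threshold of 50 distinct ports is an assumed placeholder, as is the idea of keeping the public source IPs as evidence in the final table. Note the eval on src now runs before any stats command, so the src field still exists when cidrmatch is evaluated:

```spl
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
``` 1) count distinct destination ports per policy, without collapsing the events
| eventstats dc(dest_port) AS ports BY policyid
``` 2) keep only the "many ports" policies; 50 is an assumed threshold, tune it to your environment
| where ports > 50
``` 3) classify the source while src is still present on each event (RFC 1918 ranges)
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("172.16.0.0/12", src) OR cidrmatch("192.168.0.0/16", src), "private", "public")
| where source_ip="public"
``` 4) one row per policy: the port count, how many public sources hit it, and which ones
| stats max(ports) AS ports, dc(src) AS public_src_count, values(src) AS public_sources BY policyid
| sort - ports
```

If you prefer the answerer's literal step 4 (a single list of matching policy IDs), replace the last two lines with `| stats values(policyid) AS policies`. Either way the ordering matters: eventstats before the port filter, eval/where on src before the final stats, and the final stats last, which is exactly why the original query lost source_ip when stats ran in the middle.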
| stats count by policyid ports
This will leave you with events that only have three fields, count, policyid and ports. This means that src is not available for the if function. Perhaps move the eval and where commands before the stats command?
Thanks for the reply, I tried that but if I put the stats command at the end, then the column "source_ip" from the eval command won't show up in my statistics tab.