Solved: Re: New Security Rule.

SPLKwame28 · ‎08-06-2022

Creating A dashboard to log any New Firewall rule that has been committed to Panorama. How do i go about this? Any assistance will be greatly appreciated. Thanks

gcusello · ‎08-10-2022

Hi @SPLKwame28,

if you already have logs from Panorama, and you correctly parsed them (I suppose you're using Palo Alto networks Add-On - https://splunkbase.splunk.com/app/2757/), you could daily list all the rules and save results in a lookup and then check the active rules.

In other words, you should have a field called "rule", so you could schedule a search (e.g every night) like the following:

index=your_index earliest=30d@d latest=@d
| eval day=if(_time<now()-86400,"last_day","previous_days")
| stats dc(day) AS day_count values(day) AS day BY rule
| eval status=case(day_count=2,"present in the last day and before",day="previous_days","present only in previous days",day="last_day", "New rule")
| table rule status

And have the situation of the last 30 days.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎08-06-2022

Hi @SPLKwame28,

your questions is too vague to answer.

Could you better describe your needs:

splunk version?
have you already ingested logs or not?
have you persed them?
did you installed the panorama App (https://splunkbase.splunk.com/app/5831/)?
do you know SPL or not ?if not follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial),

Ciao.

Giuseppe

SPLKwame28 · ‎08-10-2022

@gcusello We already have logs from panorama to splunk. I want to setup a dashboard/table in splunk to be able to see new rule or modified rules. I do monthly audit to remove or modify any new rule for our panorama cleanup. Trying to find a way to simplify this. I appreciate your help here.

Thank you.

gcusello · ‎08-10-2022

Hi @SPLKwame28,

if you already have logs from Panorama, and you correctly parsed them (I suppose you're using Palo Alto networks Add-On - https://splunkbase.splunk.com/app/2757/), you could daily list all the rules and save results in a lookup and then check the active rules.

In other words, you should have a field called "rule", so you could schedule a search (e.g every night) like the following:

index=your_index earliest=30d@d latest=@d
| eval day=if(_time<now()-86400,"last_day","previous_days")
| stats dc(day) AS day_count values(day) AS day BY rule
| eval status=case(day_count=2,"present in the last day and before",day="previous_days","present only in previous days",day="last_day", "New rule")
| table rule status

And have the situation of the last 30 days.

Ciao.

Giuseppe

gcusello · ‎08-18-2022

Hi @SPLKwame28 ,

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

SPLKwame28 · ‎08-12-2022

@gcusello this really helped to get those rules on panorama. Modified it with the Fisrttime>now()

| eval day=if(firstTime>now()-86400,"last_day","previous_day")

it really helped . i will keep you posted on the outcome.

Thanks

gcusello · ‎08-13-2022

Hi @SPLKwame28 ,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

How do I create a dashboard to log any New Firewall rule that has been committed to Panorama?

field extraction

lookup

search job inspector

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!