Creating A dashboard to log any New Firewall rule that has been committed to Panorama. How do i go about this? Any assistance will be greatly appreciated. Thanks
Hi @SPLKwame28,
if you already have logs from Panorama, and you correctly parsed them (I suppose you're using the Palo Alto Networks Add-On - https://splunkbase.splunk.com/app/2757/), you could list all the rules daily, save the results in a lookup and then check the active rules.
In other words, you should have a field called "rule", so you could schedule a search (e.g. every night) like the following:
index=your_index earliest=-30d@d latest=@d
| eval day=if(_time>=relative_time(now(),"-1d@d"),"last_day","previous_days")
| stats dc(day) AS day_count values(day) AS day BY rule
| eval status=case(day_count=2,"present in the last day and before",day="previous_days","present only in previous days",day="last_day","New rule")
| table rule status
And have the situation of the last 30 days.
Ciao.
Giuseppe
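As an added example of the lookup-based variant Giuseppe mentions (not code from his answer), these savedsearches.conf stanzas keep a rolling baseline of rule names and feed a dashboard panel with the rules first seen in the last 30 days. Assumed names: the index your_index, the rule field extracted by the add-on, the lookup file panorama_rules.csv and the two stanza names.

```ini
# Added example, not from the thread. Assumes index "your_index", the "rule"
# field from the Palo Alto Networks Add-On and a CSV lookup panorama_rules.csv.

# 1) Nightly baseline: record the first and last day each rule name was seen.
#    Runs at 00:30 over yesterday, merges with the lookup and writes it back.
[Panorama - update rule baseline]
enableSched = 1
cron_schedule = 30 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
search = index=your_index rule=* \
| stats min(_time) AS first_seen max(_time) AS last_seen BY rule \
| inputlookup append=true panorama_rules.csv \
| stats min(first_seen) AS first_seen max(last_seen) AS last_seen BY rule \
| outputlookup panorama_rules.csv

# 2) Report for the dashboard panel: rules whose first sighting is within
#    the last 30 days, newest first. No schedule; the panel runs it on load.
[Panorama - new rules last 30 days]
search = | inputlookup panorama_rules.csv \
| where first_seen >= relative_time(now(), "-30d@d") \
| eval first_seen=strftime(first_seen, "%Y-%m-%d"), last_seen=strftime(last_seen, "%Y-%m-%d") \
| sort - first_seen \
| table rule first_seen last_seen
```

Create the lookup once by running the first search without the inputlookup line, since inputlookup errors on a file that does not exist yet. Rules already in use when the baseline starts get first_seen set to the first collected day, so the panel only becomes meaningful after 30 days of history.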
Hi @SPLKwame28,
your question is too vague to answer.
Could you better describe your needs?
Ciao.
Giuseppe
@gcusello We already have logs from Panorama in Splunk. I want to set up a dashboard/table in Splunk to be able to see new rules or modified rules. I do a monthly audit to remove or modify any new rule for our Panorama cleanup. Trying to find a way to simplify this. I appreciate your help here.
Thank you.
Hi @SPLKwame28 ,
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors ;-)
@gcusello this really helped to get those rules on Panorama. Modified it with the firstTime>now()
| eval day=if(firstTime>now()-86400,"last_day","previous_days")
It really helped. I will keep you posted on the outcome.
Thanks
Hi @SPLKwame28 ,
if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors ;-)