How do I create a dashboard to log any New Firewall rule that has been committed to Panorama?

SPLKwame28
Engager

Creating a dashboard to log any new firewall rule that has been committed to Panorama. How do I go about this? Any assistance will be greatly appreciated. Thanks

0 Karma

gcusello
SplunkTrust

Hi @SPLKwame28,

Your question is too vague to answer.

Could you better describe your needs?

Ciao.

Giuseppe

0 Karma

SPLKwame28
Engager

@gcusello We already have logs from Panorama to Splunk. I want to set up a dashboard/table in Splunk to be able to see new rules or modified rules. I do a monthly audit to remove or modify any new rule for our Panorama cleanup. Trying to find a way to simplify this. I appreciate your help here.

Thank you.

0 Karma

gcusello
SplunkTrust

Hi @SPLKwame28,

If you already have logs from Panorama, and you correctly parsed them (I suppose you're using the Palo Alto Networks Add-on - https://splunkbase.splunk.com/app/2757/), you could daily list all the rules and save the results in a lookup and then check the active rules.

In other words, you should have a field called "rule", so you could schedule a search (e.g. every night) like the following:

index=your_index earliest=-30d@d latest=@d
| eval day=if(_time>now()-86400,"last_day","previous_days")
| stats dc(day) AS day_count values(day) AS day BY rule
| eval status=case(day_count=2,"present in the last day and before",day="previous_days","present only in previous days",day="last_day","New rule")
| table rule status

And you have the situation of the last 30 days.

Ciao.

Giuseppe

0 Karma
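The lookup-based approach Giuseppe mentions (list the rules nightly, save them in a lookup, then compare against it), written out as an added example that is not code from this thread; it also flags modified rules, which the question asks for. It assumes the Palo Alto Networks Add-on has parsed traffic logs into sourcetype pan:traffic with the fields rule, action, src_zone and dest_zone (only rule is confirmed by the thread; the other names and the lookup file name pan_rule_baseline.csv are assumptions, adjust them to your environment).

```spl
index=your_index sourcetype=pan:traffic earliest=-30d@d latest=@d
| stats earliest(_time) AS first_seen values(action) AS action values(src_zone) AS src_zone values(dest_zone) AS dest_zone BY rule
| fillnull value="-" action src_zone dest_zone
| eval fingerprint=md5(mvjoin(action,",")."|".mvjoin(src_zone,",")."|".mvjoin(dest_zone,","))
| eval status="Baseline", status_time=first_seen
| fields rule first_seen fingerprint status status_time
| outputlookup pan_rule_baseline.csv

index=your_index sourcetype=pan:traffic earliest=-1d@d latest=@d
| stats earliest(_time) AS first_seen values(action) AS action values(src_zone) AS src_zone values(dest_zone) AS dest_zone BY rule
| fillnull value="-" action src_zone dest_zone
| eval fingerprint=md5(mvjoin(action,",")."|".mvjoin(src_zone,",")."|".mvjoin(dest_zone,","))
| lookup pan_rule_baseline.csv rule OUTPUT first_seen AS base_first_seen fingerprint AS base_fingerprint status AS base_status status_time AS base_status_time
| eval change=case(isnull(base_first_seen),"New rule", fingerprint!=base_fingerprint,"Modified rule", true(),"Unchanged")
| eval first_seen=coalesce(base_first_seen,first_seen)
| eval status=if(change="Unchanged", base_status, change)
| eval status_time=if(change="Unchanged", base_status_time, now())
| fields rule first_seen fingerprint status status_time
| inputlookup append=true pan_rule_baseline.csv
| dedup rule
| outputlookup pan_rule_baseline.csv

| inputlookup pan_rule_baseline.csv
| where status!="Baseline" AND status_time>=relative_time(now(),"-30d@d")
| sort - status_time
| eval first_seen=strftime(first_seen,"%Y-%m-%d %H:%M"), status_time=strftime(status_time,"%Y-%m-%d %H:%M")
| table rule status first_seen status_time
```

Run the first search once to seed the lookup, schedule the second nightly just after midnight (dedup keeps that night's row for rules seen in both the results and the lookup, and keeps the lookup row for rules with no traffic that day), and use the third as the dashboard panel. Because the fingerprint is built from observed traffic, a rule whose matched zones vary from day to day can show as modified; if the Add-on's configuration log sourcetype is indexed, keying the fingerprint on configuration fields instead is more exact.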

gcusello
SplunkTrust

Hi @SPLKwame28,

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors ;-)

0 Karma

SPLKwame28
Engager

@gcusello This really helped to get those rules on Panorama. Modified it with the firstTime>now()

| eval day=if(firstTime>now()-86400,"last_day","previous_days")

It really helped. I will keep you posted on the outcome.

Thanks

0 Karma

gcusello
SplunkTrust

Hi @SPLKwame28,

If one answer solves your need, please accept one answer for the other people of the Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors ;-)

0 Karma