I am trying to piece together a search that shows all allowed connections that originate from our web proxies and pass through our perimeter firewalls on ports that are not 80 and 443.
Here is the search I have so far that doesn't seem to be showing the data correctly:
index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19)
| append [search index=*proxy action=allowed (port!=80 AND port!=443) | rename port AS dest_port | table action, dest_ip, dest_port, dest]
| stats dc(dest_ip) by dest_ip, dest_port, dest, action, index
| sort -dest_port, dest_ip
| table index, action, dest_ip, dest_port, dest
Here is what I am wanting to see:
Action    Dest_IP      Dest_Port    Dest (Domain)
Allowed   175.x.x.x    9009         anydomain.com
The action, dest_ip and dest_port appear in the firewall index
The action, dest_ip, port (renamed to dest_port in search) and dest appear in the proxy index.
This search is returning results, but I'm not confident this is the best path and I still need to validate that the data is good.
(index=*proxy action=allowed (host=Proxy0* OR host=AnotherProxy*) AND (port!=80 AND port!=443)) OR (index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19))
| rename port AS dest_port
| stats dc(dest_ip) by dest_ip, dest_port, action, dest, url
| dedup dest
| sort -dest_port, dest_ip
| table action, dest_ip, dest_port, dest, url
Edit: typo
You do not, at the current point, have any information linking the data in the two indexes. Are these two parts of a single transaction (list all the firewall events together with their related proxy events), or are they separate items that you are putting together (list all the firewall events, list all the proxy events)?
I want to list all firewall events and their related proxy events, matching the destination IP from the firewall to the destination IP from the proxy and showing the associated web site.
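One way to express that correlation in SPL, as an added example that is not from this thread: pull both sets of allowed non-80/443 events in a single search, normalise the proxy `port` field into `dest_port`, tag each event with which index it came from, and keep only the dest_ip/dest_port pairs that appear in both the firewall and the proxy data. It assumes the field names stated in the thread (dest_ip, dest_port, port, dest, url), that the index names contain the words firewall and proxy, and it reuses the thread's 10.x.x.x / 192.x.x.x / 205.x.x.x address placeholders, which must be replaced with real values before it will run.

```spl
(index=*firewall action=allowed src_ip IN (10.x.x.x, 10.x.x.x) dest_port!=80 dest_port!=443 dest_ip!=192.x.x.x/20 dest_ip!=205.x.x.x/19)
OR (index=*proxy action=allowed (host=Proxy0* OR host=AnotherProxy*) port!=80 port!=443)
| eval dest_port=coalesce(dest_port, port)
| eval source_type=if(match(index, "firewall"), "firewall", "proxy")
| stats values(action) AS action, values(dest) AS dest, values(url) AS url, dc(source_type) AS sources, count(eval(source_type="firewall")) AS fw_events, count(eval(source_type="proxy")) AS proxy_events by dest_ip, dest_port
| where sources=2
| sort -dest_port, dest_ip
| table action, dest_ip, dest_port, dest, url, fw_events, proxy_events
```

The `where sources=2` line is what implements the link the reply above asks about: a row survives only when the same destination IP and port were seen in both indexes, so firewall-only flows (no proxy record, which is itself worth a look) and proxy-only flows drop out; remove that line to keep them with fw_events or proxy_events at 0.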