Simple source and Destination lookup
I am looking to write a simple search that tells me if a host or hosts are reaching out to a specific IP address. So far I have
index="firewall" host=hostname src_addr=x.x.x.x dest_addr=x.x.x.x
When I run this it doesn't come back with anything. Should I be searching under my domain instead? I would like for it to be lined up like below,
Hostname | source IP | destination IP

What you can search for depends on your data. If you have properly onboarded data, you should have your events ingested with a well-defined sourcetype and have your fields extracted. Otherwise Splunk might simply not know what you mean by "src_addr" or "dest_addr".
Even better if you have your data CIM-compliant - then you can search from datamodel using just standardized fields regardless of the actual fields contained within the original raw event. But that's a bit more advanced topic. The first thing would be to verify what fields you actually have available.
Try running
index=firewall host=your_firewall | head 10
in verbose mode and expand a single event to see what fields are extracted.
If your fields are called - for example - src_ip and dest_ip, searching for src_addr and dest_addr will yield no results because Splunk doesn't know those fields.
Running the index="firewall" works successfully and adding the sourcetype="firewall" lets me search through the logs successfully but it will only let me filter and look for the fields below for some reason. I can't look for destination IP addresses?
Sourcetype is important because it categorises the raw data and should extract / parse the data into fields. From the screenshot it looks like your data is not being parsed/extracted on the SH.
1. You most likely do not have the correct sourcetype or TA installed for your TA.
2. Obviously this is firewall data (I have never heard of a sourcetype "firewall", but it could be a custom name; normally it's called or set with a meaningful name like cisco:asa etc.).
Run this command and see if it returns any sourcetypes. If it still doesn't, identify the vendor of the firewall logs, find the TA on Splunkbase, look at how you are ingesting this data (inputs), check and note the metadata settings, and use the sourcetype from there. If not, you will have to develop a custom one for this data source.
| tstats count where index=firewall BY sourcetype, index
| stats values(sourcetype) BY index
Thanks! I will give this a shot and see if it works
This could be a number of things as to why you're not getting any results.
With Splunk you should be able to see the fields in the fields sidebar, provided you have access to the index (permissions) and the data has been onboarded correctly and fields are extracted.
Run index="firewall" and see if you get data, and then you should find the sourcetype associated with the data you want to search.
Example
index="firewall" sourcetype=<Add your sourcetype here>
| table host, src_addr, dest_addr
Note: The fields you're interested in may be different based on your data, so look at the left fields sidebar.
If you can't get anything, it may be that you don't have permissions to see that firewall index/data, or the data has not been onboarded correctly.
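The field check and the final "hostname | source IP | destination IP" search described in the first answer and in this one, written out as one added SPL example. This is not from the thread; the sourcetype cisco:asa, the candidate field names src_ip / src and dest_ip / dest, and the destination 203.0.113.10 are assumptions and should be replaced with whatever the fields sidebar actually shows for your data. The first search lists which src*/dest* fields are really extracted for the sourcetype; the second normalises the likely field names into src_addr / dest_addr with coalesce before filtering, so the search still returns rows when the TA names the fields differently.

```spl
index=firewall sourcetype="cisco:asa" earliest=-1h
| fieldsummary maxvals=5
| search field IN (src*, dest*, host)
| table field count distinct_count values

index=firewall sourcetype="cisco:asa" earliest=-24h
| eval src_addr=coalesce(src_addr, src_ip, src), dest_addr=coalesce(dest_addr, dest_ip, dest)
| search dest_addr="203.0.113.10"
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY host src_addr dest_addr
| convert ctime(first_seen) ctime(last_seen)
| table host src_addr dest_addr count first_seen last_seen
```

Two caveats when reading the result: host here is the Splunk metadata field, i.e. the firewall or forwarder that sent the log, not the internal machine that made the connection; the endpoint you want to identify is src_addr. And coalesce can only pick from fields that are already extracted at search time, so if the first search shows no src*/dest* fields at all, the second will return nothing until the correct TA or extraction is in place.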
