Hello.
Recently I've joined a new company that is using Splunk as their SIEM and this past month I've been trying to learn a bit about the tool since I'm completely new to it. I was assigned as an exercise to work out a query to basically do these 2 things:
identify potential policies with all ports enabled
identify which of these policies are receiving petitions from public IP addresses
So far I've come up with this query:
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
| eventstats dc(dest_port) as ports by policyid
| stats count by policyid ports
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public")
| where source_ip="public"
Basically, the main problem I'm having, and can't seem to find a reasonable solution to, is that I've already managed to find out how to filter private IP addresses from the results, but I feel like my eventstats command is not working properly, mainly because I'm counting all the distinct destination ports but not by the policyid.
I'd be really grateful if you guys could give me a hint or some advice about how I can approach this case.
Thanks in advance
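One way to get both answers from a single search, added here as an example and not the poster's own query: it keeps the poster's index, sourcetype, host filter and FortiGate field names (src, dest_port, policyid), classifies src with cidrmatch before the stats command (stats discards every field that is not an aggregate or in its BY clause, which is why the eval on src cannot work after it), and uses a constructed threshold of 100 distinct destination ports as the "all ports enabled" heuristic.

```spl
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
| eval src_type=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("172.16.0.0/12", src) OR cidrmatch("192.168.0.0/16", src), "private", "public")
| stats dc(dest_port) AS ports, count AS hits, count(eval(src_type="public")) AS public_hits, dc(eval(if(src_type="public", src, null()))) AS public_sources BY policyid
| where ports >= 100 AND public_hits > 0
| sort - ports
```

Dropping the where clause shows every policy with its distinct port count, which is the quickest way to pick a sensible threshold for the environment; a policy with a high ports value but public_hits of 0 is an any-port rule that only internal hosts are reaching.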