Splunk Enterprise Security

How would I write a query that defines failure or success against firewall by geoIP?

brian1_tate
Path Finder

I realize this is a silly question but it just so happens we have so many firewalls in exist stance that traffic that is legitimate has been blocked and traffic that is not has been occasionally allowed though. I know the source index to pull the data from but I would think it would involve an iplookup on each entry (maybe using dedup to remove the consistent duplicates that I would think would exist) and somehow use geostats to map the iplookup on a visual map. How would one go about something this grand for 500,000 firewalls or more and can anyone suggest a lookup table I could use for geostats?

If you do, you certainly deserve a massive cookie and candy bar I'll even comment your name in the file if I can. Any or all thoughts are welcome because this one boggles my mind. I would also think I would need to accelerate this search for it to be useful but I'll leave the comments to more experienced Splunk ninjas.

Thx all

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

The search below is native to Splunk, and I used the eventgen sample data so the field names may be a bit different but this might help you get started. Basically once I have the search criteria I am interested in, I call iplocation against the IP of the network device. If I stop there I will get a tabular output with city and country output for those devices. I can then take the geostats command and map the lat long from the iplocation results to the latField and longField and then do a count or count by Action or count by ComputerIPAddress to get the various bubbles to size out based on volume of events.

sourcetype=sophos:firewall ComputerIPAddress!="" |iplocation ComputerIPAddress |geostats latField=lat longField=lon count by Action

0 Karma

mhpark
Path Finder

GeoLite2 would give you a chance with automatic field lookups for Splunk.

http://dev.maxmind.com/geoip/geoip2/geolite2/

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...