
Palo Alto Networks App for Splunk: How to remove certain destination IP addresses from the malware traffic search in the Wildfire dashboard?

dmenon84
Path Finder

Here is the search that shows client IPs connecting to malicious destination IPs mentioned in the Wildfire report. This is one of the searches under the Wildfire dashboard in the Palo Alto Networks App for Splunk.

| `pan_tstats` count(traffic) FROM `node(log.traffic)` groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app
| rename log.traffic.dest_ip_port AS ip_port
| join type=inner ip_port [
    | `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port
    | rename wildfire_report.tcp_ip_port AS ip_port ]
| dedup 1 log.src_ip log.user ip_port log.app
| eval "Traffic Link" = "View Traffic Logs"
| eval "WildFire Link" = "View WildFire Report"
| table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link"
| rex mode=sed field=ip_port "s/,/:/"
| rename log.src_ip AS Source
| rename log.dest_ip AS "Dest IP"
| rename log.dest_port AS "Dest Port"
| rename log.user AS User
| rename log.app AS Application
| rename wildfire_report.wildfire.id AS "WildFire Report ID"
| sort -_time

I am getting the data I want, but I want to get rid of IPs such as 204.79.197.200, 104.16.24.216 which are Microsoft or Akamai etc. The field name is tcp_ip in pan_wildfire_report. I added constraints such as sourcetype="pan:wildfire_report" NOT 104.16.24.216 NOT 204.79.197.200, but that doesn't seem to work.

0 Karma
1 Solution

snoobzilla
Builder

If the IPs are in a field and not in _raw, you will need to specify a field value.

e.g. | search log.dest_ip!=204.79.197.200 log.dest_ip!=104.16.24.216

| `pan_tstats` count(traffic) FROM `node(log.traffic)`       groupby _time log.traffic.dest_ip_port log.dest_ip log.dest_port log.src_ip log.user log.app
| rename log.traffic.dest_ip_port AS ip_port
| join type=inner ip_port [
| `pan_tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port
| rename wildfire_report.tcp_ip_port AS ip_port ]
| dedup 1 log.src_ip log.user ip_port log.app
| eval "Traffic Link" = "View Traffic Logs"
| eval "WildFire Link" = "View WildFire Report"
| table _time log.src_ip log.user log.dest_ip log.dest_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link"
| rex mode=sed field=ip_port "s/,/:/"
| search log.dest_ip!=204.79.197.200 log.dest_ip!=104.16.24.216
| rename log.src_ip AS Source
| rename log.dest_ip AS "Dest IP"
| rename log.dest_port AS "Dest Port"
| rename log.user AS User
| rename log.app AS Application
| rename wildfire_report.wildfire.id AS "WildFire Report ID"
| sort -_time

You may need to add quotes around the IP addresses, and I'm not sure I got the right field name, but this should get you what you need.



dmenon84
Path Finder

Yes this worked perfectly

0 Karma