SIEM(Splunk) dashboard creation - Firewall

Summary: In this post we create a Firewall dashboard in the Splunk SIEM. A dashboard like this lets an organization see, in near real time, what its perimeter firewall is blocking and allowing, where external traffic comes from and goes to, and which ports and sources are being blocked most.


Dashboards: A dashboard consists of one or more panels that present data visually, as event lists, tables or charts, so that the relevant key areas can be measured, monitored and analyzed at a glance instead of by re-running ad-hoc searches.

Now we will go ahead and create a firewall dashboard that helps us analyze our data more effectively.
(P.S. We have already uploaded firewall logs to Splunk. Please see this post -  https://bit.ly/3UQWoBP)


First, we will install the "InfoSec" app from -  https://splunkbase.splunk.com/app/4240 which addresses the most common security monitoring use cases, and then we will build the same kind of dashboard ourselves from our own searches.



Dashboard Panels:

Panels that our dashboard will have are:

1- Blocked connections: (  We are using Palo Alto traffic logs to find out all the blocked connections)

index=botsv2 sourcetype="pan:traffic" action=blocked |stats count(action)

--Dashboard Creation: Run the search, then click Save as > New Dashboard and give the dashboard a name. For each of the remaining queries, choose Save as > Existing Dashboard and pick the dashboard you just created, so every query becomes a new panel on it.


2- Allowed connections:

index=botsv2 sourcetype="pan:traffic" action=allowed |stats count(action)


3- External Source IPs: (distinct source addresses outside the RFC 1918 private ranges; note that the private range is 172.16.0.0/12, not /16)

index=botsv2 sourcetype="pan:traffic" src_ip!=10.0.0.0/8 src_ip!=192.168.0.0/16 src_ip!=172.16.0.0/12 |stats dc(src_ip)


4- External Destination IPs:

index=botsv2 sourcetype="pan:traffic" dest_ip!=10.0.0.0/8 dest_ip!=192.168.0.0/16 dest_ip!=172.16.0.0/12 |stats dc(dest_ip)


5 -Network Traffic by Action:

index=botsv2 sourcetype="pan:traffic" |timechart count by action


6- Traffic by protocol:

index=botsv2 sourcetype="pan:traffic" |fields transport | timechart span=600s count by transport


7- Traffic by App/ Protocol:

index=botsv2 sourcetype="pan:traffic" | fields protocol | timechart span=700s count by protocol


8- Blocked Incoming Traffic by Destination Port:

index=botsv2 sourcetype="pan:traffic" action=blocked | fields dest_port| top limit=20 dest_port showperc=false


9- Incoming traffic by App/protocol: (external sources only; `stats count by ...` produces a field named `count`, so that is the field to rename)

index=botsv2 sourcetype="pan:traffic" src_ip!=10.0.0.0/8 src_ip!=192.168.0.0/16 src_ip!=172.16.0.0/12 |fields src_ip,protocol |stats count by src_ip,protocol | rename count as "incoming traffic" | sort - "incoming traffic"


10- Top Countries by Blocked connections: (one row per destination country, with the number of blocked connections and how many distinct sources were behind them)

index=botsv2 sourcetype="pan:traffic" action=blocked |fields dest_location,src_ip| stats count dc(src_ip) as sources by dest_location | sort - count


11- Top Sources by Blocked connections:

index=botsv2 sourcetype="pan:traffic" action=blocked | top src_ip
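Instead of adding the panels one at a time through Save as, the whole dashboard can also be defined in source form and pasted in via Dashboards > Create New Dashboard and then Edit > Source. The Simple XML below is an added example, not part of the original post or of the InfoSec app: it assumes the same index (botsv2), sourcetype (pan:traffic) and field names as the queries above, adds a shared time picker so every panel follows one time range, and expresses the private-range exclusion with eval cidrmatch() using the correct 172.16.0.0/12 block.

```xml
<form version="1.1">
  <label>Firewall Monitoring</label>
  <description>Palo Alto traffic logs - assumes index=botsv2 and sourcetype=pan:traffic (example, not from the original post)</description>

  <!-- One time picker; each panel binds to $tr.earliest$ / $tr.latest$ -->
  <fieldset submitButton="false">
    <input type="time" token="tr" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Blocked connections</title>
      <single>
        <search>
          <query>index=botsv2 sourcetype="pan:traffic" action=blocked | stats count</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>Allowed connections</title>
      <single>
        <search>
          <query>index=botsv2 sourcetype="pan:traffic" action=allowed | stats count</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>External source IPs</title>
      <single>
        <search>
          <!-- cidrmatch() makes the RFC 1918 exclusion explicit; 172.16.0.0/12 is the full private block -->
          <query>index=botsv2 sourcetype="pan:traffic"
| where NOT (cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip))
| stats dc(src_ip)</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </single>
    </panel>
  </row>

  <row>
    <panel>
      <title>Network traffic by action</title>
      <chart>
        <search>
          <query>index=botsv2 sourcetype="pan:traffic" | timechart span=10m count by action</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Blocked traffic by destination port (top 20)</title>
      <table>
        <search>
          <query>index=botsv2 sourcetype="pan:traffic" action=blocked | top limit=20 dest_port showperc=false</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Top sources by blocked connections</title>
      <table>
        <search>
          <query>index=botsv2 sourcetype="pan:traffic" action=blocked | top limit=20 src_ip showperc=false</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Each panel runs its own search here, which is simple and safe. If the dashboard is opened often, the panels that share the same base filter can be converted to one base search with post-process searches, but keep in mind that a base search should be a transforming search (one that ends in stats, timechart, or similar), since post-processing a raw event set is subject to result-count limits.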



Firewall Monitoring - Dashboard: 


