Skip to main content

Splunk - Drop Down Management Dashboard for Attacks



Scenario: You might have many security devices as input resource and many of them have standard apps already designed for Splunk(Also available for free) but even then in some cases you would like to create your own Dashboards based on your own requirements especially when you would like to report to the management customers and so on.
Here I will explain a Web Application Firewall as an input resource where we might have multiple services registered into WAF and in Splunk you would like to create a dashboard for management based on a drop down menu for different services.

To start with, we will use the same lookup that we have created in my previous blog.
First you need to know what you would like to present in a dashboard. In my case, I am taking a simple scenario that I would like to present the number of attacks from a country that is happening to any particular service in a given period of time. It would also present some additional details like as follows:
Time
Source IP
Country
Action Taken
URL
Destination IP
Attack Description
Count

Data Source in this case is Web Application Firewall. You can achieve the same for any other data source.
In order to present the information mentioned in above table, I am using following as a raw query. I am looking for the logs from WAF, and on top of that in this particular case I am checking only the deny logs.
sourcetype=waf_firewall src_ip="*" dest_ip="*" deny  |  geoip src_ip | fillnull value=NULL | stats c as "Count" by _time src_ip src_ip_country_name action_taken  URL dest_ip Attack_Description |rename src_ip as Source_IP src_ip_country_name as Country action_taken as Action_Taken | sort -_time

Note: If you look at the query you might notice that the src_ip and dest_ip are both asterisk (*) respectively. Because I would like to give a user this flexibility that he/she may select dest_ip from the dropdown menu and in case of src_ip they may be able to verify the attacks from any particular IP.



Once you are convinced with your raw query what you would like to show as in Dashboard, you should save it as a dashboard.


 

You will have to provide following self-explanatory details based upon how you would like to present this dashboard. You can either integrate your dashboard to an existing one or you can start with a new dashboard. Next assign a Dashboard ID and you may change the dashboard permissions as well.

Once you have the dashboard, you would like add the panels, based on this scenario we will need three panels.

  • Attacker IP 
  • Service IP
  • Timeline
Go to your dashboard and click on Edit on the top right corner and Edit Panels

 
Afterwards you have to add predefined input from available inputs:


In our case we would require two text fields and a time field. Add text field two times and the time field for our customized timeline. In case of Source IP, we will start with all IPs where the attacks might come from hence we would fill it in with wildcard * and in case of Destination IP we will use our pre-defined lookup, which is basically a list of services that includes the name of the service and the respective IPs.
Source IP:  In order to edit source IP field click the pencil button and edit the required field as shown below, here the name of the token is very important therefore we should remember it so that later on we can manipulate our query to get the input from our pre-defined fields.



Destination IP: In case of destination IP, we will dynamically fill it with our lookup therefore scroll down and check for the Dynamic Options. Here you may insert your query that can get the input from your lookup. In fact you may use any Splunk query here depending upon your use case.
In our case, we will do as follows:




In this case, we have defined the token as service


And finally our input field will look like as follows: 

 


We have now almost all our requirements fulfilled and we are almost done. Last thing we would like to achieve is that our dashboard should display the results based upon our selected input filed e.g. if you select a service from a drop-down menu, it should only show results for that particular service.

Therefore click again onto Edit on the top right corner and Edit Panels and then edit search string.

It will pop-up a new window where you can edit your search query as well and you can also integrate your time line to the dashboard.
As we have shown earlier that in case of src_ip and dest_ip we have chosen wild card * as our input value, now in order to fill it in with our dynamic input fields we have to utilize the tokens that we have defined earlier for our inputs.

Tokens: Tokens are like programming variables that represents a value that can change based upon user selection. In a search query token name uses following syntax e.g. $TokenName$
For details you may check Splunk documentation which explains in detail where you can use a token and what you may achieve out of it in different scenarios.

Finally we change our search query  and the value of  src_ip and dest_ip we will receive from our input as follows:
sourcetype=waf_firewall src_ip="$Attacker_IP$" dest_ip="$service$
For Time Range Scope select Shared Time Picker so that if you change the time, content of dashboard also change and you are ready to go.



Finally your dashboard should look like as follows:

Once you select a service that is registered into WAF and you have logs from it into Splunk it should give us the desired results.
E.g. Below:




Labels:

Comments

Post a Comment

Popular posts from this blog

Splunk - Adding a lookup

These days many companies started using Splunk for security monitoring and the only thing I can say is “it is worth it”.   Splunk can significantly reduce the work load, just imagine that you are operating more than 20 Security Solutions which generated tons of logs and you have to identify an attack and of course react in a prompt fashion. I can certainly recommend Splunk for such scenarios. Of course everything comes at a cost and Splunk is definitely not a cheap product.   I am now using Splunk for past 3 years but still from time to time I need to google some stuff to fix my issues and many a times I had to spend a bit too much time even though the Splunk community is very strong. May be I was not looking into the right direction and perhaps I was too naive to understand what others were talking. Therefore with the medium of my blog, I will share some useful information for all the splunk users. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...
Post a Comment
Read more

Cloud based WAF sucks more than you thought - Privacy?

In my  previous  post, I have described a basic diagram of WAF into any network. Now imagine if we just place WAF into a cloud and for an easy explanation,instead of reinventing the wheel, I will refer to the Sucuri’s  diagram  here   It is clearly stated in this diagram that Sucuri's network will protect your website against hackers who may perform injection attacks like XSS, SQL Injection, Command injection etc. Now in real life to an end user, it is quite complicated to figure out whether there is a WAF in place or not and actually why an end user would be interested. His/Her only concern would be that their personal information should be properly taken care off while they’re visiting a website. But as an end customer how would you make sure that the information that you are providing will be taken care of and without your consent, it won’t be shared with any third party. Well it is quite a complex question, especially for the people who have nothing to do...
Post a Comment
Read more

Cloud based WAF against cyber attacks?

Target  :  www.bhaskar.com Alexa Global Rank  : 427 Rank in India  : 31 I deal with Web Application Firewalls in my daily operations and I got to know some more in the market out of which everyone claims that they are the best. Every time we talk about web application firewalls, one basic question arises, can we completely mitigate all the web related risks onto a WAF? Another question that arises in my mind is, can small and medium size businesses afford to have an in-house WAF for all their applications, I think NOT as it requires some investment, continuous maintenance and continuous WAF operations, moreover awareness about the Security, which is mostly missed. These factors evolves a new business model  "Cloud Based WAF" Why Cloud based WAF? Easy to afford Mitigate risks onto third party Easy to maintain Compliance & Governance Source:  https://sucuri.net/website-firewall/signup   Hmm......Sounds very promising with the ...
Post a Comment
Read more