1st time connection between servers (FTD CISCO)


This query lists source/destination pairs that appear for the first time in the Cisco FTD "Allow" connection logs: `rex` pulls SrcIP and DstIP out of the raw event, `stats` counts each pair and records when it was first and last seen, `where` keeps pairs first seen since the start of yesterday and seen only once, and the two `NOT [inputlookup ...]` subsearches drop any pair whose source or destination is already known. It is still a work in progress and can be extended further. "White-listing" happens through the lookup files (networkdestip.csv with a DstIP column, networksrcip.csv with a SrcIP column).


index=nfw "Allow"
| rex "SrcIP.*\b(?<SrcIP>\d+\.\d+\.\d+\.\d+).*DstIP.*\b(?<DstIP>\d+\.\d+\.\d+\.\d+)"
| stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP
| where earliest>relative_time(now(), "-1d@d") AND count<=1
| search DstIP=* AND NOT
    [| inputlookup networkdestip.csv
     | fields DstIP]
| search SrcIP=* AND NOT
    [| inputlookup networksrcip.csv
     | fields SrcIP]
| fields SrcIP, DstIP
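The same detection logic, written as an added Python example (not part of the original post or of Splunk) so the extraction regex and the filtering steps can be tested offline against a handful of constructed FTD-style events. The sample log lines, timestamps, lookup contents and the fixed "now" are all made up for the example; the regex is the page's rex with lazy quantifiers (.*?) so that the first address after each label is taken even if a line carries further addresses later on.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# The page's rex as a Python named-group regex. Lazy ".*?" (the page uses a
# greedy ".*") takes the first IP after each label rather than the last one.
PAIR_RE = re.compile(
    r"SrcIP.*?\b(?P<SrcIP>\d+\.\d+\.\d+\.\d+).*?DstIP.*?\b(?P<DstIP>\d+\.\d+\.\d+\.\d+)"
)

# Fixed "now" for the example so the relative_time(now(), "-1d@d") cut-off is reproducible.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

# Constructed (timestamp, message) events in the style of Cisco FTD 430003 connection logs.
SAMPLE_EVENTS = [
    ("2024-05-02T09:15:00Z", "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.1.5, DstIP: 10.30.4.8, SrcPort: 51222, DstPort: 443, Protocol: tcp"),
    ("2024-04-20T08:00:00Z", "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.2.6, DstIP: 10.30.4.8, SrcPort: 40111, DstPort: 22, Protocol: tcp"),
    ("2024-05-02T09:20:00Z", "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.1.5, DstIP: 10.20.3.7, SrcPort: 51300, DstPort: 443, Protocol: tcp"),
    ("2024-05-02T09:25:00Z", "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.9.9, DstIP: 10.30.5.1, SrcPort: 51400, DstPort: 3306, Protocol: tcp"),
    ("2024-05-02T09:30:00Z", "%FTD-6-430003: AccessControlRuleAction: Block, SrcIP: 10.10.1.5, DstIP: 10.30.6.2, SrcPort: 51500, DstPort: 445, Protocol: tcp"),
    ("2024-05-01T10:00:00Z", "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.3.3, DstIP: 10.30.7.7, SrcPort: 51600, DstPort: 8080, Protocol: tcp"),
    ("2024-05-02T10:00:00Z", "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.3.3, DstIP: 10.30.7.7, SrcPort: 51601, DstPort: 8080, Protocol: tcp"),
    ("2024-05-02T11:00:00Z", "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.4.4, DstIP: 10.30.8.8, SrcPort: 51700, DstPort: 5432, Protocol: tcp"),
]

# Constructed stand-ins for networkdestip.csv and networksrcip.csv.
ALLOWED_DST_CSV = "DstIP\n10.20.3.7\n"
ALLOWED_SRC_CSV = "SrcIP\n10.10.9.9\n"


def load_lookup(csv_text, field):
    """Read one column of a lookup CSV into a set, like `inputlookup ... | fields <field>`."""
    return {row[field].strip() for row in csv.DictReader(io.StringIO(csv_text)) if row.get(field)}


def extract_pair(message):
    """Return (SrcIP, DstIP) from a raw event, or None when the rex does not match."""
    m = PAIR_RE.search(message)
    return (m["SrcIP"], m["DstIP"]) if m else None


def first_time_connections(events, allowed_src, allowed_dst, now=NOW):
    """Pairs first seen after yesterday 00:00, seen exactly once, and not allow-listed on either side."""
    stats = {}  # (SrcIP, DstIP) -> [count, earliest, latest]
    for ts, msg in events:
        if "Allow" not in msg:          # index=nfw "Allow"
            continue
        pair = extract_pair(msg)        # | rex ...
        if pair is None:
            continue
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        s = stats.setdefault(pair, [0, t, t])   # | stats count min(_time) max(_time) BY SrcIP, DstIP
        s[0] += 1
        s[1] = min(s[1], t)
        s[2] = max(s[2], t)

    # relative_time(now(), "-1d@d"): one day back, snapped to the start of that day.
    cutoff = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    results = []
    for (src, dst), (count, earliest, latest) in sorted(stats.items()):
        if earliest <= cutoff or count > 1:             # | where earliest>... AND count<=1
            continue
        if dst in allowed_dst or src in allowed_src:     # NOT [inputlookup ...] on each side
            continue
        results.append({"SrcIP": src, "DstIP": dst, "count": count,
                        "earliest": earliest.isoformat(), "maxtime": latest.isoformat()})
    return results


if __name__ == "__main__":
    hits = first_time_connections(SAMPLE_EVENTS,
                                  load_lookup(ALLOWED_SRC_CSV, "SrcIP"),
                                  load_lookup(ALLOWED_DST_CSV, "DstIP"))
    for h in hits:
        print(h["SrcIP"], "->", h["DstIP"], "first seen", h["earliest"])
```

Of the eight constructed events only two pairs are reported: the old pair is dropped by the date cut-off, the Block event never enters the count, the allow-listed source and destination are removed by the lookups, and the pair seen on both days fails count<=1. That last case is worth keeping in mind when tuning the query: a genuinely new pair that talks twice inside the search window is also suppressed by count<=1, so widening the window (and comparing earliest against the cut-off alone) is the usual next step.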