Description:
This query lists new connections between internal servers: SrcIP/DstIP pairs in 10.0.0.0/8 that were first seen since the start of yesterday and have appeared only once in the search window. It is still a work in progress and can be extended further. "White-listing" happens through the lookup files networksrcip.csv (known sources) and networkdestip.csv (known destinations). Run it over a search window well longer than one day (for example 30 days), otherwise pairs that were active before the window will also look new.
Query:
index=nfw "Allow"
| rex "SrcIP.*?\b(?<SrcIP>\d+\.\d+\.\d+\.\d+).*?DstIP.*?\b(?<DstIP>\d+\.\d+\.\d+\.\d+)"
| stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP
| where earliest>relative_time(now(), "-1d@d") AND count<=1
| search DstIP=10.0.0.0/8 AND NOT [| inputlookup networkdestip.csv | fields DstIP]
| search SrcIP=10.0.0.0/8 AND NOT [| inputlookup networksrcip.csv | fields SrcIP]
| fields SrcIP, DstIP
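The same detection logic as the SPL above, reimplemented in Python over a few constructed firewall log lines, as an added example that is not part of the original query or its lookups. The log format, the sample IP addresses and the two allow-list sets stand in for the nfw index and the networksrcip.csv / networkdestip.csv lookup files and are assumptions; the lazy rex, the per-pair count/earliest aggregation, the -1d@d threshold, the 10.0.0.0/8 filter and the allow-list exclusion mirror the query step by step.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data), shaped like the "Allow ... SrcIP ... DstIP" lines the rex parses.
SAMPLE_LOGS = [
    ("2024-05-01T03:00:00Z", "Allow proto=tcp SrcIP=10.1.1.5 DstIP=10.2.2.9 port=443"),
    ("2024-05-02T09:15:00Z", "Allow proto=tcp SrcIP=10.1.1.5 DstIP=10.2.2.9 port=443"),  # repeat: count>1
    ("2024-05-02T10:00:00Z", "Allow proto=tcp SrcIP=10.1.1.7 DstIP=10.3.3.3 port=22"),   # new pair: alert
    ("2024-05-02T11:00:00Z", "Allow proto=tcp SrcIP=10.1.1.7 DstIP=10.9.9.9 port=22"),   # dst allow-listed
    ("2024-05-02T12:00:00Z", "Allow proto=udp SrcIP=10.1.1.8 DstIP=8.8.8.8 port=53"),    # dst not in 10/8
    ("2024-05-02T12:30:00Z", "Deny proto=tcp SrcIP=10.1.1.9 DstIP=10.4.4.4 port=445"),   # not an Allow
]
SAMPLE_NOW = datetime(2024, 5, 2, 13, 0, tzinfo=timezone.utc)

# Constructed stand-ins for networksrcip.csv and networkdestip.csv (assumed contents).
ALLOWED_SRC = {"10.250.0.1"}
ALLOWED_DST = {"10.9.9.9"}

# Same pattern as the SPL rex; lazy .*? takes the first IP after each label.
PAIR_RE = re.compile(r"SrcIP.*?\b(?P<SrcIP>\d+\.\d+\.\d+\.\d+).*?DstIP.*?\b(?P<DstIP>\d+\.\d+\.\d+\.\d+)")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def new_internal_pairs(logs, now, allowed_src=ALLOWED_SRC, allowed_dst=ALLOWED_DST):
    """Return sorted (SrcIP, DstIP) pairs that are internal on both ends, first seen
    after relative_time(now, "-1d@d") (start of yesterday), seen exactly once, and
    not excused by either allow-list."""
    threshold = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    stats = {}  # (src, dst) -> (count, earliest), i.e. the stats ... BY SrcIP, DstIP step
    for ts, line in logs:
        if "Allow" not in line:          # index=nfw "Allow"
            continue
        m = PAIR_RE.search(line)
        if not m:
            continue
        key = (m["SrcIP"], m["DstIP"])
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        count, earliest = stats.get(key, (0, t))
        stats[key] = (count + 1, min(earliest, t))
    hits = []
    for (src, dst), (count, earliest) in stats.items():
        if earliest <= threshold or count > 1:   # where earliest>... AND count<=1
            continue
        if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) not in INTERNAL:
            continue                             # search SrcIP=10.0.0.0/8 / DstIP=10.0.0.0/8
        if src in allowed_src or dst in allowed_dst:
            continue                             # NOT [| inputlookup ... ]
        hits.append((src, dst))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst in new_internal_pairs(SAMPLE_LOGS, SAMPLE_NOW):
        print(f"new internal connection: {src} -> {dst}")
```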