SPL
1st time connection between servers (FTD CISCO)
Description:
This query lists source-to-destination server pairs that appear for the first time, i.e. pairs seen only once, with their earliest event falling after the start of the previous day. It is still a work in progress and can be extended further. "White-listing" of known source and destination addresses happens through the two lookup files, which the query subtracts from the result.
Query:
index=nfw "Allow"
| rex "SrcIP.*?\b(?<SrcIP>\d+\.\d+\.\d+\.\d+).*?DstIP.*?\b(?<DstIP>\d+\.\d+\.\d+\.\d+)"
| stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP
| where earliest>relative_time(now(), "-1d@d") AND count<=1
| search DstIP=10.0.0.0/8 AND NOT [| inputlookup networkdestip.csv | fields DstIP]
| search SrcIP=10.0.0.0/8 AND NOT [| inputlookup networksrcip.csv | fields SrcIP]
| fields SrcIP, DstIP
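The same detection logic run offline over a handful of constructed log lines, as an added example that is not part of the original SPL. The FTD-style "Allow" lines, the timestamp used as a stand-in for now(), and the contents of networkdestip.csv and networksrcip.csv are all made up here; the regex mirrors the page's rex, the per-pair count/min/max mirrors the stats command, and the window check approximates relative_time(now(), "-1d@d") using UTC midnight, where Splunk would use the search's own time zone.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Same extraction the SPL rex performs: first IPv4 after "SrcIP", then first IPv4 after "DstIP".
PAIR_RE = re.compile(
    r"SrcIP.*?\b(?P<SrcIP>\d+\.\d+\.\d+\.\d+).*?DstIP.*?\b(?P<DstIP>\d+\.\d+\.\d+\.\d+)"
)

# Stand-in for now(); constructed so the sample below has a fixed answer.
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)

# Constructed FTD-style events as (timestamp, raw line); the field layout is hypothetical.
SAMPLE_EVENTS = [
    (NOW - timedelta(days=5), "AccessControlRuleAction: Allow, SrcIP: 10.1.1.10, DstIP: 10.2.2.20, DstPort: 443"),
    (NOW - timedelta(hours=3), "AccessControlRuleAction: Allow, SrcIP: 10.1.1.10, DstIP: 10.2.2.20, DstPort: 443"),
    (NOW - timedelta(hours=2), "AccessControlRuleAction: Allow, SrcIP: 10.1.1.11, DstIP: 10.2.2.21, DstPort: 22"),
    (NOW - timedelta(hours=1), "AccessControlRuleAction: Allow, SrcIP: 10.1.1.12, DstIP: 10.2.2.22, DstPort: 445"),
    (NOW - timedelta(hours=1), "AccessControlRuleAction: Allow, SrcIP: 10.1.1.13, DstIP: 8.8.8.8, DstPort: 53"),
    (NOW - timedelta(minutes=30), "AccessControlRuleAction: Allow, SrcIP: 10.9.9.9, DstIP: 10.2.2.23, DstPort: 80"),
    (NOW - timedelta(minutes=10), "AccessControlRuleAction: Block, SrcIP: 10.1.1.14, DstIP: 10.2.2.24, DstPort: 3389"),
]

# Constructed stand-ins for the two lookup files used for "white-listing".
NETWORKDESTIP_CSV = "DstIP\n10.2.2.22\n"
NETWORKSRCIP_CSV = "SrcIP\n10.9.9.9\n"

INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def load_lookup(csv_text, field):
    """Equivalent of `| inputlookup <file> | fields <field>`: the set of listed addresses."""
    return {row[field] for row in csv.DictReader(io.StringIO(csv_text))}


def new_server_pairs(events, now, dest_allowlist, src_allowlist):
    """Return (SrcIP, DstIP) pairs seen exactly once, first seen after the start of yesterday,
    with both ends inside 10.0.0.0/8 and neither end present in its lookup."""
    # stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP
    stats = {}
    for ts, raw in events:
        if "Allow" not in raw:          # index=nfw "Allow" matches the term anywhere in the event
            continue
        m = PAIR_RE.search(raw)
        if not m:                       # events the rex cannot parse drop out of the BY clause
            continue
        key = (m["SrcIP"], m["DstIP"])
        count, earliest, latest = stats.get(key, (0, ts, ts))
        stats[key] = (count + 1, min(earliest, ts), max(latest, ts))

    # relative_time(now(), "-1d@d"): midnight at the start of the previous day (UTC here).
    window_start = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)

    results = []
    for (src, dst), (count, earliest, _latest) in stats.items():
        if not (earliest > window_start and count <= 1):
            continue
        # search DstIP=10.0.0.0/8 AND NOT [| inputlookup networkdestip.csv | fields DstIP]
        if ipaddress.ip_address(dst) not in INTERNAL or dst in dest_allowlist:
            continue
        # search SrcIP=10.0.0.0/8 AND NOT [| inputlookup networksrcip.csv | fields SrcIP]
        if ipaddress.ip_address(src) not in INTERNAL or src in src_allowlist:
            continue
        results.append((src, dst))
    return sorted(results)


if __name__ == "__main__":
    hits = new_server_pairs(
        SAMPLE_EVENTS, NOW,
        load_lookup(NETWORKDESTIP_CSV, "DstIP"),
        load_lookup(NETWORKSRCIP_CSV, "SrcIP"),
    )
    for src, dst in hits:
        print(f"new pair: {src} -> {dst}")
```

Of the six Allow events, only 10.1.1.11 -> 10.2.2.21 survives: the 10.1.1.10 pair was first seen five days ago, 10.2.2.22 is in the destination lookup, 8.8.8.8 is outside 10.0.0.0/8, 10.9.9.9 is in the source lookup, and the Block event never matches the "Allow" term. One caveat the SPL shares with this script: "first time" is relative to whatever events are in scope, so a search time range shorter than the baseline you care about will flag long-standing pairs as new.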