updated as per the changes requested
hardikhdholariya committed Jul 4, 2024
1 parent 0d96e77 commit 801a548
Showing 1 changed file with 14 additions and 18 deletions.
32 changes: 14 additions & 18 deletions cyences_app_for_splunk/default/data/ui/views/cs_network_reports.xml
Expand Up @@ -128,11 +128,10 @@
<table>
<title>From $flow_map_viz-from$ To $flow_map_viz-to$</title>
<search>
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ AND All_Traffic.src_ip="$flow_map_viz-from$*" AND All_Traffic.dest_ip="$flow_map_viz-to$*" by host, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port, values(host) as reporting_device_ip from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ AND All_Traffic.src_ip="$flow_map_viz-from$*" AND All_Traffic.dest_ip="$flow_map_viz-to$*" by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action
| `drop_dm_object_name(All_Traffic)`
| eval total_MB = round(total_bytes/1024/1024, 2)
| eval total_k_packets = round(total_packets/1000)
| rename host as reporting_device_ip
| table reporting_device_ip src_ip no_src_port dest_ip no_dest_port action total_MB total_k_packets</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
Expand All @@ -148,11 +147,10 @@
<table>
<title>Subnet = $flow_map_viz-node$</title>
<search>
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ AND (All_Traffic.src_ip="$flow_map_viz-node$*" OR All_Traffic.dest_ip="$flow_map_viz-node$*") by host, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port, values(host) as reporting_device_ip from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ AND (All_Traffic.src_ip="$flow_map_viz-node$*" OR All_Traffic.dest_ip="$flow_map_viz-node$*") by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action
| `drop_dm_object_name(All_Traffic)`
| eval total_MB = round(total_bytes/1024/1024, 2)
| eval total_k_packets = round(total_packets/1000)
| rename host as reporting_device_ip
| table reporting_device_ip src_ip no_src_port dest_ip no_dest_port action total_MB total_k_packets</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
Expand All @@ -167,11 +165,10 @@
<title>All Internal Traffic</title>
<table>
<search>
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by host, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port, values(host) as reporting_device_ip from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action
| `drop_dm_object_name(All_Traffic)`
| eval total_MB = round(total_bytes/1024/1024, 2)
| eval total_k_packets = round(total_packets/1000)
| rename host as reporting_device_ip
| table reporting_device_ip src_ip no_src_port dest_ip no_dest_port action total_MB total_k_packets</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
Expand Down Expand Up @@ -283,7 +280,7 @@
<title>Vulnerable Internal Traffic</title>
<table>
<search>
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) by host, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.src_port, All_Traffic.dest_port All_Traffic.action
<query>| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, values(host) as host from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.src_port, All_Traffic.dest_port All_Traffic.action
| `drop_dm_object_name(All_Traffic)`
| append
[| inputlookup cs_all_vuln where (status="open" OR status="reopened") AND port!="0" AND ($tkn_vul_severity$)
Expand All @@ -294,26 +291,25 @@
| eval existing = 1
| appendpipe
[| eval src_ip = coalesce(ip, src_ip), src_port = coalesce(port, src_port)
| eval single_field1 = host."#".dest_ip."#".dest_port."#".action."#".total_bytes."#".total_packets
| stats count, values(signature) as signature, values(single_field1) as single_field1, values(is_vul) as is_src_vul by src_ip src_port]
| eval single_field1 = dest_ip."#".dest_port."#".action."#".total_bytes."#".total_packets
| stats count, values(host) as host, values(signature) as signature, values(single_field1) as single_field1, values(is_vul) as is_src_vul by src_ip src_port]
| appendpipe
[| where existing=1
| eval dest_ip = coalesce(ip, dest_ip), dest_port = coalesce(port, dest_port)
| eval single_field2 = host."#".src_ip."#".src_port."#".action."#".total_bytes."#".total_packets
| stats count, values(signature) as signature, values(single_field2) as single_field2, values(is_vul) as is_dest_vul by dest_ip dest_port]
| eval single_field2 = src_ip."#".src_port."#".action."#".total_bytes."#".total_packets
| stats count, values(host) as host, values(signature) as signature, values(single_field2) as single_field2, values(is_vul) as is_dest_vul by dest_ip dest_port]
| search (single_field1=* OR single_field2=*) (is_src_vul=* OR is_dest_vul=*)
| mvexpand single_field1
| mvexpand single_field2
| rex field=single_field1 "^(?&lt;host&gt;[^#]+)#(?&lt;dest_ip&gt;[^#]+)#(?&lt;dest_port&gt;[^#]+)#(?&lt;action&gt;[^#]+)#(?&lt;total_bytes&gt;[^#]+)#(?&lt;total_packets&gt;[^#]+)$"
| rex field=single_field2 "^(?&lt;host&gt;[^#]+)#(?&lt;src_ip&gt;[^#]+)#(?&lt;src_port&gt;[^#]+)#(?&lt;action&gt;[^#]+)#(?&lt;total_bytes&gt;[^#]+)#(?&lt;total_packets&gt;[^#]+)$"
| rex field=single_field1 "^(?&lt;dest_ip&gt;[^#]+)#(?&lt;dest_port&gt;[^#]+)#(?&lt;action&gt;[^#]+)#(?&lt;total_bytes&gt;[^#]+)#(?&lt;total_packets&gt;[^#]+)$"
| rex field=single_field2 "^(?&lt;src_ip&gt;[^#]+)#(?&lt;src_port&gt;[^#]+)#(?&lt;action&gt;[^#]+)#(?&lt;total_bytes&gt;[^#]+)#(?&lt;total_packets&gt;[^#]+)$"
| sort 0 -action, -total_bytes
| eval total_KB = round(total_bytes/1024, 2)
| eval total_k_packets = round(total_packets/1000,1)
| rename host as reporting_device_ip
| table reporting_device_ip src_ip src_port is_src_vul dest_ip dest_port is_dest_vul action total_KB total_k_packets signature
| appendpipe [| where is_src_vul=1 | stats values(is_src_vul) as is_src_vul, values(dest_ip) as dest_ips, sum(total_KB) as total_KB, sum(total_k_packets) as total_k_packets, dc(dest_port) as no_dest_ports, values(signature) as signature by reporting_device_ip, src_ip, src_port, action | eval is_new=1]
| appendpipe [| where is_dest_vul=1 | stats values(is_dest_vul) as is_dest_vul, values(src_ip) as src_ips, sum(total_KB) as total_KB, sum(total_k_packets) as total_k_packets, dc(src_port) as no_src_ports, values(signature) as signature by reporting_device_ip, dest_ip, dest_port, action | eval is_new=1]
| where is_new=1 | fields - is_new</query>
| table host src_ip src_port is_src_vul dest_ip dest_port is_dest_vul action total_KB total_k_packets signature
| appendpipe [| where is_src_vul=1 | stats values(host) as reporting_device_ip, values(is_src_vul) as is_src_vul, values(dest_ip) as dest_ips, sum(total_KB) as total_KB, sum(total_k_packets) as total_k_packets, dc(dest_port) as no_dest_ports, values(signature) as signature by src_ip, src_port, action | eval is_new=1]
| appendpipe [| where is_dest_vul=1 | stats values(host) as reporting_device_ip, values(is_dest_vul) as is_dest_vul, values(src_ip) as src_ips, sum(total_KB) as total_KB, sum(total_k_packets) as total_k_packets, dc(src_port) as no_src_ports, values(signature) as signature by dest_ip, dest_port, action | eval is_new=1]
| where is_new=1 | fields - is_new, host</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
</search>
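Review bot: In the last hunk, `values(host) as host` on the `stats ... by src_ip src_port` line (and its mirror `by dest_ip dest_port`) collects every reporting host for that source across all dest_ips and actions, while the final `appendpipe` regroups `values(host) as reporting_device_ip ... by src_ip, src_port, action`, so an action row can list devices that only reported that source with a different action; the removed version carried host inside `single_field1`/`single_field2` and re-extracted it per expanded row, so attribution was exact. If per-action attribution matters, keep host in the `single_field*` string (or add it to the intermediate `by` clauses) instead of aggregating it early. A related effect in the first three hunks: dropping `host` from the tstats `by` clause means `count`, `total_bytes` and `total_packets` are now summed across all reporting devices for the same src/dest/action tuple, so a flow logged by more than one sensor is counted once per sensor within a single row rather than shown per device; if that is intended, say so above the `<search>` element, e.g. `<!-- totals are summed across all reporting devices; reporting_device_ip is multivalue -->`. The enclosing `<table>`/`<search>` elements begin outside the hunk.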
