support for f5 bigip #607

Merged
merged 4 commits into from
Aug 8, 2024
Merged
4 changes: 3 additions & 1 deletion cyences_app_for_splunk/appserver/static/cs_overview.js
Expand Up @@ -52,6 +52,7 @@ require([
{ id: 'cs_malicious_ip_list', title: 'Malicious IP List' },
{ id: 'cs_mssql', title: 'MSSQL' },
{ id: 'cs_oracle', title: 'Oracle' },
{ id: 'cs_f5_bigip_asm', title: 'F5 BIGIP' },
]

let panel_depends_tokens = [
Expand All @@ -69,6 +70,7 @@ require([
{ token: 'linux', associated_products: ['Linux'] },
{ token: 'db_oracle', associated_products: ['Oracle'] },
{ token: 'db_mssql', associated_products: ['MSSQL'] },
{ token: 'f5_bigip', associated_products: ['F5 BIGIP'] },
]


Expand Down Expand Up @@ -171,7 +173,7 @@ require([
}
});

var tableIDs = ["tbl_network_compromise", "tbl_authentication", "tbl_credential_compromise", "tbl_ransomware", "tbl_linux", "tbl_ad_windows", "tbl_email", "tbl_o365", "tbl_gws", "tbl_aws", "tbl_antivirus", "tbl_monthly_alerts", "tbl_vulnerability", "tbl_db_oracle", "tbl_db_mssql" ];
var tableIDs = ["tbl_network_compromise", "tbl_authentication", "tbl_credential_compromise", "tbl_ransomware", "tbl_linux", "tbl_f5_bigip", "tbl_ad_windows", "tbl_email", "tbl_o365", "tbl_gws", "tbl_aws", "tbl_antivirus", "tbl_monthly_alerts", "tbl_vulnerability", "tbl_db_oracle", "tbl_db_mssql" ];
for (let i=0;i<tableIDs.length;i++) {
var sh = mvc.Components.getInstance(tableIDs[i]);
if(typeof(sh)!="undefined") {
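Review bot: The rewritten `tableIDs` line keeps `var` while the sibling declaration `let panel_depends_tokens` in the first hunk of this file uses block scoping; since the line is being replaced anyway, `const tableIDs = [ ... ];` would match the newer declarations and avoid a function-hoisted binding. The enclosing `require([` callback starts and ends outside the hunks shown.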
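--- a/cyences_app_for_splunk/bin/cs_product_list.py
+++ b/cyences_app_for_splunk/bin/cs_product_list.py
@@ -231,6 +231,19 @@ def build_source_reviewer_search(by, values, first_call=True):
 }
 ],
 },
+{
+"name": "F5 BIGIP",
+"macro_configurations": [
+{
+"macro_name": "cs_f5_bigip",
+"label": "F5 BIGIP Data",
+"search_by": "sourcetype",
+"search_values": "f5:bigip:syslog,f5:bigip:asm:syslog",
+"earliest_time": "-1d@d",
+"latest_time": "now",
+}
+],
+},
 {
 "name": "Palo Alto",
 "macro_configurations": [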
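--- a/cyences_app_for_splunk/default/data/ui/nav/default.xml
+++ b/cyences_app_for_splunk/default/data/ui/nav/default.xml
@@ -22,6 +22,7 @@
 </collection>
 <collection label="Network Devices">
 <view name="cs_network_reports" />
+<view name="cs_f5_bigip_asm" /><!--F5 BIGIP-->
 <view name="cs_fortigate_firewall" /><!--FortiGate-->
 <view name="cs_paloalto_firewall_reports" /><!--Palo Alto-->
 <view name="cs_sophos_firewall" /><!--Sophos Firewall-->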
242 changes: 242 additions & 0 deletions cyences_app_for_splunk/default/data/ui/views/cs_f5_bigip_asm.xml
@@ -0,0 +1,242 @@
<form version="1.1" theme="dark">
<label>F5 BIGIP ASM</label>
<fieldset submitButton="false">
<input type="time" token="timerange">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="tkn_severity" searchWhenChanged="true">
<label>Severity</label>
<choice value="critical">critical</choice>
<choice value="high">high</choice>
<choice value="medium">medium</choice>
<choice value="low">low</choice>
<choice value="informational">informational</choice>
<default>critical,high,medium,low</default>
<prefix>severity IN (</prefix>
<suffix>)</suffix>
<initialValue>critical,high,medium,low</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>,</delimiter>
</input>
<input type="text" token="tkn_src_ip" searchWhenChanged="true">
<label>Source IP</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>ip_client="</prefix>
<suffix>"</suffix>
</input>
<input type="text" token="tkn_dest_ip" searchWhenChanged="true">
<label>Destionation IP</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>dest_ip="</prefix>
<suffix>"</suffix>
</input>
</fieldset>
<row>
<panel>
<title>Top 10 Attack Type</title>
<table>
<search>
<query>`cs_f5_asm` attack_type!="N/A" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | top attack_type</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Top 10 Attack Type</title>
<chart>
<search>
<query>`cs_f5_asm` attack_type!="N/A" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | top attack_type</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Top 10 Source IP</title>
<table>
<search>
<query>`cs_f5_asm` attack_type!="N/A" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | top ip_client</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Top 10 Source IP</title>
<chart>
<search>
<query>`cs_f5_asm` attack_type!="N/A" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | top ip_client</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<title>Top Rules Over Time</title>
<search>
<query>`cs_f5_asm` attack_type!="N/A" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | timechart count by policy_name</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>
<title>Top Action</title>
<search>
<query>`cs_f5_asm` attack_type!="N/A" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | timechart count by enforcement_action</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<title>Top Blocked Source IPs</title>
<search>
<query>`cs_f5_asm` attack_type!="N/A" enforcement_action="block" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | timechart count by ip_client</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>
<title>Top Blocked Destionation IPs</title>
<search>
<query>`cs_f5_asm` attack_type!="N/A" enforcement_action="block" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | timechart count by dest_ip</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Blocked Source IPs</title>
<map>
<search>
<query>`cs_f5_asm` attack_type!="N/A" enforcement_action="block" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$ | iplocation ip_client | geostats latfield=lat longfield=lon count</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="mapping.choroplethLayer.colorBins">5</option>
<option name="mapping.choroplethLayer.colorMode">auto</option>
<option name="mapping.choroplethLayer.maximumColor">0xaf575a</option>
<option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option>
<option name="mapping.choroplethLayer.neutralPoint">0</option>
<option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
<option name="mapping.choroplethLayer.showBorder">1</option>
<option name="mapping.data.maxClusters">100</option>
<option name="mapping.legend.placement">bottomright</option>
<option name="mapping.map.center">(0,0)</option>
<option name="mapping.map.panning">1</option>
<option name="mapping.map.scrollZoom">0</option>
<option name="mapping.map.zoom">2</option>
<option name="mapping.markerLayer.markerMaxSize">50</option>
<option name="mapping.markerLayer.markerMinSize">10</option>
<option name="mapping.markerLayer.markerOpacity">0.8</option>
<option name="mapping.showTiles">1</option>
<option name="mapping.tileLayer.maxZoom">7</option>
<option name="mapping.tileLayer.minZoom">0</option>
<option name="mapping.tileLayer.tileOpacity">1</option>
<option name="mapping.type">marker</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</map>
</panel>
</row>
<row>
<panel>
<table>
<title>All Events</title>
<search>
<query>`cs_f5_asm` $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$
| table _time ip_client src_port dest_ip dest_port manage_ip_addr x_fwd_hdr_val attack_type enforcement_action blocking_exception_reason client_type credential_stuffing_lookup_result device_id enforced_by geo_info http_class ip_addr_intelli ip_route_domain login_result method mobile_application_name mobile_application_version policy_apply_date policy_name protocol protocol_info req_status resp_code route_domain severity sig_ids sig_names sub_violates threat_campaign_names unit_host uri username violate_details violate_rate violations virus_name is_trunct</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Attacks by IP</title>
<search>
<query>`cs_f5_asm` attack_type!="N/A" $tkn_src_ip$ $tkn_dest_ip$ $tkn_severity$
| table _time ip_client src_port dest_ip dest_port manage_ip_addr x_fwd_hdr_val attack_type enforcement_action blocking_exception_reason client_type credential_stuffing_lookup_result device_id enforced_by geo_info http_class ip_addr_intelli ip_route_domain login_result method mobile_application_name mobile_application_version policy_apply_date policy_name protocol protocol_info req_status resp_code route_domain severity sig_ids sig_names sub_violates threat_campaign_names unit_host uri username violate_details violate_rate violations virus_name is_trunct

We don't need all these fields for the upcoming `stats` command.

It is useful when we want to debug something by opening it in the search query.

| eval action = if(isnull(enforcement_action), "allow", enforcement_action)
| stats values(attack_type) as attack_type, count by ip_client, action
| eval action = action. "(". count . ")"
| stats values(attack_type) as attack_type, values(action) as action, sum(count) as total by ip_client
| iplocation ip_client
| fields - lat lon Region City
| sort - total</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
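Review bot: Every panel query in this dashboard, starting with the Top 10 Attack Type table, calls the macro `cs_f5_asm`, but the macro this PR adds in macros.conf is `cs_f5_bigip_asm` and the new saved search uses that name; unless `cs_f5_asm` is already defined elsewhere in the app, each panel will fail on an undefined macro. Switching the queries to `` `cs_f5_bigip_asm` `` would give the dashboard and the alert a single definition to maintain. Separately, the input label `Destionation IP` and the panel title `Top Blocked Destionation IPs` are misspelled and should read `Destination IP` / `Top Blocked Destination IPs`.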
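--- a/cyences_app_for_splunk/default/data/ui/views/cs_overview.xml
+++ b/cyences_app_for_splunk/default/data/ui/views/cs_overview.xml
@@ -457,6 +457,27 @@
 </drilldown>
 </table>
 </panel>
+<panel depends="$f5_bigip$">
+<title>F5 BIGIP</title>
+<table id="tbl_f5_bigip">
+<search base="basesearch">
+<query>| `cs_filter_savedsearches("F5 BIGIP")`</query>
+</search>
+<option name="count">10</option>
+<option name="drilldown">row</option>
+<option name="refresh.display">progressbar</option>
+<format type="color" field="disabled">
+<colorPalette type="map">{"1":#F7BC38}</colorPalette>
+</format>
+<format type="color" field="is_scheduled">
+<colorPalette type="map">{"0":#F7BC38}</colorPalette>
+</format>
+<fields>["Name","Notable Events"]</fields>
+<drilldown>
+<link target="_blank">/app/cyences_app_for_splunk/cs_forensics?form.tkn_savedsearch=$row.savedsearch_name$&amp;form.timeRange.earliest=$timeRange.earliest$&amp;form.timeRange.latest=$timeRange.latest$&amp;form.tkn_severity=$row.cyences_severity$&amp;$tkn_status_drilldown|n$</link>
+</drilldown>
+</table>
+</panel>
 </row>
 <row>
 <panel depends="$db_oracle$">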
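--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -1637,3 +1637,16 @@ iseval = 0
 [cs_cisco_ios_device_failed_login_filter]
 definition = search *
 iseval = 0
+
+# F5 BIGIP
+[cs_f5_bigip]
+definition = index=f5
+iseval = 0
+
+[cs_f5_bigip_asm]
+definition = `cs_f5_bigip` sourcetype="f5:bigip:asm:syslog" "ASM:"
+iseval = 0
+
+[cs_f5_bigip_not_blocked_attacks_filter]
+definition = search *
+iseval = 0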
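Review bot: `cs_f5_bigip` hard-codes `index=f5`, a deployment-specific value, and the `# F5 BIGIP` header does not say that this macro is the one place an administrator is expected to edit when the F5 BIG-IP add-on writes to a different index; a comment such as `# Set the index to where the Splunk Add-on for F5 BIG-IP stores its data; cs_f5_bigip_asm and the F5 alert inherit it` would make that intent explicit. The literal `"ASM:"` term in `cs_f5_bigip_asm` is applied on top of the sourcetype filter without explanation; a short comment on why the raw-text match is needed would help the next maintainer decide whether it can be relaxed.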
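--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -6679,3 +6679,39 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | cyencesinventorybackfill search_prefix="User Inventory - Lookup Gen" earliest_time="-24h@m" latest_time="now"
+
+
+[F5 BIGIP - Not Blocked Attacks]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 10 * * * *
+description = A not blocked attack events from F5 BIGIP ASM \
+\
+Data Collection - Splunk Add-on for F5 BIG-IP (https://splunkbase.splunk.com/app/2680).
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_f5_bigip_asm` ip_client="*" dest_ip="*" severity IN ("critical","high","medium") enforcement_action!=block attack_type!="JSON Parser Attack" \
+| eval cyences_severity = if(severity="informational", "info", severity) \
+| `cs_human_readable_time_format(_time, event_time)` \
+| table event_time cyences_severity ip_client src_port dest_ip dest_port manage_ip_addr x_fwd_hdr_val attack_type enforcement_action blocking_exception_reason client_type credential_stuffing_lookup_result device_id enforced_by geo_info http_class ip_addr_intelli ip_route_domain login_result method mobile_application_name mobile_application_version policy_apply_date policy_name protocol protocol_info req_status resp_code route_domain sig_ids sig_names sub_violates threat_campaign_names unit_host uri username violate_details violate_rate violations virus_name is_trunct \
+| `cs_f5_bigip_not_blocked_attacks_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_f5_bigip_not_blocked_attacks_filter
+action.cyences_notable_event_action.contributing_events = `cs_f5_bigip_asm` ip_client="*" dest_ip="*" severity IN ("critical","high","medium") enforcement_action!=block attack_type!="JSON Parser Attack"
+action.cyences_notable_event_action.system_compromised_search = | stats count by dest_ip
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_f5_bigip_asm` ip_client="*" dest_ip="*" severity IN ("critical","high","medium") enforcement_action!=block attack_type!="JSON Parser Attack" dest_ip=$row.dest_ip$
+action.cyences_notable_event_action.attacker_search = | stats count by ip_client
+action.cyences_notable_event_action.attacker_drilldown = `cs_f5_bigip_asm` ip_client="*" dest_ip="*" severity IN ("critical","high","medium") enforcement_action!=block attack_type!="JSON Parser Attack" ip_client=$row.ip_client$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = F5 BIGIP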
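Review bot: `enforcement_action!=block` in `search` (repeated in `contributing_events` and both drilldown searches) only matches events that carry the field, because a `!=` comparison in SPL excludes events where the field is absent; events with no enforcement_action at all, which the dashboard's Attacks by IP panel treats as `allow`, therefore never reach this alert. If those are meant to fire too, `NOT enforcement_action=block` keeps them while still dropping blocked events. The `ip_client="*" dest_ip="*"` terms are no-ops in a scheduled search with no tokens to fill and can be removed, and the `description` text `A not blocked attack events from F5 BIGIP ASM` would read better as `Attack events from F5 BIGIP ASM that were not blocked`. The `attack_type!="JSON Parser Attack"` exclusion is applied four times with no record of why; a comment above the stanza stating the reason would spare the next maintainer from guessing.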