Analyzer
Search
search examples:
(((receiver = "51sec_syslog" ) and deviceProduct = "ASA") and deviceAction = "denied" ) and (destinationAddress = "192.168.2.8" or destinationAddress = "192.168.2.9" )| fields sourceAddress
((sourceAddress = "10.1.22.14" and (destinationAddress ="172.21.1.107" or destinationAddress ="172.21.1.108" or destinationAddress ="172.21.1.11" or destinationAddress ="172.21.1.10") )) and not name = "Packet denied by Access List"| fields name,destinationPort
 Live Event Viewer
Dashboard
Reports
Configuration
YouTube Video for Web Gui OverView:
Search Example:
a. sourceAddress=1.1.1.2 and name startswith "TCP" and name contains "DEN" | fields requestUrl
b.  ((name CONTAINS "Search.cgi Command Injection Vulnerability" ) and destinationAddress = "14.47.251.171") AND deviceInboundInterface CONTAINS "11"| fields sourceAddress,destinationAddress,deviceInboundInterface
c. CEF "failed" | dedup name
Removes duplicate events from search results. That is, events that contain the same value in the specified field. The first matching event is kept, and the subsequent events with the same value in the specified field are removed.
It will search all logs which has 'failed' word then listed first found one in name field.
d. deviceProduct = "IronPort Web Security Appliance" | fields message
Some Useful SIEM Use Case Reports
Daily
1. Routers/Switches/Firewalls Commands and Configuration Changes
2. Successful Device Login Summary
3. Internal IPS Permitted Events
4. Internal IPS Denied Events
5. Firewall Denials
Weekly
1. Web Security Appliance URL Detections
2. Failed Device Login Details
3. Denied outbound connections by src-dst / src -ports
4. Remote VPN Authentication Report
5. IPS Top Attacks Weekly
6. IPS Top blocked events weekly
7. IPS Top allowed events weekly
8. Top WSA Websites
9. IronPort WSA Overview Weekly Report
10. IronPort ESA Overview Weekly Report
References:
((sourceAddress = "10.1.22.14" and (destinationAddress ="172.21.1.107" or destinationAddress ="172.21.1.108" or destinationAddress ="172.21.1.11" or destinationAddress ="172.21.1.10") )) and not name = "Packet denied by Access List"| fields name,destinationPort
 Live Event Viewer
Dashboard
Reports
Configuration
YouTube Video for Web Gui OverView:
a. sourceAddress=1.1.1.2 and name startswith "TCP" and name contains "DEN" | fields requestUrl
b.  ((name CONTAINS "Search.cgi Command Injection Vulnerability" ) and destinationAddress = "14.47.251.171") AND deviceInboundInterface CONTAINS "11"| fields sourceAddress,destinationAddress,deviceInboundInterface
c. CEF "failed" | dedup name
Removes duplicate events from search results. That is, events that contain the same value in the specified field. The first matching event is kept, and the subsequent events with the same value in the specified field are removed.
It will search all logs which has 'failed' word then listed first found one in name field.
d. deviceProduct = "IronPort Web Security Appliance" | fields message
Some Useful SIEM Use Case Reports
Daily
1. Routers/Switches/Firewalls Commands and Configuration Changes
2. Successful Device Login Summary
3. Internal IPS Permitted Events
4. Internal IPS Denied Events
5. Firewall Denials
Weekly
1. Web Security Appliance URL Detections
2. Failed Device Login Details
3. Denied outbound connections by src-dst / src -ports
4. Remote VPN Authentication Report
5. IPS Top Attacks Weekly
6. IPS Top blocked events weekly
7. IPS Top allowed events weekly
8. Top WSA Websites
9. IronPort WSA Overview Weekly Report
10. IronPort ESA Overview Weekly Report
References:
![[5 Mins Docker] Deploy FreshRSS Using Docker Run Command and Deploy To Fly.io](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tG_BL_4Xg9B1At_iJ-wr7zrg5HyLBVzDUxZUxAAxSgxUpofZnmjSDkgqfG9LomhEkMHrD-yQs31GxhSMuoXJBWLIaXaoFXXDB8jue24tqJmg)
No comments:
Post a Comment