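Splunk searches for Cisco ASA syslog (sourcetype="cisco:asa").
Note: the field names used below (src_ip, dest_ip, bytes, packets, duration, direction, interface, protocol, user/username)
and the action values (allow, deny, drop) depend on the add-on's extractions; Splunk's CIM-compliant Cisco ASA add-on
reports action as allowed/blocked, so run sourcetype="cisco:asa" | stats count by action first and adjust the values.
The searches below mix action=drop and action=deny, and user and username, for the same concept - pick one per environment.
Note: a quoted message ID is a phrase search, so a prefix such as "%ASA-6-113" does not match 113005; use a trailing
wildcard ("%ASA-6-113*") or the add-on's message_id field where it is extracted.
Note: bytes and duration are only reported on teardown messages (302014 TCP, 302016 UDP); build messages (302013 TCP,
302015 UDP) carry neither. The raw duration is h:mm:ss - confirm the add-on converts it to seconds before comparing it
with a number.
Note: the thresholds (1000000 bytes, 10000 packets, 3600 s) are examples to tune per environment.
Top blocked IPs:
sourcetype="cisco:asa" action=drop
| top limit=10 src_ip
Top blocked ports:
sourcetype="cisco:asa" action=drop
| top limit=10 dest_port
Top allowed protocols:
sourcetype="cisco:asa" action=allow
| top limit=10 protocol
VPN connections (the phrase "VPN session" must appear in the raw event - verify against the platform's VPN messages, e.g. 113019/113039):
sourcetype="cisco:asa" "VPN session"
| stats count by username
Authentication failures (113005 = AAA authentication rejected, 605004 = login denied; 111008 logs executed commands, not failed logins):
sourcetype="cisco:asa" ("%ASA-6-113005" OR "%ASA-6-605004")
| stats count by username
Inbound traffic by destination IP:
sourcetype="cisco:asa" direction=inbound
| stats sum(bytes) by dest_ip
Outbound traffic by source IP:
sourcetype="cisco:asa" direction=outbound
| stats sum(bytes) by src_ip
Firewall policy changes (111010 = configuration command executed by a user; policy_name is not a stock extraction, confirm it exists):
sourcetype="cisco:asa" "%ASA-5-111010"
| table _time, user, action, policy_name
Top ICMP types:
sourcetype="cisco:asa" icmp
| top limit=10 icmp_type
Firewalls reporting the most threat-detection events (733100 rate exceeded, 733101 scanning, 733102 shun; 410xxx/411xxx are DNS-drop and interface line-protocol messages, not threats):
sourcetype="cisco:asa" ("%ASA-4-733100" OR "%ASA-4-733101" OR "%ASA-4-733102")
| top limit=10 host
Firewall restart events (199001 = reload command executed, 199002 = startup completed; 302014 is a TCP teardown, not a restart):
sourcetype="cisco:asa" ("%ASA-5-199001" OR "%ASA-6-199002")
| table _time, host, _raw
Top source countries for blocked traffic:
sourcetype="cisco:asa" action=drop
| iplocation src_ip
| top limit=10 Country
Top destination countries for allowed traffic:
sourcetype="cisco:asa" action=allow
| iplocation dest_ip
| top limit=10 Country
Firewall configuration changes (111005 = end of a configuration session; config_change is not a stock extraction, confirm it exists):
sourcetype="cisco:asa" "%ASA-5-111005"
| table _time, user, action, config_change
Top connection build events by source IP (302013 TCP, 302015 UDP):
sourcetype="cisco:asa" ("%ASA-6-302013" OR "%ASA-6-302015")
| top limit=10 src_ip
Top connection teardown events by source IP (302014 TCP, 302016 UDP; 302015 is a UDP build, not a teardown):
sourcetype="cisco:asa" ("%ASA-6-302014" OR "%ASA-6-302016")
| top limit=10 src_ip
Denied traffic by protocol:
sourcetype="cisco:asa" action=deny
| stats count by protocol
Connections with high bytes transferred (teardown messages only - build messages have no byte count):
sourcetype="cisco:asa" ("%ASA-6-302014" OR "%ASA-6-302016")
| where bytes>1000000
| table _time, src_ip, dest_ip, bytes
ACL rule changes (configuration commands containing "access-list"; 111009 covers command execution that does not alter the configuration - confirm against the syslog reference):
sourcetype="cisco:asa" ("%ASA-5-111008" OR "%ASA-5-111010") "access-list"
| table _time, user, _raw
Top denied IP pairs:
sourcetype="cisco:asa" action=deny
| stats count by src_ip, dest_ip
| sort 10 -count
Top allowed IP pairs:
sourcetype="cisco:asa" action=allow
| stats count by src_ip, dest_ip
| sort 10 -count
Top VPN users by connection time:
sourcetype="cisco:asa" "VPN session"
| stats sum(duration) as total_time by username
| sort 10 -total_time
Connections with high duration (teardown messages only; duration must be numeric seconds):
sourcetype="cisco:asa" ("%ASA-6-302014" OR "%ASA-6-302016")
| where duration>3600
| table _time, src_ip, dest_ip, duration
SSH authentication events (605004 = login denied, 605005 = login permitted; the raw message names the service, here ssh):
sourcetype="cisco:asa" ("%ASA-6-605004" OR "%ASA-6-605005") ssh
| table _time, user, action
Top source IP addresses for threat-detection rate-exceeded events, e.g. SYN attack (733100 reports aggregate rates - confirm src_ip/dest_ip are populated for it):
sourcetype="cisco:asa" "%ASA-4-733100"
| top limit=10 src_ip
Top destination IP addresses for threat-detection rate-exceeded events:
sourcetype="cisco:asa" "%ASA-4-733100"
| top limit=10 dest_ip
Top allowed inbound services:
sourcetype="cisco:asa" action=allow direction=inbound
| top limit=10 dest_service
Top allowed outbound services:
sourcetype="cisco:asa" action=allow direction=outbound
| top limit=10 dest_service
Firewall interface state changes (411001 = line protocol up, 411002 = line protocol down; 111003 is a configuration message, not an interface event):
sourcetype="cisco:asa" ("%ASA-4-411001" OR "%ASA-4-411002")
| table _time, host, interface, _raw
Top source IP addresses for duplicate TCP SYN with a different initial sequence number (419002; this is not a connection-limit drop):
sourcetype="cisco:asa" "%ASA-4-419002"
| top limit=10 src_ip
Top source IP addresses for port scanning attacks (733101 = host/subnet in scanning; confirm src_ip is extracted for it):
sourcetype="cisco:asa" "%ASA-4-733101"
| top limit=10 src_ip
Top destination IP addresses for port scanning attacks:
sourcetype="cisco:asa" "%ASA-4-733101"
| top limit=10 dest_ip
Top source IP addresses shunned by threat detection (733102 = host added to the shun list, not an unauthorized-access message; confirm src_ip is extracted for it):
sourcetype="cisco:asa" "%ASA-4-733102"
| top limit=10 src_ip
Top destination IP addresses in shun events:
sourcetype="cisco:asa" "%ASA-4-733102"
| top limit=10 dest_ip
Top source IP addresses for packets with invalid checksums (507001-507004 are TCP-proxy/inspection messages in the ASA syslog reference, not checksum/header/length/fragment validation - confirm the IDs before relying on the four groups below):
sourcetype="cisco:asa" "%ASA-4-507003"
| top limit=10 src_ip
Top destination IP addresses for packets with invalid checksums:
sourcetype="cisco:asa" "%ASA-4-507003"
| top limit=10 dest_ip
Top source IP addresses for packets with invalid headers:
sourcetype="cisco:asa" "%ASA-4-507001"
| top limit=10 src_ip
Top destination IP addresses for packets with invalid headers:
sourcetype="cisco:asa" "%ASA-4-507001"
| top limit=10 dest_ip
Top source IP addresses for packets with invalid lengths:
sourcetype="cisco:asa" "%ASA-4-507002"
| top limit=10 src_ip
Top destination IP addresses for packets with invalid lengths:
sourcetype="cisco:asa" "%ASA-4-507002"
| top limit=10 dest_ip
Top source IP addresses for fragmented packets:
sourcetype="cisco:asa" "%ASA-4-507004"
| top limit=10 src_ip
Top destination IP addresses for fragmented packets:
sourcetype="cisco:asa" "%ASA-4-507004"
| top limit=10 dest_ip
Top source IP addresses for denied ICMP packets (the bare protocol keywords below match the protocol name in the raw deny message; protocols other than tcp/udp/icmp may be logged by IP protocol number instead, e.g. 47 for GRE - check what the deny messages contain):
sourcetype="cisco:asa" action=deny icmp
| top limit=10 src_ip
Top destination IP addresses for denied ICMP packets:
sourcetype="cisco:asa" action=deny icmp
| top limit=10 dest_ip
Top source IP addresses for denied TCP packets:
sourcetype="cisco:asa" action=deny tcp
| top limit=10 src_ip
Top destination IP addresses for denied TCP packets:
sourcetype="cisco:asa" action=deny tcp
| top limit=10 dest_ip
Top source IP addresses for denied UDP packets:
sourcetype="cisco:asa" action=deny udp
| top limit=10 src_ip
Top destination IP addresses for denied UDP packets:
sourcetype="cisco:asa" action=deny udp
| top limit=10 dest_ip
Allowed connections by duration (teardown messages only):
sourcetype="cisco:asa" action=allow ("%ASA-6-302014" OR "%ASA-6-302016")
| stats avg(duration) as average_duration by src_ip, dest_ip
| sort 10 -average_duration
Denied connections over time (a denied packet never becomes a built/torn-down connection, so a denied-by-duration search returns nothing; count them per hour instead):
sourcetype="cisco:asa" action=deny
| timechart span=1h count
Top source IP addresses for denied GRE packets:
sourcetype="cisco:asa" action=deny gre
| top limit=10 src_ip
Top destination IP addresses for denied GRE packets:
sourcetype="cisco:asa" action=deny gre
| top limit=10 dest_ip
Connections with high packet rates (packets per second of connection lifetime; zero-duration connections are skipped to avoid dividing by zero; packets is not a stock ASA teardown field, confirm it exists):
sourcetype="cisco:asa" ("%ASA-6-302014" OR "%ASA-6-302016")
| where duration>0
| eval packets_per_sec=round(packets/duration)
| where packets_per_sec>10000
| table _time, src_ip, dest_ip, duration, packets, packets_per_sec
Connections with high byte rates (bytes per second of connection lifetime; "high bytes transferred" above covers the total):
sourcetype="cisco:asa" ("%ASA-6-302014" OR "%ASA-6-302016")
| where duration>0
| eval bytes_per_sec=round(bytes/duration)
| where bytes_per_sec>1000000
| table _time, src_ip, dest_ip, duration, bytes, bytes_per_sec
Top source IP addresses for denied ESP packets:
sourcetype="cisco:asa" action=deny esp
| top limit=10 src_ip
Top destination IP addresses for denied ESP packets:
sourcetype="cisco:asa" action=deny esp
| top limit=10 dest_ip
Top source IP addresses for denied AH packets:
sourcetype="cisco:asa" action=deny ah
| top limit=10 src_ip
Top destination IP addresses for denied AH packets:
sourcetype="cisco:asa" action=deny ah
| top limit=10 dest_ip
Top source IP addresses for denied SCTP packets:
sourcetype="cisco:asa" action=deny sctp
| top limit=10 src_ip
Top destination IP addresses for denied SCTP packets:
sourcetype="cisco:asa" action=deny sctp
| top limit=10 dest_ip
Allowed connections by protocol:
sourcetype="cisco:asa" action=allow
| stats count by protocol
| sort 10 -count
Denied connections by protocol:
sourcetype="cisco:asa" action=deny
| stats count by protocol
| sort 10 -count
Top source IP addresses for denied IP packets (the keyword ip only matches if that literal token appears in the deny message - confirm before relying on it):
sourcetype="cisco:asa" action=deny ip
| top limit=10 src_ip
Top destination IP addresses for denied IP packets:
sourcetype="cisco:asa" action=deny ip
| top limit=10 dest_ip
Top source IP addresses for denied IPIP packets:
sourcetype="cisco:asa" action=deny ipip
| top limit=10 src_ip
Top destination IP addresses for denied IPIP packets:
sourcetype="cisco:asa" action=deny ipip
| top limit=10 dest_ip
Top source IP addresses for denied IPv6 packets (ASA deny messages carry the IPv6 addresses, not the word ipv6 - confirm a matching token exists, or filter on the address format instead):
sourcetype="cisco:asa" action=deny ipv6
| top limit=10 src_ip
Top destination IP addresses for denied IPv6 packets:
sourcetype="cisco:asa" action=deny ipv6
| top limit=10 dest_ip
Allowed connections by interface:
sourcetype="cisco:asa" action=allow
| stats count by interface
| sort 10 -count
Denied connections by interface:
sourcetype="cisco:asa" action=deny
| stats count by interface
| sort 10 -count
Top source IP addresses for denied MPLS packets (MPLS and PPPoE are not IP protocols; an IP ACL deny never names them, so these only match EtherType-ACL denies that carry the literal word - confirm before relying on them):
sourcetype="cisco:asa" action=deny mpls
| top limit=10 src_ip
Top destination IP addresses for denied MPLS packets:
sourcetype="cisco:asa" action=deny mpls
| top limit=10 dest_ip
Top source IP addresses for denied L2TP packets (L2TP runs over UDP/1701, so match the port rather than a protocol name):
sourcetype="cisco:asa" action=deny udp dest_port=1701
| top limit=10 src_ip
Top destination IP addresses for denied L2TP packets:
sourcetype="cisco:asa" action=deny udp dest_port=1701
| top limit=10 dest_ip
Top source IP addresses for denied PPTP packets (PPTP control runs over TCP/1723; its data channel is GRE, covered above):
sourcetype="cisco:asa" action=deny tcp dest_port=1723
| top limit=10 src_ip
Top destination IP addresses for denied PPTP packets:
sourcetype="cisco:asa" action=deny tcp dest_port=1723
| top limit=10 dest_ip
Top source IP addresses for denied PPPoE packets:
sourcetype="cisco:asa" action=deny pppoe
| top limit=10 src_ip
Top destination IP addresses for denied PPPoE packets:
sourcetype="cisco:asa" action=deny pppoe
| top limit=10 dest_ip
Top source IP addresses for denied OSPF packets (IP protocol 89; may be logged by number rather than name):
sourcetype="cisco:asa" action=deny ospf
| top limit=10 src_ip
Top destination IP addresses for denied OSPF packets:
sourcetype="cisco:asa" action=deny ospf
| top limit=10 dest_ip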