Last active
May 1, 2023 17:15
-
-
Save superducktoes/d2a7fee8ae953e54752c71771dabbb8f to your computer and use it in GitHub Desktop.
Firewall dashboard for Splunk enriching with GreyNoise data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form theme="dark"> | |
| <label>GreyNoise Firewall Data</label> | |
| <fieldset submitButton="false"> | |
| <input type="time" token="field1"> | |
| <label></label> | |
| <default> | |
| <earliest>-24h@h</earliest> | |
| <latest>now</latest> | |
| </default> | |
| </input> | |
| </fieldset> | |
| <row> | |
| <panel> | |
| <map> | |
| <search> | |
| <query>index=main SRC!=10.0.0.* | |
| | iplocation SRC | |
| | stats count by Country | |
| | geom geo_countries featureIdField="Country"</query> | |
| <earliest>-30d@d</earliest> | |
| <latest>now</latest> | |
| <sampleRatio>1</sampleRatio> | |
| </search> | |
| <option name="drilldown">none</option> | |
| <option name="height">501</option> | |
| <option name="mapping.choroplethLayer.colorBins">6</option> | |
| <option name="mapping.choroplethLayer.colorMode">auto</option> | |
| <option name="mapping.choroplethLayer.maximumColor">0xaf575a</option> | |
| <option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option> | |
| <option name="mapping.choroplethLayer.neutralPoint">0</option> | |
| <option name="mapping.choroplethLayer.shapeOpacity">0.75</option> | |
| <option name="mapping.choroplethLayer.showBorder">0</option> | |
| <option name="mapping.data.maxClusters">100</option> | |
| <option name="mapping.legend.placement">bottomright</option> | |
| <option name="mapping.map.center">(0,0)</option> | |
| <option name="mapping.map.panning">1</option> | |
| <option name="mapping.map.scrollZoom">0</option> | |
| <option name="mapping.map.zoom">2</option> | |
| <option name="mapping.markerLayer.markerMaxSize">50</option> | |
| <option name="mapping.markerLayer.markerMinSize">10</option> | |
| <option name="mapping.markerLayer.markerOpacity">0.8</option> | |
| <option name="mapping.showTiles">1</option> | |
| <option name="mapping.tileLayer.maxZoom">7</option> | |
| <option name="mapping.tileLayer.minZoom">0</option> | |
| <option name="mapping.tileLayer.tileOpacity">1</option> | |
| <option name="mapping.type">choropleth</option> | |
| <option name="trellis.enabled">0</option> | |
| <option name="trellis.scales.shared">1</option> | |
| <option name="trellis.size">medium</option> | |
| </map> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <title>GreyNoise Noise</title> | |
| <table> | |
| <search> | |
| <query>index=main SRC!=10.0.0.* | |
| | stats count by SRC | |
| | where count > 10 | gnfilter ip_field=SRC noise_events=true | |
| | gnenrich ip_field=SRC | |
| | search greynoise_classification=unknown | |
| | rename SRC as IP, count as Count, greynoise_tags as Tags, greynoise_classification as Classification | |
| | table IP, Count, Tags, Classification | |
| | sort - Count</query> | |
| <earliest>$field1.earliest$</earliest> | |
| <latest>$field1.latest$</latest> | |
| <sampleRatio>1</sampleRatio> | |
| </search> | |
| <option name="count">10</option> | |
| <option name="dataOverlayMode">none</option> | |
| <option name="drilldown">none</option> | |
| <option name="percentagesRow">false</option> | |
| <option name="refresh.display">progressbar</option> | |
| <option name="rowNumbers">false</option> | |
| <option name="totalsRow">false</option> | |
| <option name="wrap">true</option> | |
| </table> | |
| </panel> | |
| <panel> | |
| <title>GreyNoise Malicious</title> | |
| <table> | |
| <search> | |
| <query>index=main SRC!=10.0.0.* | |
| | stats count by SRC | |
| | where count >= 5 | |
| | gnfilter ip_field=SRC noise_events=true | |
| | gnenrich ip_field=SRC | |
| | search greynoise_classification=malicious | |
| | rename SRC as IP, count as Count, greynoise_tags as Tags, greynoise_classification as Classification | |
| | table IP, Count, Tags, Classification | |
| | sort - Count</query> | |
| <earliest>$field1.earliest$</earliest> | |
| <latest>$field1.latest$</latest> | |
| <sampleRatio>1</sampleRatio> | |
| </search> | |
| <option name="count">5</option> | |
| <option name="dataOverlayMode">none</option> | |
| <option name="drilldown">none</option> | |
| <option name="percentagesRow">false</option> | |
| <option name="refresh.display">progressbar</option> | |
| <option name="rowNumbers">false</option> | |
| <option name="totalsRow">false</option> | |
| <option name="wrap">true</option> | |
| </table> | |
| </panel> | |
| <panel> | |
| <title>No GreyNoise Data</title> | |
| <table> | |
| <search> | |
| <query>index=main SRC!=10.0.0.* SRC!=254.128.0.0 SRC!=127.0.0.1 SRC!=161.35.50.13 SRC!=10.116.* SRC!=172.31.89.243 SRC!=192.168.1.1 | |
| | stats count by SRC | |
| | where count > 10 | |
| | gnfilter ip_field=SRC noise_events=false | |
| | rename SRC as IP, count as Count, greynoise_tags as Tags, greynoise_classification as Classification | |
| | table IP, Count | |
| | sort - Count</query> | |
| <earliest>$field1.earliest$</earliest> | |
| <latest>$field1.latest$</latest> | |
| <sampleRatio>1</sampleRatio> | |
| </search> | |
| <option name="count">10</option> | |
| <option name="dataOverlayMode">none</option> | |
| <option name="drilldown">none</option> | |
| <option name="percentagesRow">false</option> | |
| <option name="refresh.display">progressbar</option> | |
| <option name="rowNumbers">false</option> | |
| <option name="totalsRow">false</option> | |
| <option name="wrap">true</option> | |
| </table> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <title>Noise Change Last 24 Hours</title> | |
| <single> | |
| <search> | |
| <query>index=main SRC!=10.0.0.* | |
| | lookup gn_scan_deployment_ip_lookup _key as SRC | |
| | where noise=1 | |
| | timechart span=1h count(SRC) | |
| | rename count(SRC) as "Noise"</query> | |
| <earliest>-24h@h</earliest> | |
| <latest>now</latest> | |
| <sampleRatio>1</sampleRatio> | |
| </search> | |
| <option name="colorBy">trend</option> | |
| <option name="colorMode">none</option> | |
| <option name="drilldown">none</option> | |
| <option name="numberPrecision">0</option> | |
| <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> | |
| <option name="rangeValues">[0,30,70,100]</option> | |
| <option name="refresh.display">progressbar</option> | |
| <option name="showSparkline">1</option> | |
| <option name="showTrendIndicator">1</option> | |
| <option name="trellis.enabled">0</option> | |
| <option name="trellis.scales.shared">1</option> | |
| <option name="trellis.size">medium</option> | |
| <option name="trendColorInterpretation">inverse</option> | |
| <option name="trendDisplayMode">percent</option> | |
| <option name="trendInterval">-24h</option> | |
| <option name="unitPosition">after</option> | |
| <option name="useColors">1</option> | |
| <option name="useThousandSeparators">1</option> | |
| </single> | |
| </panel> | |
| <panel> | |
| <title>Benign Scanners</title> | |
| <chart> | |
| <search> | |
| <query>index=main SRC!=10.0.0.* | |
| | stats count by SRC | |
| | gnenrich ip_field=SRC | search greynoise_classification = benign | stats count by greynoise_actor | sort - count</query> | |
| <earliest>-24h@h</earliest> | |
| <latest>now</latest> | |
| <sampleRatio>1</sampleRatio> | |
| </search> | |
| <option name="charting.chart">pie</option> | |
| <option name="charting.drilldown">none</option> | |
| <option name="refresh.display">progressbar</option> | |
| </chart> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <title>CVE's By IP</title> | |
| <chart> | |
| <search> | |
| <query>index=main source=/var/log/ufw.log | gnquick ip_field=SRC | search greynoise_noise=1 | gnenrich ip_field=SRC | stats count by greynoise_cve</query> | |
| <earliest>-24h@h</earliest> | |
| <latest>now</latest> | |
| <sampleRatio>1</sampleRatio> | |
| </search> | |
| <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> | |
| <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> | |
| <option name="charting.axisTitleX.visibility">visible</option> | |
| <option name="charting.axisTitleY.visibility">visible</option> | |
| <option name="charting.axisTitleY2.visibility">visible</option> | |
| <option name="charting.axisX.abbreviation">none</option> | |
| <option name="charting.axisX.scale">linear</option> | |
| <option name="charting.axisY.abbreviation">none</option> | |
| <option name="charting.axisY.scale">linear</option> | |
| <option name="charting.axisY2.abbreviation">none</option> | |
| <option name="charting.axisY2.enabled">0</option> | |
| <option name="charting.axisY2.scale">inherit</option> | |
| <option name="charting.chart">pie</option> | |
| <option name="charting.chart.bubbleMaximumSize">50</option> | |
| <option name="charting.chart.bubbleMinimumSize">10</option> | |
| <option name="charting.chart.bubbleSizeBy">area</option> | |
| <option name="charting.chart.nullValueMode">gaps</option> | |
| <option name="charting.chart.showDataLabels">none</option> | |
| <option name="charting.chart.sliceCollapsingThreshold">0.01</option> | |
| <option name="charting.chart.stackMode">default</option> | |
| <option name="charting.chart.style">shiny</option> | |
| <option name="charting.drilldown">none</option> | |
| <option name="charting.layout.splitSeries">0</option> | |
| <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> | |
| <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> | |
| <option name="charting.legend.mode">standard</option> | |
| <option name="charting.legend.placement">right</option> | |
| <option name="charting.lineWidth">2</option> | |
| <option name="trellis.enabled">0</option> | |
| <option name="trellis.scales.shared">1</option> | |
| <option name="trellis.size">medium</option> | |
| </chart> | |
| </panel> | |
| </row> | |
| </form> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment