topic Re: Filter-List in General Topics

Filter-List

aziz_paloalto — Sun, 06 Aug 2017 08:56:54 GMT

Hello everyone!

any one has list of safed filters that could help a lot and saves our time

Re: Filter-List

Raido_Rattameister — Sun, 06 Aug 2017 18:13:13 GMT

Hey what exactly you mean?

Are you referring to reccomended ruleset or traffic log filter to search for anomalies or something else?

Re: Filter-List

BPry — Mon, 07 Aug 2017 18:16:12 GMT

@aziz_paloalto,

Most filters are going to be specific to that persons enviroment and therefore wouldn't do a lot of good without having to heavily modify that filter. If you need help building out a specific filter we could probably help with that.

Re: Filter-List

aziz_paloalto — Wed, 09 Aug 2017 09:54:57 GMT

I mean the traffic log filter , data filtiring , url filtiring etc

I mean the common filter that i could save to the filters

Re: Filter-List

aziz_paloalto — Wed, 09 Aug 2017 09:56:03 GMT

I really appreciate it and that would be helpful

Re: Filter-List

BPry — Wed, 09 Aug 2017 13:10:16 GMT

@aziz_paloalto,

I don't think I understand exactly what you are asking for. Do you mean your to filter results? There really isn't a 'common filter' that I have in my enviroment that would work in yours as filters generally specify at the very least IP ranges that you are looking at. I've listed some of the most common filters below that may help you if that's what you're asking for? Any filter you build is going to be dependent on what you are looking for, and truthfully I don't often find myself saving filters. If you find yourself running the same query over and over again it's probably easier to just build that query into a custom report that you can run.

( addr in address )

( addr.src in address )

( addr.dst in address )

( zone.dst in zone )

( zone.src in zone )

( rule eq 'rule' )

( action eq action )

( user.src eq user )

( user.dst eq user )

( app eq application )

( port.dst eq port )

( port.src eq port )

( severity eq severity )

You don't have to specify eq here for equals, you could easily do a geq or a leq instead. For example generally I'll have a ( severity geq medium ) filter when I look in the threat log or I'll just filter out the information ones by a ' not ( severity eq informational )' filter

Any of these can be tied together with an 'and', 'or', 'and not', 'or not' and similar. Addresses can be specified as either a sole address such as 10.191.16.61 or as 10.191.16.0/24 or 10.191.0.0/16. So one of my traffic query's may be

(( addr.src in 10.191.0.0/16 ) and ( zone.dst eq untrust )) and (rule eq 'LAB Users).

Likewise a URL Filtering filter that I commonly do is (category eq adult) or switch out adult for block-list.

Because of the differences in policy and enviroments I can't really say if any of these filters really works for you as I presented them in my examples; I would be less worried about saving filters as generally you wouldn't run a filter that's actually that long as regardless of platform it takes a while to actually process the longer your filter gets. For example ( addr in 10.191.16.61 ) generates really quickly. A more detailed filter of ' ( addr.src in 10.191.0.0/16 ) and (( zone.dst eq untrust ) and ( rule eq 'Alert on Unknown Users')) and not (( addr.dst in 8.8.8.8 ) or (addr.dst in 8.8.4.4 ) or ( addr.dst in 206.145.187.198 ) or ( addr.dst in 206.145.187.201 ))' is going to take a lot longer to process as it has to evaluate all of the criteria that you specified and find the logs that still apply with your filter specified.

Hopefully something like this is what you were looking for.

Re: Filter-List

jvalentine — Wed, 09 Aug 2017 20:51:19 GMT

One of my favorite filters is to find blocked traffic. In the UNIFIED LOG, try this filter:

(addr in 1.1.1.1) and (action neq allow) and (action neq alert)

That will show you blocked traffic for 1.1.1.1, from any of the features/functions in the Firewall, including AV, WildFire, IPS, C2, Data Filter/File Blocking, URL Filtering, etc.

Re: Filter-List

aziz_paloalto — Thu, 10 Aug 2017 06:10:53 GMT

mostlly you've covered everything needed for what I meant

and gave good summary that could help others too.