08-06-2017 01:56 AM
Hello everyone!
Does anyone have a list of saved filters that could help a lot and save our time?
08-09-2017 06:10 AM
I don't think I understand exactly what you are asking for. Do you mean filters for your results? There really isn't a 'common filter' that I have in my environment that would work in yours, as filters generally specify at the very least the IP ranges that you are looking at. I've listed some of the most common filters below that may help you, if that's what you're asking for. Any filter you build is going to be dependent on what you are looking for, and truthfully I don't often find myself saving filters. If you find yourself running the same query over and over again, it's probably easier to just build that query into a custom report that you can run.
( addr in address )
( addr.src in address )
( addr.dst in address )
( zone.dst in zone )
( zone.src in zone )
( rule eq 'rule' )
( action eq action )
( user.src eq user )
( user.dst eq user )
( app eq application )
( port.dst eq port )
( port.src eq port )
( severity eq severity )
You don't have to specify eq here for equals; you could easily do a geq or a leq instead. For example, generally I'll have a ( severity geq medium ) filter when I look in the threat log, or I'll just filter out the informational ones with a ' not ( severity eq informational )' filter.
Any of these can be tied together with an 'and', 'or', 'and not', 'or not' and similar. Addresses can be specified as either a sole address such as 10.191.16.61 or as 10.191.16.0/24 or 10.191.0.0/16. So one of my traffic queries may be
(( addr.src in 10.191.0.0/16 ) and ( zone.dst eq untrust )) and ( rule eq 'LAB Users' ).
Likewise a URL Filtering filter that I commonly do is (category eq adult) or switch out adult for block-list.
Because of the differences in policy and environments I can't really say if any of these filters really work for you as I presented them in my examples; I would be less worried about saving filters, as generally you wouldn't run a filter that's actually that long: regardless of platform, the longer your filter gets, the longer it takes to process. For example ( addr in 10.191.16.61 ) generates really quickly. A more detailed filter of ' ( addr.src in 10.191.0.0/16 ) and (( zone.dst eq untrust ) and ( rule eq 'Alert on Unknown Users')) and not (( addr.dst in 8.8.8.8 ) or (addr.dst in 8.8.4.4 ) or ( addr.dst in 206.145.187.198 ) or ( addr.dst in 206.145.187.201 ))' is going to take a lot longer to process, as it has to evaluate all of the criteria that you specified and find the logs that still apply with your filter specified.
Hopefully something like this is what you were looking for.
08-06-2017 11:13 AM
Hey, what exactly do you mean?
Are you referring to a recommended ruleset, a traffic log filter to search for anomalies, or something else?
08-07-2017 11:16 AM
Most filters are going to be specific to that person's environment and therefore wouldn't do a lot of good without having to heavily modify that filter. If you need help building out a specific filter, we could probably help with that.
08-09-2017 01:51 PM
One of my favorite filters is to find blocked traffic. In the UNIFIED LOG, try this filter:
(addr in 1.1.1.1) and (action neq allow) and (action neq alert)
That will show you blocked traffic for 1.1.1.1, from any of the features/functions in the Firewall, including AV, WildFire, IPS, C2, Data Filter/File Blocking, URL Filtering, etc.
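As an added illustration (not part of any post in this thread and not Palo Alto Networks code), the filter grammar described in the longer reply above, and the blocked-traffic filter from this reply, can be modelled with a small parser and evaluator run over constructed log records. It assumes records are dicts keyed by the field names the filters use (addr.src, addr.dst, zone.dst, rule, action, port.dst, severity), that a bare addr matches either end of the flow, that severities rank informational < low < medium < high < critical, and that 'and not' is simply 'and' followed by a 'not'; the blocked-traffic filter is evaluated with a sample internal host in place of 1.1.1.1. It is a model of the operators the thread names, not the firewall's real query engine.

```python
"""Toy evaluator for the log-filter syntax used in this thread (added example).

Assumed grammar, reconstructed from the posts above:
    expr   := term ('or' term)*
    term   := factor ('and' factor)*
    factor := 'not' factor | '(' expr ')' | FIELD OP VALUE
    OP     := eq | neq | geq | leq | in      ('and not' is 'and' followed by 'not')
"""
import ipaddress
import re

# Assumed ranking so that 'severity geq medium' behaves as it does in the threat log.
SEVERITY_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Tokens: a single-quoted string (may contain spaces), a parenthesis, or a bare word.
TOKEN_RE = re.compile(r"'[^']*'|\(|\)|[^\s()]+")


class FilterParser:
    """Recursive-descent parser producing a nested tuple tree."""

    def __init__(self, text):
        self.toks = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        tree = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return tree

    def expr(self):  # 'or' binds loosest
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):  # 'and' binds tighter than 'or'
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        field, op, value = tok, self.take(), self.take()
        if op not in ("eq", "neq", "geq", "leq", "in"):
            raise ValueError("unknown operator %r" % op)
        return ("cmp", field, op, value.strip("'"))


def _coerce(actual, wanted):
    """Compare severities by rank, numbers (ports) numerically, everything else as text."""
    if actual in SEVERITY_ORDER and wanted in SEVERITY_ORDER:
        return SEVERITY_ORDER[actual], SEVERITY_ORDER[wanted]
    try:
        return int(actual), int(wanted)
    except (TypeError, ValueError):
        return str(actual), wanted


def _compare(record, field, op, value):
    if op == "in":
        # Bare 'addr' matches either end of the flow; value is a host or a CIDR prefix.
        keys = ("addr.src", "addr.dst") if field == "addr" else (field,)
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(record[k]) in net for k in keys if k in record)
    if field not in record:
        return False
    a, b = _coerce(record[field], value)
    return {"eq": a == b, "neq": a != b, "geq": a >= b, "leq": a <= b}[op]


def evaluate(node, record):
    kind = node[0]
    if kind == "cmp":
        return _compare(record, *node[1:])
    if kind == "not":
        return not evaluate(node[1], record)
    left = evaluate(node[1], record)
    return (left and evaluate(node[2], record)) if kind == "and" else (left or evaluate(node[2], record))


def apply_filter(filter_text, records):
    """Return the indexes of the records that satisfy the filter text."""
    tree = FilterParser(filter_text).parse()
    return [i for i, r in enumerate(records) if evaluate(tree, r)]


# Constructed sample records (not real firewall logs); addresses use documentation ranges.
SAMPLE_LOGS = [
    {"addr.src": "10.191.16.61", "addr.dst": "8.8.8.8", "zone.dst": "untrust", "rule": "LAB Users",
     "action": "allow", "port.dst": 53, "severity": "informational"},
    {"addr.src": "10.191.20.5", "addr.dst": "203.0.113.10", "zone.dst": "untrust",
     "rule": "Alert on Unknown Users", "action": "alert", "port.dst": 80, "severity": "medium"},
    {"addr.src": "10.191.20.5", "addr.dst": "198.51.100.7", "zone.dst": "untrust",
     "rule": "Alert on Unknown Users", "action": "reset-both", "port.dst": 443, "severity": "high"},
    {"addr.src": "192.0.2.44", "addr.dst": "10.191.16.61", "zone.dst": "trust", "rule": "Inbound Block",
     "action": "deny", "port.dst": 22, "severity": "critical"},
]

if __name__ == "__main__":
    for f in ("( severity geq medium )",
              "(( addr.src in 10.191.0.0/16 ) and ( zone.dst eq untrust )) and ( rule eq 'LAB Users' )",
              "(addr in 10.191.16.61) and (action neq allow) and (action neq alert)"):
        print(f, "->", apply_filter(f, SAMPLE_LOGS))
```

The blocked-traffic filter correctly skips record 0 (the host is the source, but the action is allow) and keeps record 3 (the host is the destination and the action is deny), which is exactly why matching on bare addr plus two neq clauses is a compact way to see every feature that dropped traffic for one host.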
08-09-2017 11:10 PM
Mostly you've covered everything needed for what I meant,
and gave a good summary that could help others too.