Filter-List

L1 Bithead

Hello everyone!

 

Does anyone have a list of saved filters that could help a lot and save our time?


L7 Applicator

Hey, what exactly do you mean?

Are you referring to a recommended ruleset, or to a traffic log filter to search for anomalies, or something else?

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

Cyber Elite

@aziz_paloalto,

Most filters are going to be specific to that person's environment and therefore wouldn't do a lot of good without having to heavily modify that filter. If you need help building out a specific filter, we could probably help with that.

I mean the traffic log filter, data filtering, URL filtering, etc.

I mean the common filters that I could save to the filters.

I really appreciate it, and that would be helpful.

Accepted Solution

@aziz_paloalto,

I don't think I understand exactly what you are asking for. Do you mean how to filter results? There really isn't a 'common filter' that I have in my environment that would work in yours, as filters generally specify at the very least the IP ranges that you are looking at. I've listed some of the most common filters below that may help you, if that's what you're asking for. Any filter you build is going to be dependent on what you are looking for, and truthfully I don't often find myself saving filters. If you find yourself running the same query over and over again, it's probably easier to just build that query into a custom report that you can run.

( addr in address )
( addr.src in address )
( addr.dst in address )
( zone.dst in zone )
( zone.src in zone )
( rule eq 'rule' )
( action eq action )
( user.src eq user )
( user.dst eq user )
( app eq application )
( port.dst eq port )
( port.src eq port )
( severity eq severity )

You don't have to specify eq here for equals; you could easily do a geq or a leq instead. For example, generally I'll have a ( severity geq medium ) filter when I look in the threat log, or I'll just filter out the informational ones with a ' not ( severity eq informational ) ' filter.

Any of these can be tied together with 'and', 'or', 'and not', 'or not' and similar. Addresses can be specified either as a single address such as 10.191.16.61, or as 10.191.16.0/24 or 10.191.0.0/16. So one of my traffic queries may be

(( addr.src in 10.191.0.0/16 ) and ( zone.dst eq untrust )) and ( rule eq 'LAB Users' )

Likewise, a URL Filtering filter that I commonly use is (category eq adult), or switch out adult for block-list.

Because of the differences in policy and environments I can't really say whether any of these filters will really work for you as I presented them in my examples. I would be less worried about saving filters, as generally you wouldn't run a filter that's actually that long: regardless of platform, the longer your filter gets, the longer it takes to process. For example, ( addr in 10.191.16.61 ) generates really quickly. A more detailed filter of ' ( addr.src in 10.191.0.0/16 ) and (( zone.dst eq untrust ) and ( rule eq 'Alert on Unknown Users' )) and not (( addr.dst in 8.8.8.8 ) or ( addr.dst in 8.8.4.4 ) or ( addr.dst in 206.145.187.198 ) or ( addr.dst in 206.145.187.201 )) ' is going to take a lot longer to process, as it has to evaluate all of the criteria that you specified and find the logs that still apply with your filter specified.

Hopefully something like this is what you were looking for.

 

One of my favorite filters is to find blocked traffic. In the UNIFIED LOG, try this filter:

(addr in 1.1.1.1) and (action neq allow) and (action neq alert)

That will show you blocked traffic for 1.1.1.1 from any of the features/functions in the firewall, including AV, WildFire, IPS, C2, Data Filtering/File Blocking, URL Filtering, etc.
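To make the filter semantics from the accepted answer (eq/neq/geq/leq, in with a single address or a CIDR, and/or/not with parentheses) and from the unified-log blocked-traffic filter above concrete, here is an added example: a small evaluator that parses filter strings in that syntax and runs them over a handful of constructed log records. It is not Palo Alto code and does not talk to a firewall; it only mimics the syntax shown in the thread. Assumptions that the posts do not state are marked in the code: 'addr' is taken to mean source or destination, severities are ordered informational < low < medium < high < critical, and 'and'/'or' are applied left to right with no precedence, so expressions should be parenthesized the way the posts do.

```python
"""Added example: a small evaluator for PAN-OS-style log filter strings.

Not Palo Alto code; it mimics the syntax shown in the thread so the meaning
of eq/neq/geq/leq/in and of and/or/not can be checked offline. Assumptions
not stated in the thread: 'addr' matches addr.src or addr.dst; severity is
ordered informational < low < medium < high < critical; and/or bind left to
right with no precedence, so parenthesize as the posts do.
"""
import ipaddress
import re

OPS = {"eq", "neq", "geq", "leq", "in"}
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed sample records (not real firewall logs).
SAMPLE_LOGS = [
    {"addr.src": "10.191.16.61", "addr.dst": "8.8.8.8", "zone.dst": "untrust",
     "rule": "LAB Users", "action": "allow", "port.dst": "53", "severity": "informational"},
    {"addr.src": "10.191.20.5", "addr.dst": "203.0.113.7", "zone.dst": "untrust",
     "rule": "LAB Users", "action": "deny", "port.dst": "443", "severity": "medium"},
    {"addr.src": "192.168.1.10", "addr.dst": "1.1.1.1", "zone.dst": "untrust",
     "rule": "Guest Out", "action": "reset-both", "port.dst": "80", "severity": "high"},
    {"addr.src": "1.1.1.1", "addr.dst": "10.191.16.61", "zone.dst": "trust",
     "rule": "Inbound", "action": "alert", "port.dst": "0", "severity": "low"},
]

# Tokens: parentheses, quoted values such as 'LAB Users', or bare words.
TOKEN_RE = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def compare(field, op, value, log):
    """Evaluate one ( field op value ) term against one log record."""
    if field == "addr":  # assumption: 'addr' means source or destination
        return any(compare(f, op, value, log) for f in ("addr.src", "addr.dst"))
    actual = log.get(field)
    if actual is None:
        return False
    if op == "in":  # single address or CIDR; plain match for non-address fields
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return actual == value
    if field == "severity":  # ordinal, so geq/leq are meaningful
        a, v = SEVERITY_ORDER.index(actual), SEVERITY_ORDER.index(value)
    elif field in ("port.src", "port.dst"):
        a, v = int(actual), int(value)
    else:
        a, v = actual, value
    return {"eq": a == v, "neq": a != v, "geq": a >= v, "leq": a <= v}[op]


def parse_term(tokens, pos):
    """term := 'not' term | '(' field op value ')' | '(' expr ')'"""
    if tokens[pos] == "not":
        node, pos = parse_term(tokens, pos + 1)
        return ("not", node), pos
    if tokens[pos] != "(":
        raise ValueError(f"unexpected token {tokens[pos]!r} at {pos}")
    if pos + 4 < len(tokens) and tokens[pos + 1] != "(" and tokens[pos + 2] in OPS:
        field, op, value = tokens[pos + 1], tokens[pos + 2], tokens[pos + 3].strip("'")
        if tokens[pos + 4] != ")":
            raise ValueError("expected ')' after comparison")
        return ("cmp", field, op, value), pos + 5
    node, pos = parse_expr(tokens, pos + 1)  # nested expression
    if pos >= len(tokens) or tokens[pos] != ")":
        raise ValueError("expected ')' after expression")
    return node, pos + 1


def parse_expr(tokens, pos):
    """expr := term (('and' | 'or') term)*   evaluated left to right"""
    node, pos = parse_term(tokens, pos)
    while pos < len(tokens) and tokens[pos] in ("and", "or"):
        op = tokens[pos]
        rhs, pos = parse_term(tokens, pos + 1)
        node = (op, node, rhs)
    return node, pos


def evaluate(node, log):
    kind = node[0]
    if kind == "cmp":
        return compare(*node[1:], log)
    if kind == "not":
        return not evaluate(node[1], log)
    left = evaluate(node[1], log)
    return (left and evaluate(node[2], log)) if kind == "and" else (left or evaluate(node[2], log))


def run_filter(expr, logs=SAMPLE_LOGS):
    """Return addr.src of every record matching the filter string."""
    tokens = TOKEN_RE.findall(expr)
    node, pos = parse_expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return [log["addr.src"] for log in logs if evaluate(node, log)]


if __name__ == "__main__":
    for f in ("(( addr.src in 10.191.0.0/16 ) and ( zone.dst eq untrust )) and ( rule eq 'LAB Users' )",
              "(addr in 1.1.1.1) and (action neq allow) and (action neq alert)",
              "not ( severity eq informational )"):
        print(f, "->", run_filter(f))
```

The blocked-traffic filter matches only the record whose action is neither allow nor alert, and the record where 1.1.1.1 is the source but the action is alert is excluded, which is the point of the two neq terms. Each comparison term is one more predicate evaluated per record, which is the same reason the accepted answer gives for long filters taking longer on the firewall.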

Mostly you've covered everything needed for what I meant, and gave a good summary that could help others too.
