Searching for Threats in Firewall Logs Using Splunk
By Greg Vedders
To search for threats in firewall logs using Splunk, you need to craft a search query that looks for common indicators of malicious activity. Here’s a basic example to get you started:
- Open Splunk and navigate to the Search & Reporting app.
- Enter the search query.
A typical search query for firewall logs might look like this:
index=firewall_logs sourcetype="firewall"
| search action=blocked OR action=denied OR action=dropped
| table _time src_ip dest_ip action signature
| dedup src_ip dest_ip signature
| sort _time
This query does the following:
- Searches within the firewall_logs index and filters for logs with a sourcetype of “firewall”.
- Filters the logs to include only those where the action is blocked, denied, or dropped.
- Displays a table with the timestamp, source IP, destination IP, action, and signature of the threat.
- Removes duplicate entries based on source IP, destination IP, and signature.
- Sorts the results by time.
Additional Search Criteria
You can refine the search further by adding more specific criteria. For instance, if you’re looking for known malicious IPs, you can include a lookup against a threat intelligence feed. Here’s an example:
index=firewall sourcetype="firewall"
| search action=blocked OR action=denied OR action=dropped
| lookup threat_intel ip AS src_ip OUTPUT description
| where isnotnull(description)
| table _time src_ip dest_ip action signature description
| dedup src_ip dest_ip signature
| sort _time
In this query:
- lookup threat_intel ip AS src_ip OUTPUT description performs a lookup against a threat intelligence dataset to match source IPs.
- where isnotnull(description) filters results to include only those with a matching description from the threat intel.
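As an added example that is not part of the original page, the Python below mirrors the stages of the two searches above (action filter, threat_intel lookup on src_ip, isnotnull filter, dedup, sort by _time) over constructed log lines and a constructed threat_intel table, so the matching logic and a lookup CSV can be checked offline before the search is saved as an alert.

```python
# Added example, not from the original page: an offline re-implementation of
# the SPL stages (search action=..., lookup threat_intel, where isnotnull,
# dedup, sort _time) for testing the logic and a threat_intel CSV locally.
import csv
import io
from datetime import datetime

# Constructed sample firewall events in key=value form (not real traffic).
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z action=blocked src_ip=198.51.100.7 dest_ip=10.0.0.5 signature=ET_SCAN_Nmap
2024-05-01T10:00:01Z action=allowed src_ip=192.0.2.44 dest_ip=10.0.0.5 signature=none
2024-05-01T10:00:09Z action=denied src_ip=203.0.113.9 dest_ip=10.0.0.8 signature=ET_MALWARE_Beacon
2024-05-01T10:00:12Z action=blocked src_ip=198.51.100.7 dest_ip=10.0.0.5 signature=ET_SCAN_Nmap
2024-05-01T10:00:15Z action=dropped src_ip=192.0.2.99 dest_ip=10.0.0.8 signature=ET_SCAN_Nmap
"""
# Constructed threat_intel lookup table with the columns the SPL lookup uses.
THREAT_INTEL_CSV = "ip,description\n198.51.100.7,known scanner\n203.0.113.9,C2 infrastructure\n"

BLOCKED_ACTIONS = {"blocked", "denied", "dropped"}

def parse_event(line):
    """Turn one '<timestamp> k=v k=v ...' line into a dict with a _time field."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def load_threat_intel(csv_text):
    """Build the ip -> description map behind 'lookup threat_intel ip AS src_ip'."""
    return {r["ip"]: r["description"] for r in csv.DictReader(io.StringIO(csv_text))}

def search_threats(log_text, intel):
    """Run the pipeline stages in SPL order and return the rows the table would show."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits = [e for e in events if e.get("action") in BLOCKED_ACTIONS]  # search action=...
    for e in hits:                                         # lookup ... OUTPUT description
        e["description"] = intel.get(e.get("src_ip"))
    hits = [e for e in hits if e["description"] is not None]  # where isnotnull(description)
    seen, deduped = set(), []   # dedup keeps the first row seen per (src_ip, dest_ip, signature)
    for e in hits:
        key = (e["src_ip"], e["dest_ip"], e["signature"])
        if key not in seen:
            seen.add(key)
            deduped.append(e)
    return sorted(deduped, key=lambda e: e["_time"])       # sort _time

if __name__ == "__main__":
    for row in search_threats(SAMPLE_LOGS, load_threat_intel(THREAT_INTEL_CSV)):
        print(row["_time"].isoformat(), row["src_ip"], row["dest_ip"], row["action"], row["signature"], row["description"])
```

Note that Splunk's dedup keeps the first row in the order it receives, which with the default reverse-chronological result order is the newest event; the offline version keeps the first row in file order.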
Using Splunk’s Threat Intelligence Framework
Splunk’s Threat Intelligence Framework allows for more advanced threat detection by correlating firewall logs with known threat indicators. Here’s an example that uses this framework:
| tstats count AS event_count from datamodel=Intrusion_Detection.IDS_Attacks by _time span=1h IDS_Attacks.src IDS_Attacks.dest IDS_Attacks.action IDS_Attacks.signature
| rename IDS_Attacks.src AS src_ip IDS_Attacks.dest AS dest_ip IDS_Attacks.action AS action IDS_Attacks.signature AS signature
| lookup threat_intel_by_src_ip src_ip AS src_ip OUTPUT description
| search action=blocked OR action=denied OR action=dropped
| table _time src_ip dest_ip action signature description event_count
| sort _time
This query:
- Utilizes the tstats command to summarize data from the Intrusion Detection data model (tstats is a generating command, so it must be the first command in the search).
- Performs a lookup against a threat intelligence feed to match source IPs.
- Filters for blocked, denied, or dropped actions.
- Displays a table with relevant information including the event count.
Creating Alerts
To automate the detection of threats, you can create alerts in Splunk based on your search query. Here’s how to set up an alert:
- Run your search query to verify the results.
- Click on “Save As” and select “Alert”.
- Configure the alert settings:
  - Title: Name of the alert.
  - Time Range / Schedule: Set how often the search runs and the window of data it covers (e.g., every 5 minutes).
  - Trigger Condition: Specify the condition to trigger the alert (e.g., if the number of results is greater than 0).
  - Actions: Choose how to be notified (e.g., email, webhook).
By setting up alerts, you can be notified in real time when potential threats are detected in your firewall logs.