Greg Vedders
  • About
  • Tags
  • Posts

Searching for Threats in Firewall Logs Using Splunk

Utilizing firewall logs to look for potential security threats

posts
May 26, 2024 • 3 min read • 482 words

To search for threats in firewall logs using Splunk, you need to craft a search query that looks for common indicators of malicious activity. Here’s a basic example to get you started:

  1. Open Splunk and navigate to the Search & Reporting app.
  2. Enter the search query.

A typical search query for firewall logs might look like this:

index=firewall_logs sourcetype="firewall"
| search action=blocked OR action=denied OR action=dropped
| table _time src_ip dest_ip action signature
| dedup src_ip, dest_ip, signature
| sort _time

This query does the following:

  • Searches within the firewall index and filters for logs with a sourcetype of “firewall”.
  • Filters the logs to include only those where the action is blocked, denied, or dropped.
  • Displays a table with the timestamp, source IP, destination IP, action, and signature of the threat.
  • Removes duplicate entries based on source IP, destination IP, and signature.
  • Sorts the results by time.

Additional Search Criteria

You can refine the search further by adding more specific criteria. For instance, if you’re looking for known malicious IPs, you can include a lookup against a threat intelligence feed. Here’s an example:

index=firewall sourcetype="firewall"
| search action=blocked OR action=denied OR action=dropped
| lookup threat_intel ip AS src_ip OUTPUT description
| where isnotnull(description)
| table _time src_ip dest_ip action signature description
| dedup src_ip, dest_ip, signature
| sort _time

In this query:

  • lookup threat_intel ip AS src_ip OUTPUT description performs a lookup against a threat intelligence dataset to match source IPs.
  • where isnotnull(description) filters results to include only those with a matching description from the threat intel.

Using Splunk’s Threat Intelligence Framework

Splunk’s Threat Intelligence Framework allows for more advanced threat detection by correlating firewall logs with known threat indicators. Here’s an example that uses this framework:

index=firewall sourcetype="firewall"
| tstats count as event_count from datamodel=Intrusion_Detection.IDS_Attacks where nodename=IDS_Attacks.signature by _time span=1h IDS_Attacks.signature
| lookup threat_intel_by_src_ip src_ip AS src_ip OUTPUT description
| search action=blocked OR action=denied OR action=dropped
| table _time src_ip dest_ip action signature description event_count
| sort _time

This query:

  • Utilizes the tstats command to summarize data from the Intrusion Detection data model.
  • Performs a lookup against a threat intelligence feed to match source IPs.
  • Filters for blocked, denied, or dropped actions.
  • Displays a table with relevant information including the event count.

Creating Alerts

To automate the detection of threats, you can create alerts in Splunk based on your search query. Here’s how to set up an alert:

  1. Run your search query to verify the results.
  2. Click on “Save As” and select “Alert”.
  3. Configure the alert settings:
    • Title: Name of the alert.
    • Time Range: Set the frequency of the search (e.g., every 5 minutes).
    • Trigger Condition: Specify the condition to trigger the alert (e.g., if the number of results is greater than 0).
    • Actions: Choose how to be notified (e.g., email, webhook).

By setting up alerts, you can be notified in real-time when potential threats are detected in your firewall logs.

Share this post
← Older Understanding Current Security Risks: 2024 Update Newer → How Weather Forecasting Works: A Peek Behind the Curtain

About

Greg Vedders writes about information security, troubleshooting, photography, and the occasional unexpected fix.

Recent Posts

  • Automating CatPosters.us With a Gemini and WordPress Bot
  • Teaching Git: What I Covered in Class
  • Introducing Signage Suite — Self-Hosted Wall Displays in PHP
  • Rebuilding gregvedders.com Without a Hugo Theme
  • Hardening a Public Honeypot Server

Tags

Splunk Security Firewall

Related Posts

  • Understanding Current Security Risks: 2024 Update
  • Navigating the Digital Frontier: Exploring the State of Cybersecurity Today
  • Phish vs Spam vs Total O365 Email in Microsoft Sentinel
  • Leaked Credentials Search in Microsoft Sentinel
© Greg Vedders 2026