Splunk Firewall Dashboard
Greetings, everyone! In this repository, I will delve into the intricacies of creating a firewall dashboard using Splunk. A firewall dashboard gives the security team heightened visibility into the network traffic flowing through the organization's firewalls, and it enables rapid detection of anomalies and threats by visualizing key firewall logging data. Through ongoing firewall log analysis, security teams gain situational awareness and threat intelligence that help them safeguard digital assets, uphold regulatory compliance, and improve the company's security posture.
Splunk is a powerful log-analysis platform that simplifies data collection, management, sorting, and searching. Within Splunk, we use SPL (Search Processing Language) to navigate and query the data. Splunk can be installed from the official website, and a free version is available.
For the firewall log, I sourced data from a GitHub repository [1].
Upon obtaining data, the first crucial step is to determine its structure: whether it is structured or unstructured. In my case, the data is structured and extensive, and it has been divided into two files. Both files have been uploaded to Splunk.
Getting Data In:
- Access Splunk, either through the cloud version or locally with the free or enterprise version.
- Upload the data.
- Select and set the source type. The source type is how Splunk categorizes or labels the type of data you're working with.
- Update the input settings. I left them at the defaults and proceeded to the next steps.
- Use SPL to search for the desired fields. For instance, sourcetype="your_sourcetype" | table source_ip, sourcetype="your_sourcetype" | table dest_ip, and sourcetype="your_sourcetype" | table port can each be run individually. They can also be combined in a single search: sourcetype="your_sourcetype" | table source_ip, dest_ip, port. With these searches we start working with fields and with the Statistics tab.
- Let's break down the above command. Fields are the individual pieces of data you can work with, such as source IP address, destination IP address, or timestamp. A table is a structured way of organizing those fields into rows and columns.
- We can narrow the search results by adjusting the time range, for example from All time to the last 24 hours.
- Besides table, there are commands such as chart, stats, and timechart, which produce a statistics table and also drive a visualization. For instance: index="your_index" sourcetype="your_sourcetype" | chart count over field_name
- We can also use timechart or stats; see the Splunk commands list [2].
- Jumping into visualization: Splunk offers many chart types, such as bar charts, line charts, pie charts, and heat maps.
- Using the above command we have generated a pie chart: sourcetype="your_sourcetype" | chart count over field_name
- Similarly, we can generate different types of graphs. To do so we need to understand the by and over clauses. The by clause groups events on one or more fields and is accepted by stats, chart, and timechart. The over clause belongs to the chart command: it names the field whose values become the rows of the result (the x-axis of the chart), and an optional by after it splits each row into one series per value of a second field. The timechart command does not take over, because its x-axis is always time; it only takes by. The search reference documents the full syntax of each command [3].
- Dashboards: Dashboards are views that are made up of panels. The panels can contain modules such as search boxes, fields, charts, tables, and lists. Dashboard panels are usually connected to reports [4].
- Types of dashboard: Classic Dashboards and Dashboard Studio. Within Dashboard Studio there are two layout types, Absolute and Grid [5]; the Splunk documentation on creating a dashboard is attached. In this repo we will stick to the Dashboard Studio Grid layout. Name the dashboard and select the grid layout.
- Click the data source (database) icon.
- In the Data overview section, create a search with SPL.
- After your search, click Add chart and insert the desired visualization.
- Now keep adding searches for IP addresses, ports, status codes, HTTPS, device name, and device IDs. There are many things we can do.
- The final dashboard that I have developed looks like this.
- Device Information: This panel uses a single-value visualization to display the device name. The logs in this dataset come from a Fortinet firewall. A second single-value panel displays the device ID in the same way. This gives the organization infrastructure awareness of which device, by name and ID, produced the logs.
- Bytes (Bytes_in and Bytes_out): An area chart displays the bytes received and sent over time. In this dashboard the chart is driven by count, which counts the log events reporting each direction; note that an event count measures log volume rather than throughput, so for true bandwidth figures the firewall's byte fields should be summed instead. Bandwidth utilization is critical for monitoring traffic patterns and capacity planning, it helps the organization identify network congestion and plan capacity, and sudden spikes in bandwidth can indicate a denial of service.
- IP Address: This panel is a table of source IP, destination IP, and destination port, sorted so the security team can see who is talking to whom. The table is filtered to destination ports 443 and 80. It allows the security team to filter and analyze incoming and outgoing traffic, diagnose network issues, and make informed decisions about protecting data and optimizing the network.
- Destination Port: A pie chart displays the destination ports requested by users on the network, so administrators can monitor which ports are used the most; the chart shows the percentage of traffic headed to each port. The most used port is 443 (HTTPS). This chart improves the organization's knowledge of its infrastructure and helps detect traffic to ports that are not on the approved list.
- Application: A bar chart displays the applications most used by users in the organization. It helps the security team selectively block or limit risky applications and investigate abnormal applications accessed by users.
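As an added example (not code from this repository), the Dashboard Studio source below builds the grid dashboard described in the steps and panels above in one definition, so it can be pasted into the dashboard's Source editor (the </> button in Dashboard Studio) instead of assembling each panel by hand. The searches it embeds also illustrate the commands introduced earlier: table-style stats by, chart ... over, chart ... over ... by, and timechart ... by time. It assumes the BOTSv1 data was loaded into an index named botsv1 with the FortiGate traffic sourcetype fgt_traffic, and it uses the standard FortiGate traffic-log field names devname, devid, srcip, dstip, dstport, sentbyte, rcvdbyte, app, and action; verify all of these against the field list Splunk extracts for your data. Two searches go beyond the panels above: the bytes panel sums the byte fields per hour instead of counting events, and an extra column chart of chart count over dstport by action is included to show over and by together.

```json
{
  "title": "Firewall Dashboard (FortiGate / BOTSv1)",
  "description": "Added example, not the repository's own dashboard. Index name, sourcetype and field names are assumptions; check them against your extracted fields.",
  "inputs": {
    "input_time": {
      "type": "input.timerange",
      "title": "Time range",
      "options": { "token": "global_time", "defaultValue": "-24h@h,now" }
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" }
        }
      }
    }
  },
  "dataSources": {
    "ds_devname": {
      "type": "ds.search",
      "name": "Device name (single value)",
      "options": { "query": "index=botsv1 sourcetype=fgt_traffic | stats latest(devname) AS devname" }
    },
    "ds_devid": {
      "type": "ds.search",
      "name": "Device ID (single value)",
      "options": { "query": "index=botsv1 sourcetype=fgt_traffic | stats latest(devid) AS devid" }
    },
    "ds_bytes": {
      "type": "ds.search",
      "name": "Bytes in/out per hour: timechart sums the byte fields, an event count would measure log volume instead",
      "options": { "query": "index=botsv1 sourcetype=fgt_traffic | timechart span=1h sum(sentbyte) AS bytes_out sum(rcvdbyte) AS bytes_in" }
    },
    "ds_ips": {
      "type": "ds.search",
      "name": "HTTP/HTTPS sessions by source, destination and port: stats ... by",
      "options": { "query": "index=botsv1 sourcetype=fgt_traffic dstport IN (80, 443) | stats count AS sessions sum(sentbyte) AS bytes_out by srcip dstip dstport | sort -sessions | head 50" }
    },
    "ds_ports": {
      "type": "ds.search",
      "name": "Top destination ports: chart ... over",
      "options": { "query": "index=botsv1 sourcetype=fgt_traffic | chart count over dstport | sort -count | head 10" }
    },
    "ds_apps": {
      "type": "ds.search",
      "name": "Top applications",
      "options": { "query": "index=botsv1 sourcetype=fgt_traffic app=* | top limit=10 app showperc=false" }
    },
    "ds_actions": {
      "type": "ds.search",
      "name": "Firewall action per destination port: chart ... over ... by (addtotals only ranks the rows)",
      "options": { "query": "index=botsv1 sourcetype=fgt_traffic | chart count over dstport by action | addtotals | sort -Total | head 10 | fields - Total" }
    }
  },
  "visualizations": {
    "viz_devname": { "type": "splunk.singlevalue", "title": "Device name", "dataSources": { "primary": "ds_devname" } },
    "viz_devid":   { "type": "splunk.singlevalue", "title": "Device ID", "dataSources": { "primary": "ds_devid" } },
    "viz_bytes":   { "type": "splunk.area", "title": "Bytes in / out", "dataSources": { "primary": "ds_bytes" } },
    "viz_ips":     { "type": "splunk.table", "title": "HTTP/HTTPS sessions", "dataSources": { "primary": "ds_ips" } },
    "viz_ports":   { "type": "splunk.pie", "title": "Destination ports", "dataSources": { "primary": "ds_ports" } },
    "viz_apps":    { "type": "splunk.bar", "title": "Applications", "dataSources": { "primary": "ds_apps" } },
    "viz_actions": { "type": "splunk.column", "title": "Action by destination port", "dataSources": { "primary": "ds_actions" } }
  },
  "layout": {
    "type": "grid",
    "options": {},
    "globalInputs": [ "input_time" ],
    "structure": [
      { "item": "viz_devname", "type": "block", "position": { "x": 0,   "y": 0,   "w": 600,  "h": 150 } },
      { "item": "viz_devid",   "type": "block", "position": { "x": 600, "y": 0,   "w": 600,  "h": 150 } },
      { "item": "viz_bytes",   "type": "block", "position": { "x": 0,   "y": 150, "w": 1200, "h": 300 } },
      { "item": "viz_ips",     "type": "block", "position": { "x": 0,   "y": 450, "w": 600,  "h": 400 } },
      { "item": "viz_ports",   "type": "block", "position": { "x": 600, "y": 450, "w": 600,  "h": 400 } },
      { "item": "viz_apps",    "type": "block", "position": { "x": 0,   "y": 850, "w": 600,  "h": 400 } },
      { "item": "viz_actions", "type": "block", "position": { "x": 600, "y": 850, "w": 600,  "h": 400 } }
    ]
  }
}
```

Every data source inherits the time picker through the defaults block, which is what the earlier step about narrowing the time range does for the whole dashboard at once. If the panels come up empty, widen the picker to All time: BOTSv1 is a historical capture, so the default last-24-hours window contains none of it. The table search filters on dstport in the base search rather than after the stats, so Splunk discards the other ports before aggregating, which is the cheaper order for a large index.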
The security team has significantly increased network visibility and can better detect, investigate, and respond to threats. Searches can be conducted across devices for signs of compromise or policy violations. The unified visibility and accelerated detection promote rapid incident response.
References:
[1] https://github.com/splunk/botsv1
[2] https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-stats-chart-and-timechart.html
[3] https://docs.splunk.com/Documentation/SCS/current/SearchReference/Introduction
[4] https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchTutorial/Aboutdashboards#:~:text=Dashboards%20are%20views%20that%20are,a%20new%20or%20existing%20dashboard.
[5] https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchTutorial/Createnewdashboard