From 1fdcf18f8b2a18e405e44e564f4c9df7bb953c56 Mon Sep 17 00:00:00 2001
From: Mauro Pavanello
Date: Tue, 27 Jan 2026 10:29:21 +0100
Subject: [PATCH 1/3] Modified Dashboard PaloAlto and Fortigate
---
 .../Fortigate-Firewall-Dashboard.yaml | 314 ++++++++++++++++++
 .../metadata.yaml | 6 +-
 .../PaloAlto.conf} | 160 ++++++---
 .../community/palo-latest/metadata.yaml | 6 +-
 4 files changed, 435 insertions(+), 51 deletions(-)
 create mode 100644 dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
 rename dashboards/community/{Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf => palo-latest/PaloAlto.conf} (55%)
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml b/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
new file mode 100644
index 0000000..143ce39
--- /dev/null
+++ b/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
@@ -0,0 +1,314 @@
+{
+ "title": "FortiGate Firewall – Security & Traffic Overview",
+ "configType": "TABBED",
+ "duration": "24h",
+ "tabs": [
+ {
+ "tabName": "Overview",
+ "graphs": [
+ {
+ "graphStyle": "number",
+ "title": "Distinct FortiGate Devices",
+ "query": "dataSource.vendor='Fortinet' | group estimate_distinct(device.name)",
+ "options": {
+ "suffix": " firewalls"
+ },
+ layout: {
+ h: 5,
+ w: 12,
+ x: 0,
+ y: 0
+ }
+ }, {
+ "graphStyle": "number",
+ "title": "Connections Blocked",
+ "query": "dataSource.vendor='Fortinet' status_detail='blocked' | group count=count() by timestamp=timebucket('1hr')",
+ "options": {
+ "format": "K"
+ },
+ layout: {
+ h: 5,
+ w: 12,
+ x: 12,
+ y: 0
+ },
+ sparklineConfig: {
+ enabled: false
+ },
+ trendConfig: {
+ enabled: true,
+ indicators: {
+ arrow: {
+ enabled: true
+ },
+ number: {
+ calculationType: "ABSOLUTE",
+ enabled: true
+ },
+ upwardsMeaning: "POSITIVE"
+ }
+ }
+ }, {
+ "graphStyle": "line",
+ "title": "Traffic Volume (1 h buckets)",
+ "lineSmoothing": "straightLines",
+ "query": "dataSource.vendor='Fortinet' activity_name='traffic' |let traffic.packets_out=number(traffic.packets_out)\n| group outbound=sum(traffic.packets_out) by timestamp=timebucket('1h')",
+ layout: {
+ h: 19,
+ w: 33,
+ x: 24,
+ y: 0
+ }
+ }, {
+ "graphStyle": "line",
+ "title": "Traffic by Direction",
+ layout: {
+ h: 14,
+ w: 24,
+ x: 0,
+ y: 5
+ },
+ lineSmoothing: "straightLines",
+ query: "activity_name='traffic' |let NumBytesIn=number(traffic.bytes_in) |let NumBytesout=number(traffic.bytes_out) |group 'Bytes Out'=sum(NumBytesout), 'Bytes In'=sum(NumBytesIn) by timestamp=timebucket('1h')"
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.name='FortiGate' unmapped.logdesc=* | group logdesc=count () by unmapped.logdesc| sort -logdesc ",
+ title: "Top Event Type",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 19
+ }
+ }
+ ]
+ }, {
+ "tabName": "Top Talkers",
+ "graphs": [
+ {
+ "graphStyle": "",
+ "title": "Top Source IPs",
+ "query": "dataSource.vendor='Fortinet' unmapped.action='accept' not (src_endpoint.ip contains ('10.','192.168.','0.0.0.0')) | group Connections=count() by src_endpoint.ip | sort -Connections",
+ "showBarsColumn": "false",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 0
+ }
+ }, {
+ "graphStyle": "",
+ "title": "Top Destination IPs",
+ "query": "dataSource.vendor='Fortinet' unmapped.action='accept' not (dst_endpoint.ip contains ('10.','192.168.','0.0.0.0')) | group Connections=count() by dst_endpoint.ip | sort -Connections",
+ "showBarsColumn": "false",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 0
+ }
+ }, {
+ "graphStyle": "donut",
+ "title": "Top Applications (App-ID)",
+ "maxPieSlices": 12,
+ "query": "dataSource.vendor='Fortinet' app_name=* | group count() by app_name",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 40,
+ y: 0
+ },
+ dataLabelType: "PERCENTAGE",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 40,
+ y: 14
+ },
+ maxPieSlices: 12,
+ query: "dataSource.vendor='Fortinet' actor.authorizations\\[0\\].policy.name=* | group count() by actor.authorizations\\[0\\].policy.name",
+ title: "Top Policy",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 14
+ },
+ maxPieSlices: 12,
+ query: "dataSource.name='FortiGate' device.type=* | group count() by device.type",
+ title: "Top Device Type",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 28
+ },
+ maxPieSlices: 12,
+ query: "dataSource.name='FortiGate' device.os.name=* | group count() by device.os.name",
+ title: "Top OS Device",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 14
+ },
+ query: "dataSource.vendor='Fortinet' unmapped.action='deny' src_endpoint.ip=* | group Connections=count() by src_endpoint.ip | sort -Connections",
+ showBarsColumn: "false",
+ title: "Top Deny Source IPs "
+ }
+ ]
+ }, {
+ "tabName": "Threats & Security Events",
+ "graphs": [
+ {
+ "graphStyle": "number",
+ "title": "Intrusion-Prevention Events",
+ "query": "dataSource.vendor='Fortinet' unmapped.level=* | group count()",
+ layout: {
+ h: 5,
+ w: 20,
+ x: 0,
+ y: 0
+ },
+ sparklineConfig: {
+ enabled: false
+ },
+ trendConfig: {
+ enabled: false,
+ indicators: {
+ arrow: {
+ enabled: true
+ },
+ number: {
+ calculationType: "ABSOLUTE",
+ enabled: true
+ },
+ upwardsMeaning: "POSITIVE"
+ }
+ }
+ }, {
+ "graphStyle": "donut",
+ "title": "Threats by Severity",
+ "maxPieSlices": 6,
+ "query": "dataSource.vendor='Fortinet' unmapped.level=* | group count() by unmapped.level ",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 5
+ },
+ dataLabelType: "PERCENTAGE",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ "graphStyle": "",
+ "title": "Recent Critical Events",
+ "query": "activity_name='virus' |columns process.file.name, status_detail, risk_score ",
+ "showBarsColumn": "false",
+ layout: {
+ h: 19,
+ w: 35,
+ x: 20,
+ y: 0
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 19
+ },
+ maxPieSlices: 6,
+ query: "dataSource.name='FortiGate' unmapped.action='blocked' actor.user.name=* | group count() by actor.user.name ",
+ title: "Deny from user",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ },
+ ]
+ }, {
+ "tabName": "VPNs",
+ "graphs": [
+ {
+ graphStyle: "",
+ query: "dataSource.name='FortiGate' event.type = 'vpn' unmapped.xauthuser=* unmapped.action = 'tunnel-up' srccountry=*| columns unmapped.date, time, srccountry, unmapped.remip, unmapped.xauthuser, tunnelip ",
+ title: "Successful VPN connection",
+ layout: {
+ h: 14,
+ w: 60,
+ x: 0,
+ y: 0
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.name='FortiGate' event.type = 'vpn' result = 'ERROR' srccountry=* | group count() by srccountry",
+ title: "Failed VPN location",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 28
+ }
+ }, {
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 60,
+ x: 0,
+ y: 14
+ },
+ query: "dataSource.name='FortiGate' event.type = 'vpn' unmapped.xauthuser=* unmapped.action = 'tunnel-down' srccountry=* | columns unmapped.date, time, srccountry, unmapped.remip, unmapped.xauthuser, unmapped.duration",
+ title: "VPN Logout"
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "pie",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 28
+ },
+ maxPieSlices: 10,
+ query: "dataSource.name='FortiGate' event.type = 'vpn' unmapped.action = 'tunnel-up' srccountry=* | group count() by srccountry",
+ title: "Successfull vpn Location"
+ }
+ ]
+ }
+ ],
+}
\ No newline at end of file
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml b/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
index cb5ac66..9d9f01c 100644
--- a/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
+++ b/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
@@ -1,9 +1,9 @@
 metadata_details:
 data_dependencies: "Specify datasource.name or OCSF field"
 required_fields: "Fields required for this dashboard"
- description: "Dashboard migrated from samples-main: Fortigate-Firewall-Dashboard.conf"
+ description: "Dashboard for Fortigate firewalls"
 usecase_type: "Operational"
 usecase_action: "Dashboard"
- tags: dashboard, migrated, samples-main
+ tags: dashboard, samples-main
 version: latest
- author: Joel Mora
+ author: Mauro Pavanello
\ No newline at end of file
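Review bot: The private-range exclusion in the "Top Source IPs" and "Top Destination IPs" panels is a substring test, `not (src_endpoint.ip contains ('10.','192.168.','0.0.0.0'))`, so it also drops public addresses that merely contain "10." (203.0.110.5 matches) while keeping 172.16.0.0/12, 100.64.0.0/10 and 127.0.0.1 — the opposite of what a top-external-talkers view should do. If this query language offers a regex operator, anchor the test instead, e.g. `not (src_endpoint.ip matches '^(10\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|127\\.|0\\.0\\.0\\.0)')`, or use its CIDR helper if one exists (presumably one of the two is available; confirm). Separately, "Intrusion-Prevention Events" and "Threats by Severity" select every Fortinet record carrying `unmapped.level=*`, which is not restricted to IPS events, so either add the IPS subtype discriminator this source provides or retitle the panels to what they actually count. "Connections Blocked" also sets `upwardsMeaning: "POSITIVE"`, so a spike in blocked connections renders as good news; `"NEGATIVE"` or neutral is the more useful reading for a SOC.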
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf b/dashboards/community/palo-latest/PaloAlto.conf
similarity index 55%
rename from dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf
rename to dashboards/community/palo-latest/PaloAlto.conf
index 2693a6f..17192d6 100644
--- a/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf
+++ b/dashboards/community/palo-latest/PaloAlto.conf
@@ -1,14 +1,14 @@
 {
- parameters: [
- { name: "base_search", options: {display: "hidden"}, defaultValue: "dataSource.name='FortiGate'" }
- ],
- graphs: [
+ tabs: [{"tabName":"Traffic",
+options : {
+ },
+graphs : [
 {
 breakdownFacet: "app_name",
 graphStyle: "stacked_bar",
 plots: [
 {
- facet: "traffic.bytes_in",
+ facet: "traffic.bytes",
 filter: "(#base_search#)",
 label: "Bytes Received"
 }
@@ -17,9 +17,6 @@
 yScale: "linear",
 layout: {
 h: 14,
- i: "0",
- minH: 3,
- minW: 6,
 w: 20,
 x: 20,
 y: 28
@@ -94,26 +91,20 @@
 title: "Elapsed Time by Category",
 layout: {
 h: 14,
- i: "4",
- minH: 3,
- minW: 6,
 w: 20,
 x: 40,
 y: 14
 },
 lineSmoothing: "straightLines",
 }, {
- query: " #base_search# actor.user.name = * \n| group count = count() by actor.user.name\n| sort -count\n|limit 20",
+ query: "actor.user.name = * \n| group count = count() by actor.user.name\n| sort -count\n|limit 20",
 title: "Top Users",
 graphStyle: "pie",
 layout: {
 h: 14,
- i: "5",
- minH: 3,
- minW: 6,
 w: 20,
 x: 0,
- y: 42
+ y: 28
 },
 maxPieSlices: 10,
 }, {
@@ -128,14 +119,14 @@
 },
 maxPieSlices: 10,
 }, {
- query: "#base_search#\n| group count = count() by src_endpoint.ip\n| sort -count\n|limit 20",
+ query: "#base_search#\n| group count = count() by src_endpoint.ip \n| sort -count\n|limit 20",
 title: "Breakdown of Source IPs",
 graphStyle: "pie",
 layout: {
 h: 14,
 w: 20,
 x: 0,
- y: 28
+ y: 14
 },
 maxPieSlices: 10,
 }, {
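Review bot: The stacked-bar plot now reads `facet: "traffic.bytes"` while its label is still `"Bytes Received"`; if `traffic.bytes` is the total (in plus out) as the OCSF name suggests, the panel is mislabeled, and if the intent was to keep received bytes the old `traffic.bytes_in` facet should stay. Either revert the facet or change the label to `label: "Total Bytes"`. The `#base_search#` parameter this filter references is now declared at the end of the tab rather than at the top of the file, which is fine only if the dashboard engine resolves parameters per tab — worth confirming against a working tabbed dashboard in this repo. The graph object continues past the end of this hunk.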
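Review bot: "Top Users" drops the `#base_search#` prefix, so `actor.user.name = *` now counts users from every data source in the tenant rather than from the Palo Alto firewall logs, and any busy identity or proxy source will crowd the pie. Restore the scope: `query: "#base_search# actor.user.name = * \n| group count = count() by actor.user.name\n| sort -count\n|limit 20"`. Every other panel in this hunk still carries the parameter, so this looks like an accidental deletion rather than a design change.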
@@ -146,18 +137,15 @@
 h: 14,
 w: 20,
 x: 0,
- y: 14
+ y: 42
 },
 maxPieSlices: 10,
 }, {
- query: "#base_search# traffic.bytes_out > 1\n| group sum = sum(traffic.bytes_out)",
+ query: "#base_search# traffic.bytes_out > 1\n| group sum = sum(traffic.bytes_out)",
 title: "Total Bytes Sent in Timeframe",
 graphStyle: "number",
 layout: {
 h: 7,
- i: "9",
- minH: 3,
- minW: 6,
 w: 9,
 x: 51,
 y: 7
@@ -214,7 +202,7 @@
 h: 14,
 w: 29,
 x: 0,
- y: 56
+ y: 70
 },
 lineSmoothing: "straightLines",
 },
@@ -222,14 +210,11 @@
 graphStyle: "number",
 layout: {
 h: 7,
- i: "13",
- minH: 3,
- minW: 6,
 w: 11,
 x: 40,
 y: 7
 },
- query: "#base_search# traffic.bytes_in > 1 | group sum = sum(traffic.bytes_in)\n\n",
+ query: "traffic.bytes_in > 1 | group sum = sum(traffic.bytes)\n\n",
 title: "Total Bytes Received in Timeframe"
 }, {
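Review bot: "Total Bytes Received in Timeframe" now filters on `traffic.bytes_in > 1` but sums `traffic.bytes`, and it also lost the `#base_search#` scope, so the figure becomes total bytes across every data source rather than bytes received through the Palo Alto firewall. Suggest `query: "#base_search# traffic.bytes_in > 1 | group sum = sum(traffic.bytes_in)\n\n"`, which also keeps the panel symmetric with "Total Bytes Sent in Timeframe" earlier in this hunk, whose query is unchanged apart from whitespace.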
@@ -240,43 +225,128 @@
 x: 40,
 y: 0
 },
- query: "dataSource.vendor contains 'Fortinet'\n| group Events = count()\n",
+ query: "#base_search# \n| group Events = count()\n",
 title: "Total Requests in Timeframe"
 }, {
 graphStyle: "donut",
 layout: {
 h: 14,
- i: "15",
- minH: 3,
- minW: 6,
 w: 20,
 x: 0,
- y: 0
+ y: 56
 },
 maxPieSlices: 20,
 query: "#base_search# dst_endpoint.location.country=*\n| group count = count() by dst_endpoint.location.country\n| sort -count\n|limit 20",
 title: "Top Source Countries"
 }, {
- query: " |join\nbaseline = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"baseline\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n),\n\ncurrent = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"current\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n)\n\non \n\nid\n\n| let zscale = (current.average_bytes - baseline.average_bytes) / baseline.std_dev\n| let anomalie = zscale < -2 OR zscale > 2\n| columns anomalie, baseline.average_bytes, current.average_bytes",
- title: "Anomalous Bytes (compare last day to baseline - requires 24 hours of data)",
+ query: " |join\nbaseline = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"baseline\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n),\n\ncurrent = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"current\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n)\n\non \n\nid\n\n| let zscale = (current.average_bytes - baseline.average_bytes) / baseline.std_dev\n| let anomalie = zscale < -2 OR zscale > 2\n| columns baseline.average_bytes, current.average_bytes, anomalie",
+ title: "Anomalous Bytes (compare last day to baseline)",
 graphStyle: "",
 showBarsColumn: "false",
 layout: {
 h: 14,
- i: "16",
- minH: 3,
- minW: 6,
- w: 29,
+ w: 20,
 x: 0,
- y: 70
+ y: 0
 }
+ },
+ {
+ graphStyle: "",
+ query: "dataSource.vendor='Palo Alto Networks' unmapped.to_zone='untrust' unmapped.nat_dst_port=22 | columns src_endpoint.ip, dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out",
+ title: "SSH Connection Outgoing",
+ layout: {
+ h: 14,
+ w: 28,
+ x: 29,
+ y: 70
+},
+ description: "SSH Connection Outgoing",
+ showBarsColumn: "false"
+ },
+ {
+ description: "TOR Connection Outgoing",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 29,
+ x: 0,
+ y: 84
+},
+ query: "dataSource.name = 'Palo Alto Networks Firewall' and metadata.log_name = 'TRAFFIC' and (app = 'tor' or app_name = 'tor') and unmapped.action = 'allow' | columns src_endpoint.ip, dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out",
+ showBarsColumn: "false",
+ title: "TOR Connection Outgoing"
 }
 ],
- options: {
+parameters : [
+ { name: "base_search", options: {display: "hidden"}, defaultValue: "dataSource.name='Palo Alto Networks Firewall'" }
+ ]},
+{"tabName":"GlobalProtect","graphs":[
+ {
+ description: "VPN Logout",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 26,
+ x: 28,
+ y: 0
+},
+ query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-logout' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name,unmapped.login_duration",
+ showBarsColumn: "false",
+ title: "VPN Logout"
 },
- description: "",
- filters: [
- ]
-}
+ {
+ description: "Successful VPN Connection",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 27,
+ x: 0,
+ y: 0
+},
+ query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-connected' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name",
+ showBarsColumn: "false",
+ title: "Successful VPN Connection"
+ },
+ {
+ description: "Brute Force Attempt",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 14
+},
+ query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-auth' | columns device.ip,src_endpoint.location.region, actor.user.name, device.name",
+ showBarsColumn: "false",
+ title: "Brute Force Attempt"
+ },
+ {
+ graphStyle: "pie",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 40,
+ y: 14
+},
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = count() by src_endpoint.location.region | sort -count |limit 20",
+ title: "Source IPs Location BruteForce",
+ },
+ {
+ graphStyle: "pie",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 14
+},
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = count() by device.ip | sort -count |limit 20",
+ title: "Source IPs BruteForce"
+ }
+]}],
+ configType: "TABBED",
+ description: ""
+}
\ No newline at end of file
diff --git a/dashboards/community/palo-latest/metadata.yaml b/dashboards/community/palo-latest/metadata.yaml
index eddbb6f..1bec21a 100644
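Review bot: The GlobalProtect "Brute Force Attempt" panel lists every `metadata.event_code='portal-auth'` event with no outcome filter, count or threshold, and the two "BruteForce" pies group `portal-prelogin` events, which every client emits before it even authenticates — so none of the three panels actually surfaces repeated failed logins, and the titles will mislead an analyst. Filter on the authentication result and aggregate per source, e.g. `... metadata.event_code='portal-auth' status='Failure' | group attempts=count() by device.ip, actor.user.name | filter attempts >= 10 | sort -attempts` (the exact result field this source exposes, `status`/`status_id` or an `unmapped.*` equivalent, needs confirming), and apply the same failure filter to both pies. The "SSH Connection Outgoing" panel keys on `unmapped.nat_dst_port=22`, which misses SSH on non-standard ports and matches non-SSH services on 22; `app_name='ssh'` uses the App-ID classification the TOR panel already relies on and is the better discriminator. The TOR panel also scopes by `dataSource.name` and tests both `app` and `app_name`, while the rest of the tab uses `dataSource.vendor` or `#base_search#`; one consistent scoping expression keeps the panels over the same event set.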
--- a/dashboards/community/palo-latest/metadata.yaml
+++ b/dashboards/community/palo-latest/metadata.yaml
@@ -1,9 +1,9 @@
 metadata_details:
 data_dependencies: "Specify datasource.name or OCSF field"
 required_fields: "Fields required for this dashboard"
- description: "Dashboard migrated from samples-main: palo.conf"
+ description: "Dashboard for PaloAlto firewalls"
 usecase_type: "Operational"
 usecase_action: "Dashboard"
- tags: dashboard, migrated, samples-main
+ tags: dashboard, samples-main
 version: latest
- author: Joel Mora
+ author: Mauro Pavanello
\ No newline at end of file
From 2943cafe9e48f1be1d294107090847455befd88c Mon Sep 17 00:00:00 2001
From: Mauro Pavanello
Date: Tue, 27 Jan 2026 10:32:42 +0100
Subject: [PATCH 2/3] Modified Dashboard PaloAlto and Fortigate
new file: dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
modified: dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
renamed: dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf -> dashboards/community/palo-latest/PaloAlto.conf
modified: dashboards/community/palo-latest/metadata.yaml
---
 .../Fortigate-Firewall-Dashboard.yaml | 314 ++++++++++++++++++
 .../metadata.yaml | 6 +-
 .../PaloAlto.conf} | 160 ++++++---
 .../community/palo-latest/metadata.yaml | 6 +-
 4 files changed, 435 insertions(+), 51 deletions(-)
 create mode 100644 dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
 rename dashboards/community/{Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf => palo-latest/PaloAlto.conf} (55%)
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml b/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
new file mode 100644
index 0000000..143ce39
--- /dev/null
+++ b/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
@@ -0,0 +1,314 @@
+{
+ "title": "FortiGate Firewall – Security & Traffic Overview",
+ "configType": "TABBED",
+ "duration": "24h",
+ "tabs": [
+ {
+ "tabName": "Overview",
+ "graphs": [
+ {
+ "graphStyle": "number",
+ "title": "Distinct FortiGate Devices",
+ "query": "dataSource.vendor='Fortinet' | group estimate_distinct(device.name)",
+ "options": {
+ "suffix": " firewalls"
+ },
+ layout: {
+ h: 5,
+ w: 12,
+ x: 0,
+ y: 0
+ }
+ }, {
+ "graphStyle": "number",
+ "title": "Connections Blocked",
+ "query": "dataSource.vendor='Fortinet' status_detail='blocked' | group count=count() by timestamp=timebucket('1hr')",
+ "options": {
+ "format": "K"
+ },
+ layout: {
+ h: 5,
+ w: 12,
+ x: 12,
+ y: 0
+ },
+ sparklineConfig: {
+ enabled: false
+ },
+ trendConfig: {
+ enabled: true,
+ indicators: {
+ arrow: {
+ enabled: true
+ },
+ number: {
+ calculationType: "ABSOLUTE",
+ enabled: true
+ },
+ upwardsMeaning: "POSITIVE"
+ }
+ }
+ }, {
+ "graphStyle": "line",
+ "title": "Traffic Volume (1 h buckets)",
+ "lineSmoothing": "straightLines",
+ "query": "dataSource.vendor='Fortinet' activity_name='traffic' |let traffic.packets_out=number(traffic.packets_out)\n| group outbound=sum(traffic.packets_out) by timestamp=timebucket('1h')",
+ layout: {
+ h: 19,
+ w: 33,
+ x: 24,
+ y: 0
+ }
+ }, {
+ "graphStyle": "line",
+ "title": "Traffic by Direction",
+ layout: {
+ h: 14,
+ w: 24,
+ x: 0,
+ y: 5
+ },
+ lineSmoothing: "straightLines",
+ query: "activity_name='traffic' |let NumBytesIn=number(traffic.bytes_in) |let NumBytesout=number(traffic.bytes_out) |group 'Bytes Out'=sum(NumBytesout), 'Bytes In'=sum(NumBytesIn) by timestamp=timebucket('1h')"
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.name='FortiGate' unmapped.logdesc=* | group logdesc=count () by unmapped.logdesc| sort -logdesc ",
+ title: "Top Event Type",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 19
+ }
+ }
+ ]
+ }, {
+ "tabName": "Top Talkers",
+ "graphs": [
+ {
+ "graphStyle": "",
+ "title": "Top Source IPs",
+ "query": "dataSource.vendor='Fortinet' unmapped.action='accept' not (src_endpoint.ip contains ('10.','192.168.','0.0.0.0')) | group Connections=count() by src_endpoint.ip | sort -Connections",
+ "showBarsColumn": "false",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 0
+ }
+ }, {
+ "graphStyle": "",
+ "title": "Top Destination IPs",
+ "query": "dataSource.vendor='Fortinet' unmapped.action='accept' not (dst_endpoint.ip contains ('10.','192.168.','0.0.0.0')) | group Connections=count() by dst_endpoint.ip | sort -Connections",
+ "showBarsColumn": "false",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 0
+ }
+ }, {
+ "graphStyle": "donut",
+ "title": "Top Applications (App-ID)",
+ "maxPieSlices": 12,
+ "query": "dataSource.vendor='Fortinet' app_name=* | group count() by app_name",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 40,
+ y: 0
+ },
+ dataLabelType: "PERCENTAGE",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 40,
+ y: 14
+ },
+ maxPieSlices: 12,
+ query: "dataSource.vendor='Fortinet' actor.authorizations\\[0\\].policy.name=* | group count() by actor.authorizations\\[0\\].policy.name",
+ title: "Top Policy",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 14
+ },
+ maxPieSlices: 12,
+ query: "dataSource.name='FortiGate' device.type=* | group count() by device.type",
+ title: "Top Device Type",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 28
+ },
+ maxPieSlices: 12,
+ query: "dataSource.name='FortiGate' device.os.name=* | group count() by device.os.name",
+ title: "Top OS Device",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 14
+ },
+ query: "dataSource.vendor='Fortinet' unmapped.action='deny' src_endpoint.ip=* | group Connections=count() by src_endpoint.ip | sort -Connections",
+ showBarsColumn: "false",
+ title: "Top Deny Source IPs "
+ }
+ ]
+ }, {
+ "tabName": "Threats & Security Events",
+ "graphs": [
+ {
+ "graphStyle": "number",
+ "title": "Intrusion-Prevention Events",
+ "query": "dataSource.vendor='Fortinet' unmapped.level=* | group count()",
+ layout: {
+ h: 5,
+ w: 20,
+ x: 0,
+ y: 0
+ },
+ sparklineConfig: {
+ enabled: false
+ },
+ trendConfig: {
+ enabled: false,
+ indicators: {
+ arrow: {
+ enabled: true
+ },
+ number: {
+ calculationType: "ABSOLUTE",
+ enabled: true
+ },
+ upwardsMeaning: "POSITIVE"
+ }
+ }
+ }, {
+ "graphStyle": "donut",
+ "title": "Threats by Severity",
+ "maxPieSlices": 6,
+ "query": "dataSource.vendor='Fortinet' unmapped.level=* | group count() by unmapped.level ",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 5
+ },
+ dataLabelType: "PERCENTAGE",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ }, {
+ "graphStyle": "",
+ "title": "Recent Critical Events",
+ "query": "activity_name='virus' |columns process.file.name, status_detail, risk_score ",
+ "showBarsColumn": "false",
+ layout: {
+ h: 19,
+ w: 35,
+ x: 20,
+ y: 0
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "donut",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 19
+ },
+ maxPieSlices: 6,
+ query: "dataSource.name='FortiGate' unmapped.action='blocked' actor.user.name=* | group count() by actor.user.name ",
+ title: "Deny from user",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ },
+ ]
+ }, {
+ "tabName": "VPNs",
+ "graphs": [
+ {
+ graphStyle: "",
+ query: "dataSource.name='FortiGate' event.type = 'vpn' unmapped.xauthuser=* unmapped.action = 'tunnel-up' srccountry=*| columns unmapped.date, time, srccountry, unmapped.remip, unmapped.xauthuser, tunnelip ",
+ title: "Successful VPN connection",
+ layout: {
+ h: 14,
+ w: 60,
+ x: 0,
+ y: 0
+ }
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.name='FortiGate' event.type = 'vpn' result = 'ERROR' srccountry=* | group count() by srccountry",
+ title: "Failed VPN location",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 28
+ }
+ }, {
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 60,
+ x: 0,
+ y: 14
+ },
+ query: "dataSource.name='FortiGate' event.type = 'vpn' unmapped.xauthuser=* unmapped.action = 'tunnel-down' srccountry=* | columns unmapped.date, time, srccountry, unmapped.remip, unmapped.xauthuser, unmapped.duration",
+ title: "VPN Logout"
+ }, {
+ dataLabelType: "PERCENTAGE",
+ graphStyle: "pie",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 28
+ },
+ maxPieSlices: 10,
+ query: "dataSource.name='FortiGate' event.type = 'vpn' unmapped.action = 'tunnel-up' srccountry=* | group count() by srccountry",
+ title: "Successfull vpn Location"
+ }
+ ]
+ }
+ ],
+}
\ No newline at end of file
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml b/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
index cb5ac66..9d9f01c 100644
--- a/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
+++ b/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
@@ -1,9 +1,9 @@
 metadata_details:
 data_dependencies: "Specify datasource.name or OCSF field"
 required_fields: "Fields required for this dashboard"
- description: "Dashboard migrated from samples-main: Fortigate-Firewall-Dashboard.conf"
+ description: "Dashboard for Fortigate firewalls"
 usecase_type: "Operational"
 usecase_action: "Dashboard"
- tags: dashboard, migrated, samples-main
+ tags: dashboard, samples-main
 version: latest
- author: Joel Mora
+ author: Mauro Pavanello
\ No newline at end of file
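Review bot: This hunk, and the rest of PATCH 2/3, is byte-identical to PATCH 1/3 — same `index 0000000..143ce39` for this new file, same `index 2693a6f..17192d6` on the rename and the same diffstat — so applied after 1/3 it would fail on an already-existing file; the second commit should be squashed or dropped. Independently of that, the new file is saved as `.yaml` but is JSON with unquoted keys and trailing commas (`},` before the `]` that closes the "Threats & Security Events" graphs, and `],` before the final `}`), which a strict YAML or JSON loader is likely to reject, so either clean those up or use the `.conf` extension the PaloAlto dashboard uses. Two panels, "Traffic by Direction" and "Recent Critical Events", also carry no `dataSource` filter at all and will aggregate every source that emits `activity_name='traffic'` or `'virus'`; prefix them with `dataSource.vendor='Fortinet'` like the surrounding panels.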
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf b/dashboards/community/palo-latest/PaloAlto.conf
similarity index 55%
rename from dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf
rename to dashboards/community/palo-latest/PaloAlto.conf
index 2693a6f..17192d6 100644
--- a/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf
+++ b/dashboards/community/palo-latest/PaloAlto.conf
@@ -1,14 +1,14 @@
 {
- parameters: [
- { name: "base_search", options: {display: "hidden"}, defaultValue: "dataSource.name='FortiGate'" }
- ],
- graphs: [
+ tabs: [{"tabName":"Traffic",
+options : {
+ },
+graphs : [
 {
 breakdownFacet: "app_name",
 graphStyle: "stacked_bar",
 plots: [
 {
- facet: "traffic.bytes_in",
+ facet: "traffic.bytes",
 filter: "(#base_search#)",
 label: "Bytes Received"
 }
@@ -17,9 +17,6 @@
 yScale: "linear",
 layout: {
 h: 14,
- i: "0",
- minH: 3,
- minW: 6,
 w: 20,
 x: 20,
 y: 28
@@ -94,26 +91,20 @@
 title: "Elapsed Time by Category",
 layout: {
 h: 14,
- i: "4",
- minH: 3,
- minW: 6,
 w: 20,
 x: 40,
 y: 14
 },
 lineSmoothing: "straightLines",
 }, {
- query: " #base_search# actor.user.name = * \n| group count = count() by actor.user.name\n| sort -count\n|limit 20",
+ query: "actor.user.name = * \n| group count = count() by actor.user.name\n| sort -count\n|limit 20",
 title: "Top Users",
 graphStyle: "pie",
 layout: {
 h: 14,
- i: "5",
- minH: 3,
- minW: 6,
 w: 20,
 x: 0,
- y: 42
+ y: 28
 },
 maxPieSlices: 10,
 }, {
@@ -128,14 +119,14 @@
 },
 maxPieSlices: 10,
 }, {
- query: "#base_search#\n| group count = count() by src_endpoint.ip\n| sort -count\n|limit 20",
+ query: "#base_search#\n| group count = count() by src_endpoint.ip \n| sort -count\n|limit 20",
 title: "Breakdown of Source IPs",
 graphStyle: "pie",
 layout: {
 h: 14,
 w: 20,
 x: 0,
- y: 28
+ y: 14
 },
 maxPieSlices: 10,
 }, {
@@ -146,18 +137,15 @@
 h: 14,
 w: 20,
 x: 0,
- y: 14
+ y: 42
 },
 maxPieSlices: 10,
 }, {
- query: "#base_search# traffic.bytes_out > 1\n| group sum = sum(traffic.bytes_out)",
+ query: "#base_search# traffic.bytes_out > 1\n| group sum = sum(traffic.bytes_out)",
 title: "Total Bytes Sent in Timeframe",
 graphStyle: "number",
 layout: {
 h: 7,
- i: "9",
- minH: 3,
- minW: 6,
 w: 9,
 x: 51,
 y: 7
@@ -214,7 +202,7 @@
 h: 14,
 w: 29,
 x: 0,
- y: 56
+ y: 70
 },
 lineSmoothing: "straightLines",
 },
@@ -222,14 +210,11 @@
 graphStyle: "number",
 layout: {
 h: 7,
- i: "13",
- minH: 3,
- minW: 6,
 w: 11,
 x: 40,
 y: 7
 },
- query: "#base_search# traffic.bytes_in > 1 | group sum = sum(traffic.bytes_in)\n\n",
+ query: "traffic.bytes_in > 1 | group sum = sum(traffic.bytes)\n\n",
 title: "Total Bytes Received in Timeframe"
 }, {
@@ -240,43 +225,128 @@
 x: 40,
 y: 0
 },
- query: "dataSource.vendor contains 'Fortinet'\n| group Events = count()\n",
+ query: "#base_search# \n| group Events = count()\n",
 title: "Total Requests in Timeframe"
 },
 {
 graphStyle: "donut",
 layout: {
 h: 14,
- i: "15",
- minH: 3,
- minW: 6,
 w: 20,
 x: 0,
- y: 0
+ y: 56
 },
 maxPieSlices: 20,
 query: "#base_search# dst_endpoint.location.country=*\n| group count = count() by dst_endpoint.location.country\n| sort -count\n|limit 20",
 title: "Top Source Countries"
 },
 {
- query: " |join\nbaseline = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"baseline\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n),\n\ncurrent = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"current\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n)\n\non \n\nid\n\n| let zscale = (current.average_bytes - baseline.average_bytes) / baseline.std_dev\n| let anomalie = zscale < -2 OR zscale > 2\n| columns anomalie, baseline.average_bytes, current.average_bytes",
- title: "Anomalous Bytes (compare last day to baseline - requires 24 hours of data)",
+ query: " |join\nbaseline = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"baseline\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n),\n\ncurrent = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"current\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n)\n\non \n\nid\n\n| let zscale = (current.average_bytes - baseline.average_bytes) / baseline.std_dev\n| let anomalie = zscale < -2 OR zscale > 2\n| columns baseline.average_bytes, current.average_bytes, anomalie",
+ title: "Anomalous Bytes (compare last day to baseline)",
 graphStyle: "",
 showBarsColumn: "false",
 layout: {
 h: 14,
- i: "16",
- minH: 3,
- minW: 6,
- w: 29,
+ w: 20,
 x: 0,
- y: 70
+ y: 0
 }
+ },
+ {
+ graphStyle: "",
+ query: "dataSource.vendor='Palo Alto Networks' unmapped.to_zone='untrust' unmapped.nat_dst_port=22 | columns src_endpoint.ip, dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out",
+ title: "SSH Connection Outgoing",
+ layout: {
+ h: 14,
+ w: 28,
+ x: 29,
+ y: 70
+},
+ description: "SSH Connection Outgoing",
+ showBarsColumn: "false"
+ },
+ {
+ description: "TOR Connection Outgoing",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 29,
+ x: 0,
+ y: 84
+},
+ query: "dataSource.name = 'Palo Alto Networks Firewall' and metadata.log_name = 'TRAFFIC' and (app = 'tor' or app_name = 'tor') and unmapped.action = 'allow' | columns src_endpoint.ip, dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out",
+ showBarsColumn: "false",
+ title: "TOR Connection Outgoing"
 }
 ],
- options: {
+parameters : [
+ { name: "base_search", options: {display: "hidden"}, defaultValue: "dataSource.name='Palo Alto Networks Firewall'" }
+ ]},
+{"tabName":"GlobalProtect","graphs":[
+ {
+ description: "VPN Logout",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 26,
+ x: 28,
+ y: 0
+},
+ query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-logout' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name,unmapped.login_duration",
+ showBarsColumn: "false",
+ title: "VPN Logout"
 },
- description: "",
- filters: [
- ]
-}
+ {
+ description: "Successful VPN Connection",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 27,
+ x: 0,
+ y: 0
+},
+ query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-connected' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name",
+ showBarsColumn: "false",
+ title: "Successful VPN Connection"
+ },
+ {
+ description: "Brute Force Attempt",
+ graphStyle: "",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 20,
+ y: 14
+},
+ query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-auth' | columns device.ip,src_endpoint.location.region, actor.user.name, device.name",
+ showBarsColumn: "false",
+ title: "Brute Force Attempt"
+ },
+ {
+ graphStyle: "pie",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 40,
+ y: 14
+},
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = count() by src_endpoint.location.region | sort -count |limit 20",
+ title: "Source IPs Location BruteForce",
+ },
+ {
+ graphStyle: "pie",
+ layout: {
+ h: 14,
+ w: 20,
+ x: 0,
+ y: 14
+},
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = count() by device.ip | sort -count |limit 20",
+ title: "Source IPs BruteForce"
+ }
+]}],
+ configType: "TABBED",
+ description: ""
+}
\ No newline at end of file
diff --git a/dashboards/community/palo-latest/metadata.yaml b/dashboards/community/palo-latest/metadata.yaml
index eddbb6f..1bec21a 100644
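Review bot: The GlobalProtect panels titled "Brute Force Attempt", "Source IPs BruteForce" and "Source IPs Location BruteForce" select no failed or repeated authentication: the first lists every `metadata.event_code='portal-auth'` event and the two pies count every `portal-prelogin` event, so successful logins and ordinary portal reachability render as brute-force activity. A brute-force view needs a failure condition plus a threshold, for example `| group count = count() by actor.user.name, src_endpoint.ip | filter count > <ATTEMPT_THRESHOLD>` after restricting to whatever failure status the GlobalProtect mapping exposes (that field is not visible in this diff); otherwise the titles should say "Portal Authentications" and "Portal Pre-logins" so analysts do not treat them as alerts. The pies also group by `device.ip`; if that is the gateway address rather than the connecting client in this mapping, the breakdown collapses to one or two slices — the "VPN Logout" columns already pair it with `src_endpoint.location.region`, so `src_endpoint.ip` is presumably the client side. The "SSH Connection Outgoing" panel matches only `unmapped.nat_dst_port=22`, so outbound SSH that is not NAT-translated is never shown; that limit belongs in its `description`.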
--- a/dashboards/community/palo-latest/metadata.yaml
+++ b/dashboards/community/palo-latest/metadata.yaml
@@ -1,9 +1,9 @@
 metadata_details:
 data_dependencies: "Specify datasource.name or OCSF field"
 required_fields: "Fields required for this dashboard"
- description: "Dashboard migrated from samples-main: palo.conf"
+ description: "Dashboard for PaloAlto firewalls"
 usecase_type: "Operational"
 usecase_action: "Dashboard"
- tags: dashboard, migrated, samples-main
+ tags: dashboard, samples-main
 version: latest
- author: Joel Mora
+ author: Mauro Pavanello
\ No newline at end of file
From bc82727b400e833382cc518691b4c925b094a004 Mon Sep 17 00:00:00 2001
From: M4uRo78
Date: Thu, 29 Jan 2026 08:53:17 +0100
Subject: [PATCH 3/3] Modified Dashboard PaloAlto and Fortigate
---
 ...yaml => Fortigate-Firewall-Dashboard.conf} | 0
 .../metadata.yaml | 4 +-
 .../community/palo-latest/PaloAlto.conf | 352 -------------
 .../community/palo-latest/metadata.yaml | 4 +-
 dashboards/community/palo-latest/palo.conf | 463 +++++++++---------
 5 files changed, 233 insertions(+), 590 deletions(-)
 rename dashboards/community/Fortigate-Firewall-Dashboard-latest/{Fortigate-Firewall-Dashboard.yaml => Fortigate-Firewall-Dashboard.conf} (100%)
 delete mode 100644 dashboards/community/palo-latest/PaloAlto.conf
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml b/dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf
similarity index 100%
rename from dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.yaml
rename to dashboards/community/Fortigate-Firewall-Dashboard-latest/Fortigate-Firewall-Dashboard.conf
diff --git a/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml b/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
index 9d9f01c..e01ae86 100644
--- a/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
+++ b/dashboards/community/Fortigate-Firewall-Dashboard-latest/metadata.yaml
@@ -1,9 +1,9 @@
 metadata_details:
 data_dependencies: "Specify datasource.name or OCSF field"
 required_fields: "Fields required for this dashboard"
- description: "Dashboard for Fortigate firewalls"
+ description: "Dashboard migrated from samples-main: Fortigate-Firewall-Dashboard.conf"
 usecase_type: "Operational"
 usecase_action: "Dashboard"
- tags: dashboard, samples-main
+ tags: dashboard, migrated, samples-main
 version: latest
 author: Mauro Pavanello
\ No newline at end of file
diff --git a/dashboards/community/palo-latest/PaloAlto.conf b/dashboards/community/palo-latest/PaloAlto.conf
deleted file mode 100644
index 17192d6..0000000
--- a/dashboards/community/palo-latest/PaloAlto.conf
+++ /dev/null
@@ -1,352 +0,0 @@ -{ - tabs: [{"tabName":"Traffic", -options : { - }, -graphs : [ - { - breakdownFacet: "app_name", - graphStyle: "stacked_bar", - plots: [ - { - facet: "traffic.bytes", - filter: "(#base_search#)", - label: "Bytes Received" - } -], - title: "Bytes Received by Application", - yScale: "linear", - layout: { - h: 14, - w: 20, - x: 20, - y: 28 -}, - barWidth: "auto", - }, { - barWidth: "5 minutes", - breakdownFacet: "app_name", - graphStyle: "stacked_bar", - plots: [ - { - facet: "traffic.bytes_out", - filter: "(#base_search#)", - label: "Bytes_Sent" - } -], - title: "Bytes Sent by Application", - yScale: "linear", - layout: { - h: 14, - w: 20, - x: 40, - y: 28 -}, - }, { - breakdownFacet: "location.dst_country", - graphStyle: "stacked_bar", - plots: [ - { - facet: "rate", - filter: "(#base_search#)", - label: "rate" - } - ], - title: "Requests by Destination Country", - layout: { - h: 14, - w: 20, - x: 40, - y: 42 -}, - lineSmoothing: "straightLines", - barWidth: "auto" - }, { - breakdownFacet: "actor.user.name", - graphStyle: "line", - plots: [ - { - facet: "rate", - filter: "#base_search#", - label: "rate" - } -], - title: "Requests by Destination User", - layout: { - h: 14, - w: 20, - x: 20, - y: 14 -}, - lineSmoothing: "straightLines", - }, { - breakdownFacet: "category_name", - graphStyle: "line", - plots: [ - { - facet: "duration", - filter: "#base_search# ", - label: "Elapsed_Time" - } -], - title: "Elapsed Time by Category", - layout: { - h: 14, - w: 20, - x: 40, - y: 14 -}, - lineSmoothing: "straightLines", - }, { - query: "actor.user.name = * \n| group count = count() by actor.user.name\n| sort -count\n|limit 20", - title: "Top Users", - graphStyle: "pie", - layout: { - h: 14, - w: 20, - x: 0, - y: 28 -}, - maxPieSlices: 10, - }, { - query: "#base_search# | group count = count() by dst_endpoint.ip \n| sort -count\n|limit 20", - title: "Breakdown of Destination IPs", - graphStyle: "donut", - layout: { - h: 14, - w: 20, - x: 20, - y: 0 -}, - 
maxPieSlices: 10, - }, { - query: "#base_search#\n| group count = count() by src_endpoint.ip \n| sort -count\n|limit 20", - title: "Breakdown of Source IPs", - graphStyle: "pie", - layout: { - h: 14, - w: 20, - x: 0, - y: 14 -}, - maxPieSlices: 10, - }, { - query: "#base_search# app_name=*\n| group count = count() by app_name\n| sort -count\n|limit 20", - title: "Requests by Applications", - graphStyle: "donut", - layout: { - h: 14, - w: 20, - x: 0, - y: 42 -}, - maxPieSlices: 10, - }, { - query: "#base_search# traffic.bytes_out > 1\n| group sum = sum(traffic.bytes_out)", - title: "Total Bytes Sent in Timeframe", - graphStyle: "number", - layout: { - h: 7, - w: 9, - x: 51, - y: 7 -}, - }, { - breakdownFacet: "location.src_country", - graphStyle: "stacked_bar", - plots: [ - { - facet: "rate", - filter: "(#base_search#)", - label: "rate" - } - ], - title: "Requests by Source Country", - layout: { - h: 14, - w: 20, - x: 20, - y: 42 -}, - lineSmoothing: "straightLines", - barWidth: "auto" - }, { - breakdownFacet: "rule.name", - graphStyle: "line", - plots: [ - { - facet: "rate", - filter: "#base_search#", - label: "rate" - } - ], - title: "Rule Breaakdown", - layout: { - h: 14, - w: 31, - x: 29, - y: 56 -}, - lineSmoothing: "straightLines", - }, { - breakdownFacet: "severity", - graphStyle: "line", - plots: [ - { - facet: "rate", - filter: "#base_search# ", - label: "rate" - } -], - title: "Severity breakdown", - layout: { - h: 14, - w: 29, - x: 0, - y: 70 -}, - lineSmoothing: "straightLines", - }, - { - graphStyle: "number", - layout: { - h: 7, - w: 11, - x: 40, - y: 7 -}, - query: "traffic.bytes_in > 1 | group sum = sum(traffic.bytes)\n\n", - title: "Total Bytes Received in Timeframe" - }, - { - graphStyle: "number", - layout: { - h: 7, - w: 20, - x: 40, - y: 0 -}, - query: "#base_search# \n| group Events = count()\n", - title: "Total Requests in Timeframe" - }, - { - graphStyle: "donut", - layout: { - h: 14, - w: 20, - x: 0, - y: 56 -}, - maxPieSlices: 20, - query: 
"#base_search# dst_endpoint.location.country=*\n| group count = count() by dst_endpoint.location.country\n| sort -count\n|limit 20", - title: "Top Source Countries" - }, - { - query: " |join\nbaseline = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"baseline\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n),\n\ncurrent = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"current\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n)\n\non \n\nid\n\n| let zscale = (current.average_bytes - baseline.average_bytes) / baseline.std_dev\n| let anomalie = zscale < -2 OR zscale > 2\n| columns baseline.average_bytes, current.average_bytes, anomalie", - title: "Anomalous Bytes (compare last day to baseline)", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 14, - w: 20, - x: 0, - y: 0 -} - }, - { - graphStyle: "", - query: "dataSource.vendor='Palo Alto Networks' unmapped.to_zone='untrust' unmapped.nat_dst_port=22 | columns src_endpoint.ip, dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out", - title: "SSH Connection Outgoing", - layout: { - h: 14, - w: 28, - x: 29, - y: 70 -}, - description: "SSH Connection Outgoing", - showBarsColumn: "false" - }, - { - description: "TOR Connection Outgoing", - graphStyle: "", - layout: { - h: 14, - w: 29, - x: 0, - y: 84 -}, - query: "dataSource.name = 'Palo Alto Networks Firewall' and metadata.log_name = 'TRAFFIC' and (app = 'tor' or app_name = 'tor') and unmapped.action = 'allow' | columns 
src_endpoint.ip, dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out", - showBarsColumn: "false", - title: "TOR Connection Outgoing" - } - ], -parameters : [ - { name: "base_search", options: {display: "hidden"}, defaultValue: "dataSource.name='Palo Alto Networks Firewall'" } - ]}, -{"tabName":"GlobalProtect","graphs":[ - { - description: "VPN Logout", - graphStyle: "", - layout: { - h: 14, - w: 26, - x: 28, - y: 0 -}, - query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-logout' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name,unmapped.login_duration", - showBarsColumn: "false", - title: "VPN Logout" - }, - { - description: "Successful VPN Connection", - graphStyle: "", - layout: { - h: 14, - w: 27, - x: 0, - y: 0 -}, - query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-connected' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name", - showBarsColumn: "false", - title: "Successful VPN Connection" - }, - { - description: "Brute Force Attempt", - graphStyle: "", - layout: { - h: 14, - w: 20, - x: 20, - y: 14 -}, - query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-auth' | columns device.ip,src_endpoint.location.region, actor.user.name, device.name", - showBarsColumn: "false", - title: "Brute Force Attempt" - }, - { - graphStyle: "pie", - layout: { - h: 14, - w: 20, - x: 40, - y: 14 -}, - maxPieSlices: 10, - query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = count() by src_endpoint.location.region | sort -count |limit 20", - title: "Source IPs Location BruteForce", - }, - { - graphStyle: "pie", - layout: { - h: 14, - w: 20, - x: 0, - y: 14 -}, - maxPieSlices: 10, - query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = 
count() by device.ip | sort -count |limit 20", - title: "Source IPs BruteForce" - } -]}], - configType: "TABBED", - description: "" -} \ No newline at end of file diff --git a/dashboards/community/palo-latest/metadata.yaml b/dashboards/community/palo-latest/metadata.yaml index 1bec21a..52f85a8 100644 --- a/dashboards/community/palo-latest/metadata.yaml +++ b/dashboards/community/palo-latest/metadata.yaml @@ -1,9 +1,9 @@ metadata_details: data_dependencies: "Specify datasource.name or OCSF field" required_fields: "Fields required for this dashboard" - description: "Dashboard for PaloAlto firewalls" + description: "Dashboard migrated from samples-main: palo.conf" usecase_type: "Operational" usecase_action: "Dashboard" - tags: dashboard, samples-main + tags: dashboard, migrated, samples-main version: latest author: Mauro Pavanello \ No newline at end of file diff --git a/dashboards/community/palo-latest/palo.conf b/dashboards/community/palo-latest/palo.conf index 65c6c28..17192d6 100644 --- a/dashboards/community/palo-latest/palo.conf +++ b/dashboards/community/palo-latest/palo.conf 
@@ -1,123 +1,103 @@ { - graphs: [ + tabs: [{"tabName":"Traffic", +options : { + }, +graphs : [ { - breakdownFacet: "Application", + breakdownFacet: "app_name", graphStyle: "stacked_bar", plots: [ - { - facet: "Bytes_Received", - filter: "(logfile='paloalto')", - label: "Bytes_Received" - } - ], + { + facet: "traffic.bytes", + filter: "(#base_search#)", + label: "Bytes Received" + } +], title: "Bytes Received by Application", yScale: "linear", layout: { h: 14, w: 20, - x: 0, - y: 14 + x: 20, + y: 28 }, - lineSmoothing: "straightLines" - }, - { + barWidth: "auto", + }, { barWidth: "5 minutes", - breakdownFacet: "Application", + breakdownFacet: "app_name", graphStyle: "stacked_bar", plots: [ - { - facet: "Bytes_Sent", - filter: "(logfile='paloalto')", - label: "Bytes_Sent" - } - ], + { + facet: "traffic.bytes_out", + filter: "(#base_search#)", + label: "Bytes_Sent" + } +], title: "Bytes Sent by Application", yScale: "linear", layout: { h: 14, w: 20, - x: 20, + x: 40, y: 28 -} - }, - { - barWidth: "5 minutes", - breakdownFacet: "Destination_IP", - graphStyle: "line", +}, + }, { + breakdownFacet: "location.dst_country", + graphStyle: "stacked_bar", plots: [ { facet: "rate", - filter: "(logfile='paloalto')", + filter: "(#base_search#)", label: "rate" } ], - title: "Requests by IP", + title: "Requests by Destination Country", layout: { h: 14, w: 20, x: 40, - y: 70 -} - }, - { - barWidth: "5 minutes", - breakdownFacet: "Destination_Zone", - graphStyle: "line", - plots: [ - { - facet: "rate", - filter: "(logfile='paloalto')", - label: "rate" - } - ], - title: "Requests by Destination Zone", - layout: { - h: 14, - w: 20, - x: 20, - y: 0 -} - }, - { - barWidth: "5 minutes", - breakdownFacet: "Destination_User", + y: 42 +}, + lineSmoothing: "straightLines", + barWidth: "auto" + }, { + breakdownFacet: "actor.user.name", graphStyle: "line", plots: [ - { - facet: "rate", - filter: "(logfile='paloalto')", - label: "rate" - } - ], + { + facet: "rate", + filter: "#base_search#", + 
label: "rate" + } +], title: "Requests by Destination User", layout: { h: 14, w: 20, x: 20, - y: 42 -} - }, - { - barWidth: "5 minutes", - breakdownFacet: "Category", + y: 14 +}, + lineSmoothing: "straightLines", + }, { + breakdownFacet: "category_name", graphStyle: "line", plots: [ - { - facet: "Elapsed_Time", - filter: "(logfile='paloalto')", - label: "Elapsed_Time" - } - ], + { + facet: "duration", + filter: "#base_search# ", + label: "Elapsed_Time" + } +], title: "Elapsed Time by Category", layout: { h: 14, w: 20, x: 40, - y: 28 -} - }, - { - query: "logfile contains 'paloalto' Source_User = * \n| group count = count() by Source_User \n| sort -count\n|limit 20", + y: 14 +}, + lineSmoothing: "straightLines", + }, { + query: "actor.user.name = * \n| group count = count() by actor.user.name\n| sort -count\n|limit 20", title: "Top Users", graphStyle: "pie", layout: { @@ -125,37 +105,32 @@ w: 20, x: 0, y: 28 -} - }, - { - query: "logfile contains 'paloalto' \n| group count = count() by Destination_IP \n| sort -count\n|limit 20", +}, + maxPieSlices: 10, + }, { + query: "#base_search# | group count = count() by dst_endpoint.ip \n| sort -count\n|limit 20", title: "Breakdown of Destination IPs", graphStyle: "donut", layout: { h: 14, w: 20, x: 20, - y: 56 + y: 0 }, - maxPieSlices: 10 - }, - { - query: "logfile contains 'paloalto' \n| group count = count() by Source_IP \n| sort -count\n|limit 20", + maxPieSlices: 10, + }, { + query: "#base_search#\n| group count = count() by src_endpoint.ip \n| sort -count\n|limit 20", title: "Breakdown of Source IPs", graphStyle: "pie", layout: { h: 14, - i: "8", - minH: 3, - minW: 6, w: 20, x: 0, - y: 0 + y: 14 }, - maxPieSlices: 10 - }, - { - query: "logfile contains 'paloalto' \n| group count = count() by Application \n| sort -count\n|limit 20", + maxPieSlices: 10, + }, { + query: "#base_search# app_name=*\n| group count = count() by app_name\n| sort -count\n|limit 20", title: "Requests by Applications", graphStyle: "donut", layout: { 
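Review bot: `breakdownFacet: "location.dst_country"` on "Requests by Destination Country" (and `breakdownFacet: "location.src_country"` in `@@ -163,195 +138,215 @@`) does not match the field naming the rest of this file uses for the same data — "Top Source Countries" groups on `dst_endpoint.location.country` — so if the events are OCSF-mapped as the other queries assume, these breakdowns run on a field that is not populated and render empty. Presumably the intended facets are `breakdownFacet: "dst_endpoint.location.country",` and `breakdownFacet: "src_endpoint.location.country",`; please confirm against the mapping. This hunk is the head of the file's single top-level object, whose closing brace is in the last hunk.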
@@ -163,195 +138,215 @@ w: 20, x: 0, y: 42 -} - }, - { - query: "logfile contains 'paloalto' Bytes_Received = *\n| group count = count() ", - title: "Total Requests", - layout: { - h: 14, - w: 20, - x: 20, - y: 70 -} - }, - { - query: "logfile contains 'paloalto' Bytes_Received = *\n| group count = count() ", +}, + maxPieSlices: 10, + }, { + query: "#base_search# traffic.bytes_out > 1\n| group sum = sum(traffic.bytes_out)", title: "Total Bytes Sent in Timeframe", graphStyle: "number", layout: { h: 7, - w: 20, - x: 40, + w: 9, + x: 51, y: 7 -} - }, - { - query: "logfile contains 'paloalto' Bytes_Sent = *\n| parse \"$Bytes{regex=\\\\d+}$\" from Bytes_Sent \n| group sum = sum(Bytes)\n\n", - title: "Total Bytes Received in Timeframe", - graphStyle: "number", - layout: { - h: 7, - w: 20, - x: 40, - y: 0 -} - }, - { - barWidth: "1 minute", - breakdownFacet: "Destination_Port", +}, + }, { + breakdownFacet: "location.src_country", graphStyle: "stacked_bar", plots: [ { - facet: "Packets", - filter: "(logfile='paloalto')", - label: "Packets" + facet: "rate", + filter: "(#base_search#)", + label: "rate" } ], - title: "Packets by port", - yScale: "linear", + title: "Requests by Source Country", layout: { h: 14, w: 20, - x: 0, - y: 70 -} - }, - { - barWidth: "1 minute", - breakdownFacet: "Source_Zone", + x: 20, + y: 42 +}, + lineSmoothing: "straightLines", + barWidth: "auto" + }, { + breakdownFacet: "rule.name", graphStyle: "line", plots: [ { facet: "rate", - filter: "(logfile='paloalto')", + filter: "#base_search#", label: "rate" } ], - title: "Requests by Source Zone", + title: "Rule Breaakdown", layout: { h: 14, - w: 20, + w: 31, + x: 29, + y: 56 +}, + lineSmoothing: "straightLines", + }, { + breakdownFacet: "severity", + graphStyle: "line", + plots: [ + { + facet: "rate", + filter: "#base_search# ", + label: "rate" + } +], + title: "Severity breakdown", + layout: { + h: 14, + w: 29, + x: 0, + y: 70 +}, + lineSmoothing: "straightLines", + }, + { + graphStyle: "number", + 
layout: { + h: 7, + w: 11, x: 40, - y: 42 -} + y: 7 +}, + query: "traffic.bytes_in > 1 | group sum = sum(traffic.bytes)\n\n", + title: "Total Bytes Received in Timeframe" }, { - query: "logfile='paloalto' parser = 'pa-firewall01' URL-Filename \n = * \n| group count = count() by URL-Filename \n| sort -count\n", - title: "URL-Filename breakdown ", + graphStyle: "number", layout: { - h: 14, + h: 7, w: 20, x: 40, - y: 14 -} + y: 0 +}, + query: "#base_search# \n| group Events = count()\n", + title: "Total Requests in Timeframe" }, { - breakdownFacet: "Destination_IP", - graphStyle: "line", - plots: [ - { - facet: "rate", - filter: "logfile contains 'paloalto'", - label: "rate" - } - ], - title: "Destination Ip Breakdown", + graphStyle: "donut", layout: { h: 14, w: 20, x: 0, y: 56 -} +}, + maxPieSlices: 20, + query: "#base_search# dst_endpoint.location.country=*\n| group count = count() by dst_endpoint.location.country\n| sort -count\n|limit 20", + title: "Top Source Countries" }, { - breakdownFacet: "Rule_Name", - graphStyle: "line", - plots: [ - { - facet: "rate", - filter: "logfile contains 'paloalto'", - label: "rate" - } - ], - title: "Rule Breaakdown", + query: " |join\nbaseline = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? \"baseline\" : \"current\"\n| filter data = \"baseline\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n),\n\ncurrent = (#base_search# traffic.bytes > 1 \n| group bytes = sum(traffic.bytes) by timestamp= timebucket('1d'), src_endpoint.ip\t\n| let Yesterday = queryend() - (24 * 60 * 60 * 1000000000)\n| let data = timestamp<=Yesterday? 
\"baseline\" : \"current\"\n| filter data = \"current\"\n| group average_bytes = average(bytes), std_dev = stddev(bytes) by data\n| let id = \"1\"\n)\n\non \n\nid\n\n| let zscale = (current.average_bytes - baseline.average_bytes) / baseline.std_dev\n| let anomalie = zscale < -2 OR zscale > 2\n| columns baseline.average_bytes, current.average_bytes, anomalie", + title: "Anomalous Bytes (compare last day to baseline)", + graphStyle: "", + showBarsColumn: "false", layout: { h: 14, - w: 19, - x: 1, - y: 84 + w: 20, + x: 0, + y: 0 } }, { - breakdownFacet: "severity", - graphStyle: "line", - plots: [ - { - facet: "rate", - filter: "logfile contains 'paloalto' severity>=5", - label: "rate" - } - ], - title: "Severity breakdown", + graphStyle: "", + query: "dataSource.vendor='Palo Alto Networks' unmapped.to_zone='untrust' unmapped.nat_dst_port=22 | columns src_endpoint.ip, dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out", + title: "SSH Connection Outgoing", layout: { h: 14, - w: 20, - x: 20, - y: 14 -} + w: 28, + x: 29, + y: 70 +}, + description: "SSH Connection Outgoing", + showBarsColumn: "false" }, { - barWidth: "5 minutes", - breakdownFacet: "Virtual_System", - graphStyle: "stacked_bar", - plots: [ - { - facet: "rate", - filter: "logfile contains 'paloalto' severity>=5", - label: "rate" - } - ], - title: "Breakdown of Virtual Systems", - yScale: "linear", + description: "TOR Connection Outgoing", + graphStyle: "", layout: { h: 14, - w: 19, - x: 21, + w: 29, + x: 0, y: 84 -} - }, - { - barWidth: "5 minutes", - breakdownFacet: "Application", - graphStyle: "stacked_bar", - plots: [ - { - facet: "p999(Bytes_Received)", - filter: "(logfile='paloalto')", - label: "p999(Bytes_Received)" - } - ], - title: "p99 Bytes Received", - yScale: "linear", - layout: { +}, + query: "dataSource.name = 'Palo Alto Networks Firewall' and metadata.log_name = 'TRAFFIC' and (app = 'tor' or app_name = 'tor') and unmapped.action = 'allow' | columns src_endpoint.ip, 
dst_endpoint.ip, app_name, dst_endpoint.location.region, traffic.bytes_out", + showBarsColumn: "false", + title: "TOR Connection Outgoing" + } + ], +parameters : [ + { name: "base_search", options: {display: "hidden"}, defaultValue: "dataSource.name='Palo Alto Networks Firewall'" } + ]}, +{"tabName":"GlobalProtect","graphs":[ + { + description: "VPN Logout", + graphStyle: "", + layout: { + h: 14, + w: 26, + x: 28, + y: 0 +}, + query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-logout' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name,unmapped.login_duration", + showBarsColumn: "false", + title: "VPN Logout" + }, + { + description: "Successful VPN Connection", + graphStyle: "", + layout: { + h: 14, + w: 27, + x: 0, + y: 0 +}, + query: "dataSource.vendor='Palo Alto Networks' metadata.event_code='gateway-connected' | columns time,device.ip,src_endpoint.location.region, actor.user.name, device.name", + showBarsColumn: "false", + title: "Successful VPN Connection" + }, + { + description: "Brute Force Attempt", + graphStyle: "", + layout: { + h: 14, + w: 20, + x: 20, + y: 14 +}, + query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-auth' | columns device.ip,src_endpoint.location.region, actor.user.name, device.name", + showBarsColumn: "false", + title: "Brute Force Attempt" + }, + { + graphStyle: "pie", + layout: { h: 14, w: 20, x: 40, - y: 56 -} - }, - { - barWidth: "1 minute", - graphStyle: "stacked_bar", - plots: [ - { - filter: "action = 'ACCEPT' dstaddr = * logfile='minecraft' serverHost='cloudwatch-630972250024'", - label: "Rate" - } - ], - title: "Flow Logs Accepted", - yScale: "linear" - } - ], - options: {} -} + y: 14 +}, + maxPieSlices: 10, + query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = count() by src_endpoint.location.region | sort -count |limit 20", + title: 
"Source IPs Location BruteForce", + }, + { + graphStyle: "pie", + layout: { + h: 14, + w: 20, + x: 0, + y: 14 +}, + maxPieSlices: 10, + query: "dataSource.vendor='Palo Alto Networks' activity_name='GLOBALPROTECT' metadata.event_code='portal-prelogin' \n| group count = count() by device.ip | sort -count |limit 20", + title: "Source IPs BruteForce" + } +]}], + configType: "TABBED", + description: "" +} \ No newline at end of file