NxtFireGuard Dashboard Search

1. Introduction 🔍

The NxtFireGuard Dashboard offers a powerful search function that allows you to filter specific security events and threats based on various parameters. This guide will show you how to perform a search and what fields are available.

2. Example Search 📊

Here's an example of a search query to filter for a specific threat case:

threat_name: "SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt, Unknown Traffic"
AND source_ip: "203.0.113.45"
AND target_ip: "192.168.10.5"
AND target_port: "443"
AND domain: "example.org"
AND criticality: 3

3. Explanation of Search Parameters 📋

countrycode

The two-letter ISO country code of the country from which the traffic originated, which helps identify geographical patterns in threats.
Example: countrycode: "US" restricts results to traffic originating from the United States.

countryname

The name of the country associated with the source IP. Understanding the geographic sources of attacks can aid in geopolitical risk assessments.
Example: countryname: "Canada" indicates that the traffic originated from Canada.

criticality

A classification of the threat’s severity, helping prioritize responses.
Example: criticality: 5 indicates a very high severity level for the incident.

domain

The domain associated with the attacker's source IP, providing context about the origin of the traffic.
Example: domain: "malicious.com" restricts results to traffic whose source IP is associated with this domain.

host

The host that sent the alert, indicating the asset involved in the incident.
Example: host: "server1.example.com" shows which server generated the alert.

host_type

The category of the host that sent the alert (for example a Cisco ISE or a Cisco Firepower firewall), which makes it possible to narrow a search to alerts raised by one kind of sensor.
Example: host_type: "cisco-firepower" shows all alerts reported by Cisco Firepower firewalls.

isp

The Internet Service Provider associated with the source IP. Analyzing traffic from certain ISPs can provide insights into potential malicious patterns.
Example: isp: "Comcast" reveals that the source IP is serviced by Comcast.

istor

Indicates whether the source IP is a known Tor node.
Example: istor: true restricts results to traffic whose source IP address is part of the Tor network.

source_ip

The IP address that initiated the traffic.
Example: source_ip: "203.0.113.45" shows the origin of the network traffic.

target_ip

The IP address that was attacked.
Example: target_ip: "192.168.10.5" indicates the specific target of the attack.

target_port

The port targeted during the attack.
Example: target_port: "80" suggests that the attack was aimed at the HTTP service.

threat_name

The descriptive name of the threat.
Example: threat_name: "SQL Injection Attempt" specifies the type of attack being analyzed.

4. Wildcard Search with the * Operator ✨

The * operator acts as a placeholder for any sequence of characters in a field value; everything else in the value must match literally. For example:
Domain search with wildcard:
To search for all subdomains of example.org (any domain ending with ".example.org"):

domain: "*.example.org" 

Note that this pattern requires the literal ".example.org" suffix, so the bare domain "example.org" itself is not matched.

IP search with wildcard:
To search for IP addresses starting with "192.168.":

source_ip: "192.168.*" 

The match is textual, not a CIDR calculation, so keep the trailing dot before the wildcard: "192.16*" would also match addresses such as 192.160.0.1.

5. Applying the Search 🔎

You can enter the syntax described above into the dashboard's search field to filter for specific incidents. Using AND connects multiple filter criteria, so the search only returns results that meet all conditions.

6. Exclusion of Results in the NxtFireGuard Dashboard Search Syntax 🚫

Sometimes you want to exclude certain results from your search to focus on other threats or events. This section shows how to use the NOT operator to exclude specific entries.

7. Example of an Exclusion Search ❌

Here's an example of a search query that excludes specific IP addresses, country codes, ports, domains, and threats:

NOT source_ip: "203.0.113.45"
AND NOT countrycode: "US"
AND NOT target_ip: "192.168.10.50"
AND NOT target_port: "443"
AND NOT threat_name: "SERVER-WEBAPP TP-Link Archer Router command injection attempt, A System Call was Detected"
AND NOT domain: "example.org"
AND NOT criticality: 2

8. Wildcard Search with the * Operator for Exclusions 🚷

The * operator can also be used to exclude multiple entries at once. As in a normal search, it acts as a placeholder for any sequence of characters:

Exclude domains:
To exclude all domains ending with example.org:

NOT domain: "*.example.org"

Exclude IPs:
To exclude all IP addresses starting with 192.168.:

NOT source_ip: "192.168.*"

Excluding multiple criteria:
You can exclude multiple values for a field. For example:

NOT source_ip: ("203.0.113.45" OR "198.51.100.23")
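To make the semantics of the syntax above concrete (AND-joined clauses, NOT exclusion, the * wildcard, and a parenthesised OR list of values), here is a small reference evaluator that runs the page's queries against a handful of constructed events. This is an added example written for this page, not NxtFireGuard code, and it does not reproduce the dashboard's actual query engine: it assumes that matching is exact and case-sensitive, that * stands for any run of characters, that numbers and booleans are compared by their textual form, and that a field missing from an event never matches (so a NOT clause keeps such events). The sample events are invented.

```python
import re

# Constructed sample events for this example; they are not real NxtFireGuard data.
EVENTS = [
    {"source_ip": "203.0.113.45", "target_ip": "192.168.10.5", "target_port": "443",
     "domain": "example.org", "criticality": 3, "istor": False,
     "threat_name": "SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt, Unknown Traffic"},
    {"source_ip": "198.51.100.23", "target_ip": "192.168.10.50", "target_port": "80",
     "domain": "mail.example.org", "criticality": 2, "istor": True,
     "threat_name": "SQL Injection Attempt"},
    {"source_ip": "192.168.5.9", "target_ip": "192.168.10.5", "target_port": "22",
     "domain": "", "criticality": 5, "istor": False,
     "threat_name": "SSH brute force attempt"},
    {"source_ip": "203.0.113.99", "target_ip": "192.168.10.5", "target_port": "443",
     "domain": "example.net", "criticality": 3, "istor": False,
     "threat_name": "SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt, Unknown Traffic"},
]

# One token per match: a quoted value, a parenthesis, a colon, or a bare word.
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|([()])|(:)|([^\s:()"]+))')


def tokenize(query):
    """Split a query into (kind, text) tokens; AND/OR/NOT become keyword tokens."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        quoted, paren, colon, word = m.groups()
        if quoted is not None:
            tokens.append(("VALUE", quoted[1:-1]))
        elif paren:
            tokens.append((paren, paren))
        elif colon:
            tokens.append((":", ":"))
        elif word.upper() in ("AND", "OR", "NOT"):
            tokens.append((word.upper(), word))
        else:
            tokens.append(("WORD", word))   # field names and unquoted values such as 3 or true
    return tokens


def parse(query):
    """Return a list of (negated, field, values) clauses; clauses are joined by AND."""
    tokens = tokenize(query)
    clauses, i = [], 0

    def take(kind):
        nonlocal i
        if i >= len(tokens) or tokens[i][0] != kind:
            raise ValueError(f"expected {kind} at token {i}")
        i += 1
        return tokens[i - 1][1]

    def take_value():
        nonlocal i
        if i >= len(tokens) or tokens[i][0] not in ("VALUE", "WORD"):
            raise ValueError(f"expected a value at token {i}")
        i += 1
        return tokens[i - 1][1]

    while i < len(tokens):
        negated = tokens[i][0] == "NOT"
        if negated:
            i += 1
        field = take("WORD")
        take(":")
        values = []
        if i < len(tokens) and tokens[i][0] == "(":      # field: (v1 OR v2 ...)
            i += 1
            values.append(take_value())
            while i < len(tokens) and tokens[i][0] != ")":
                take("OR")
                values.append(take_value())
            take(")")
        else:
            values.append(take_value())
        clauses.append((negated, field, values))
        if i < len(tokens):
            take("AND")                                   # only AND joins clauses
    return clauses


def value_matches(pattern, actual):
    """Exact, case-sensitive comparison; '*' stands for any run of characters (assumption)."""
    if isinstance(actual, bool):
        actual = "true" if actual else "false"
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(actual)) is not None


def event_matches(event, clauses):
    for negated, field, values in clauses:
        hit = field in event and any(value_matches(v, event[field]) for v in values)
        # A positive clause needs a hit, a NOT clause needs no hit; a missing field is never a hit.
        if hit == negated:
            return False
    return True


def search(events, query):
    """Return the events that satisfy every clause of the query."""
    clauses = parse(query)
    return [e for e in events if event_matches(e, clauses)]


if __name__ == "__main__":
    queries = [
        'threat_name: "SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt, Unknown Traffic" '
        'AND source_ip: "203.0.113.45" AND target_ip: "192.168.10.5" AND target_port: "443" '
        'AND domain: "example.org" AND criticality: 3',
        'domain: "*.example.org"',
        'source_ip: "192.168.*"',
        'NOT source_ip: ("203.0.113.45" OR "198.51.100.23") AND criticality: 3',
        'istor: true',
    ]
    for q in queries:
        print(q[:60], "->", [e["source_ip"] for e in search(EVENTS, q)])
```

Running it shows the wildcard caveat from section 4 directly: domain: "*.example.org" returns only the mail.example.org event, because the bare example.org lacks the required ".example.org" suffix, and NOT domain: "*.example.org" therefore keeps it. Under these assumptions the first query returns exactly the single event the page's section 2 example is built around.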