NxtFireGuard Dashboard Search
1. Introduction
The NxtFireGuard Dashboard offers a powerful search function that allows you to filter specific security events and threats based on various parameters. This guide will show you how to perform a search and what fields are available.
2. Example Search
Here's an example of a search query to filter for a specific threat case:
threat_name: "SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt, Unknown Traffic"
AND source_ip: "203.0.113.45"
AND target_ip: "192.168.10.5"
AND target_port: "443"
AND domain: "example.org"
AND criticality: 3
3. Explanation of Search Parameters
countrycode
The ISO code representing the country from which the traffic originated, which helps identify geographical patterns in threats.
Example: countrycode: "US"
might indicate that the traffic is coming from the United States.
countryname
The name of the country associated with the source IP. Understanding the geographic sources of attacks can aid in geopolitical risk assessments.
Example: countryname: "Canada"
indicates that the traffic originated from Canada.
criticality
A classification of the threat's severity, which helps prioritize responses.
Example: criticality: 5
indicates a very high severity level for the incident.
domain
The domain from which the attacker IP originates, providing context about potential threats.
Example: domain: "malicious.com"
suggests that the attack is linked to this specific domain.
host
The host that sent the alert, indicating the asset involved in the incident.
Example: host: "server1.example.com"
shows which server generated the alert.
host_type
The category of the host sending the alert, which assists in identifying attackers targeting specific host types, such as Cisco ISE.
Example: host_type: "cisco-firepower"
shows all attacks targeting a Cisco-Firepower Firewall.
isp
The Internet Service Provider associated with the source IP. Analyzing traffic from certain ISPs can provide insights into potential malicious patterns.
Example: isp: "Comcast"
reveals that the source IP is serviced by Comcast.
istor
Indicates whether the IP is a known TOR node.
Example: istor: true
suggests that the IP address is part of the TOR network.
source_ip
The IP address that initiated the traffic.
Example: source_ip: "203.0.113.45"
shows the origin of the network traffic.
target_ip
The IP address that was attacked.
Example: target_ip: "192.168.10.5"
indicates the specific target of the attack.
target_port
The port targeted during the attack.
Example: target_port: "80"
suggests that the attack was aimed at the HTTP service.
threat_name
The descriptive name of the threat.
Example: threat_name: "SQL Injection Attempt"
specifies the type of attack being analyzed.
4. Wildcard Search with the * Operator
The * operator acts as a placeholder for any arbitrary value in a field. For example:
Domain search with wildcard:
To search for a domain ending with example.org:
domain: "*.example.org"
IP search with wildcard:
To search for IP addresses starting with 192.168.:
source_ip: "192.168.*"
5. Applying the Search
You can enter the syntax described above into the dashboard's search field to filter for specific incidents. Using AND connects multiple filter criteria, so the search only returns results that meet all conditions.
6. Exclusion of Results in the NxtFireGuard Dashboard Search Syntax
Sometimes you want to exclude certain results from your search to focus on other threats or events. This section shows how to use the NOT operator to exclude specific entries.
7. Example of an Exclusion Search
Here's an example of a search query that excludes specific IP addresses, country codes, ports, domains, and threats:
NOT source_ip: "203.0.113.45"
AND NOT countrycode: "US"
AND NOT target_ip: "192.168.10.50"
AND NOT target_port: "443"
AND NOT threat_name: "SERVER-WEBAPP TP-Link Archer Router command injection attempt, A System Call was Detected"
AND NOT domain: "example.org"
AND NOT criticality: 2
8. Wildcard Search with the * Operator for Exclusions
The * operator can also be used to exclude multiple entries. It acts as a placeholder for any arbitrary value:
Exclude domains:
To exclude all domains ending with example.org:
NOT domain: "*.example.org"
Exclude IPs:
To exclude all IP addresses starting with 192.168.:
NOT source_ip: "192.168.*"
Excluding multiple criteria:
You can exclude multiple values for a field. For example:
NOT source_ip: ("203.0.113.45" OR "198.51.100.23")
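As an added worked example (not part of the NxtFireGuard product or of this guide), the following Python evaluator applies the query syntax of sections 2 through 8 (field: value clauses joined with AND, NOT exclusions, * wildcards and ("a" OR "b") groups) to a few constructed events, which lets you check what a query should return before entering it into the dashboard. The sample events, the glob interpretation of * and the text comparison of values are assumptions of this example, not documented dashboard behaviour.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events (not real NxtFireGuard data); field names follow section 3.
EVENTS = [
    {"source_ip": "203.0.113.45", "target_ip": "192.168.10.5", "target_port": "443",
     "domain": "example.org", "countrycode": "US", "criticality": 3, "istor": False},
    {"source_ip": "198.51.100.23", "target_ip": "192.168.10.50", "target_port": "80",
     "domain": "mail.example.org", "countrycode": "CA", "criticality": 5, "istor": True},
    {"source_ip": "192.168.1.20", "target_ip": "172.16.0.9", "target_port": "22",
     "domain": "other.net", "countrycode": "DE", "criticality": 2, "istor": False},
]

# One clause: optional NOT, a field name, a colon, then a quoted string, a bare token
# (number or boolean) or a parenthesised OR-group. AND between clauses is implicit.
CLAUSE = re.compile(r'(NOT\s+)?(\w+)\s*:\s*(\([^)]*\)|"[^"]*"|\S+)')
VALUE = re.compile(r'"([^"]*)"|(\S+)')

def _parse_values(raw):
    """Literal values of a clause: '"a"' -> ['a'], '3' -> ['3'], '("a" OR "b")' -> ['a', 'b']."""
    inner = raw[1:-1] if raw.startswith("(") else raw
    return [q or bare for q, bare in VALUE.findall(inner) if bare != "OR"]

def _as_text(value):
    """Compare everything as text (assumption); booleans are lower-cased so 'istor: true' matches True."""
    return str(value).lower() if isinstance(value, bool) else str(value)

def parse_query(query):
    """Turn the dashboard query text into a list of (negated, field, values) clauses."""
    return [(bool(neg), field, _parse_values(raw)) for neg, field, raw in CLAUSE.findall(query)]

def matches(event, query):
    """True when the event satisfies every clause. '*' in a value is treated as a glob
    wildcard, so "192.168.*" matches that address range and "*.example.org" any subdomain."""
    for negated, field, values in parse_query(query):
        hit = any(fnmatchcase(_as_text(event.get(field, "")), v) for v in values)
        if hit == negated:  # a positive clause that missed, or a NOT clause that hit
            return False
    return True

def search(events, query):
    """Return the events that satisfy the query, in their original order."""
    return [e for e in events if matches(e, query)]

if __name__ == "__main__":
    print(search(EVENTS, 'NOT source_ip: ("203.0.113.45" OR "198.51.100.23") AND NOT countrycode: "US"'))
```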