Monitor intranet traffic to dangerous websites
In this guided tutorial, you will generate a Graph diagram from firewall log data in order to visualize and analyze accesses to dangerous sites from within your company's Intranet.
There are two phases, explained below: building and enhancing the query, and generating the Graph diagram from its results.
This video takes you through the same tutorial if you want a quick overview of the process.
Build and enhance the query
- Go to Data Search and open the firewall.paloalto.traffic data table.
- First we'll filter the data to show only the events associated with the firewall whose traffic we want to analyze. Select Filter in the toolbar, then select the Equal operation. Add the Serial column and 012001000758 as arguments, then click the Filter Data button. Remember that you have to click the pencil icon to enter the Serial value as free text.
- Now we'll apply a filter to show only destination IP addresses that are public. Select Filter in the toolbar, then select the Is Public IPv4 operation. Add the dstIp column as the argument, then click the Filter Data button.
- In order to enhance the geographic information for the events (so that later we can view sites on a map), we'll use a built-in operation that returns the geographic coordinates based on the destination IP address. Select Create Column in the toolbar, then select Geolocated Coordinates (mmcoordinates) as the operation. Select the dstIp column as the argument and name the column dstServerCoordinates. Click the Create Column button.
- Now we'll use another built-in operation that uses an internal lookup table that lists IP addresses that are known threats along with the type of threat they pose. Select Create Column in the toolbar, then select Search Threat-Malware-by-IP for threat as the operation. Select the dstIp column as the argument and name the column Threat. Click the Create Column button.
- The newly created Threat column reports null for any IP address not identified as a threat. Since we only want to analyze accesses to dangerous sites, let's filter those events out of our query. Select Filter in the toolbar, then select Is not null as the operation. Add the Threat column as argument, then click the Filter Data button.
- Even though Intranets usually assign dynamic IP addresses, for the purposes of this example we're going to assume the source IP addresses are fixed. Therefore, we have created a custom operation that uses a lookup table linking each source IP address to the employee who uses it. (In a real deployment with DHCP, an IP-only lookup can attribute traffic to the wrong person once a lease changes hands, so you would key the lookup on time as well or correlate with DHCP or authentication logs.) Select Create Column in the toolbar, then under Operation click custom or all and select the Full Name custom lookup as the operation. Select the srcIp column as the argument and name the new column UserName.
- Now that we have generated new columns of data and applied the relevant filters, we can group the data by time and choose the most relevant fields to use in our graph. Select Group in the toolbar and select 1 hour as the grouping period. Now add UserName, dstIp, dstServerCoordinates, Threat and dstCountry as the arguments. Click the Group By button.
- We want to include a couple of calculated metrics in our graph: the number of connections in each time period, and the average number of bytes per connection. Select Aggregation in the toolbar, select Count as the Aggregation and name the new column count. Select Aggregation in the toolbar again, this time select Average as the Aggregation, use the column holding the bytes transferred per connection as the argument, and name the new column bytes.
- At this point, confirm that your data table looks like this. If it does, we can proceed to generate the Graph diagram.
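The same filter, enrich, group and aggregate pipeline from the steps above, reproduced in plain Python over a handful of constructed Palo Alto traffic records so the logic can be checked offline. This is an added example, not Devo's own code or query language: the threat table, the srcIp-to-employee table, the firewall serial and the sample events are all constructed for illustration, and the geolocation step (mmcoordinates) is left out because it needs an IP geolocation database.

```python
"""Added example (not part of the Devo tutorial): the enrichment-and-aggregation
pipeline built in the tutorial, over constructed sample records."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed lookup tables standing in for Devo's built-in threat lookup and
# the tutorial's custom "Full Name" lookup (assumed values, for illustration).
THREAT_BY_IP = {
    "203.0.113.10": "malware",
    "198.51.100.7": "phishing",
}
USER_BY_SRC_IP = {
    "10.1.2.3": "Alice Example",
    "10.1.2.4": "Bob Example",
}
FIREWALL_SERIAL = "012001000758"  # the serial the tutorial filters on

# Constructed sample events: (eventdate, serial, srcIp, dstIp, dstCountry, bytes)
SAMPLE_EVENTS = [
    ("2024-05-01T10:05:00Z", "012001000758", "10.1.2.3", "203.0.113.10", "XX", 1200),
    ("2024-05-01T10:40:00Z", "012001000758", "10.1.2.3", "203.0.113.10", "XX", 800),
    ("2024-05-01T10:50:00Z", "012001000758", "10.1.2.4", "198.51.100.7", "YY", 3000),
    ("2024-05-01T11:10:00Z", "012001000758", "10.1.2.4", "198.51.100.7", "YY", 1000),
    ("2024-05-01T10:15:00Z", "012001000758", "10.1.2.3", "10.9.9.9", "", 500),      # private dst: dropped
    ("2024-05-01T10:20:00Z", "012001000758", "10.1.2.4", "8.8.8.8", "US", 64),       # public, no threat: dropped
    ("2024-05-01T10:25:00Z", "999999999999", "10.1.2.3", "203.0.113.10", "XX", 99),  # other firewall: dropped
]

# Ranges we do not consider public: "this" network, RFC 1918, CGNAT, loopback,
# link-local, multicast and reserved. RFC 5737 documentation ranges such as
# 203.0.113.0/24 are deliberately treated as public here so the constructed sample
# can use them; note that ipaddress's own is_global would reject them.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_public_ipv4(value):
    """True for a well-formed IPv4 address outside the NON_PUBLIC_V4 ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False          # malformed field: treat as not public rather than crash
    if ip.version != 4:
        return False          # the tutorial's filter is IPv4-only
    return not any(ip in net for net in NON_PUBLIC_V4)


def hour_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp to the hour (the 1-hour grouping period)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)


def analyze(events, serial=FIREWALL_SERIAL):
    """Apply the tutorial's filters and enrichments, then group by hour and
    (UserName, dstIp, Threat, dstCountry), returning count and average bytes."""
    groups = defaultdict(list)
    for ts, ev_serial, src, dst, country, nbytes in events:
        if ev_serial != serial:          # step 1: only the firewall of interest
            continue
        if not is_public_ipv4(dst):      # step 2: public destinations only
            continue
        threat = THREAT_BY_IP.get(dst)   # step 4: threat lookup (None when unknown)
        if threat is None:               # step 5: keep only known-dangerous destinations
            continue
        user = USER_BY_SRC_IP.get(src)   # step 6: srcIp -> employee (None if unmapped)
        groups[(hour_bucket(ts), user, dst, threat, country)].append(nbytes)

    rows = []
    for key, sizes in sorted(groups.items(), key=lambda kv: (kv[0][0], kv[0][1] or "", kv[0][2:])):
        rows.append({
            "eventdate": key[0], "UserName": key[1], "dstIp": key[2],
            "Threat": key[3], "dstCountry": key[4],
            "count": len(sizes),                 # connections in the hour
            "bytes": sum(sizes) / len(sizes),    # average bytes per connection
        })
    return rows


if __name__ == "__main__":
    for row in analyze(SAMPLE_EVENTS):
        print(row)
```

Running it yields one row per (hour, user, destination, threat) combination, which is exactly the table the Graph diagram consumes: UserName, dstIp and Threat become nodes, count and bytes become the edge metrics. The explicit range list in is_public_ipv4 is there to show that "public IP" is a definition you choose, not a fixed fact; check what your platform's Is Public IPv4 operation excludes before relying on it.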
Generate the Graph diagram
- From the toolbar, select Additional tools → Charts → Diagrams → Graph diagram. This opens the graph builder. Drag the UserName, dstIp and Threat column headers to the builder canvas. Then drag the count and bytes column headers to the metrics placeholder.
- Drag the dstServerCoordinates and dstCountry column headers as nodes of dstIp to geolocate the servers in the map.
- Let's customize the colors and icons of the elements in the graph. To do this, select the element's node type, then make your changes in the properties bar that appears in the builder. For example, let's make the UserName node use a person icon and appear in blue. Select the settings icon above the UserName node, set the Icon to user_profile_avatar_man_male2 and choose blue as the color. The changes appear automatically.
- Now we're ready to view the diagram. Click Apply. On the left you have a panel of settings and filters that you can use to customize the Graph diagram.
For more details on how to use the settings to view the information in different ways, see Graph diagram menu. The video above also demonstrates some of the available settings, such as plotting the nodes and connections on a world map.