Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-7
Search for Blocked Traffic by Source IP:
- Query: Identify blocked traffic originating from a specific source IP address.
sqlSELECT * FROM firewall_logs WHERE action = 'deny' AND src_ip = 'xxx.xxx.xxx.xxx';
Search for Allowed Traffic to a Specific Destination Port:
- Query: Look for allowed traffic directed to a specific destination port.
sqlSELECT * FROM firewall_logs WHERE action = 'accept' AND dst_port = <port_number>;
Search for Denied Traffic from a Specific Country:
- Query: Identify denied traffic originating from a specific country.
sqlSELECT * FROM firewall_logs WHERE action = 'deny' AND src_country = 'CountryCode';
Search for Traffic Blocked by Intrusion Prevention System (IPS):
- Query: Look for traffic blocked by the IPS module.
sqlSELECT * FROM firewall_logs WHERE action = 'deny' AND log_subtype = 'intrusion prevention';
Search for Traffic Blocked by Web Filter:
- Query: Identify traffic blocked by the web filter module.
sqlSELECT * FROM firewall_logs WHERE action = 'deny' AND log_subtype = 'webfilter';
Search for Denied Traffic due to Antivirus Detection:
- Query: Look for traffic denied due to antivirus detection.
sqlSELECT * FROM firewall_logs WHERE action = 'deny' AND log_subtype = 'av';
Search for VPN Connection Establishment Logs:
- Query: Identify logs related to VPN connection establishment.
sqlSELECT * FROM firewall_logs WHERE log_subtype = 'vpn' AND event_type = 'ipsec';
Search for Traffic Matching a Specific Firewall Policy:
- Query: Look for traffic that matches a specific firewall policy.
sqlSELECT * FROM firewall_logs WHERE policy_id = '<policy_id>';
Search for Traffic with a High Risk Rating:
- Query: Identify traffic with a high risk rating based on FortiGuard threat intelligence.
sqlSELECT * FROM firewall_logs WHERE risk_rating >= <threshold>;
Search for Traffic Matching a Specific Application Control Rule:
- Query: Look for traffic that matches a specific application control rule.
sqlSELECT * FROM firewall_logs WHERE app_control_rule = '<rule_name>';
These queries allow you to analyze FortiGate firewall logs for various security events and traffic patterns, helping you monitor network activity, detect threats, and troubleshoot issues effectively. Adjust the parameters and conditions in each query as needed to match your specific use cases and requirements.
Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-6
Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-8
Post a Comment