Display Firewall Events

Monitor firewall events and associated data in table

This is a query example for the Firewall Events widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

Query flow: Events -> Filter -> Filter -> Function -> Result Set

*
| metadata.eventType=FirewallMatchEvent
| select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.HostName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])

Introduction

This widget displays a table of firewall events across the network infrastructure, with one row per event and columns for the host system, device identifier, executed command and the network connection involved.

The query filters the stream down to firewall match events and then uses the select() function to keep only the security-relevant fields, so the widget shows a focused tabular view of each event rather than the full parsed record.

Example incoming data might look like this. Each event carries @timestamp and the JSON in @rawstring, which LogScale parses into the metadata.* and event.* fields the query filters on. The first event's @rawstring is not valid JSON (the CommandLine value contains unescaped double quotes), so it is ingested with @error=true and the message "Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON | No field named metadata.eventCreationTime to use when parsing timestamp"; it has no event.* fields and does not appear in the widget's output:

@timestamp: 2026-01-14T11:23:10 (@error=true, see message above)
@rawstring: {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295","customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB01","SensorId":"b2c3d4e5f6g7h8i9j0k1","DeviceId" : "c3d4e5f6g7h8i9j0k1l2", "CommandLine" : "/usr/bin/grep -i "error" /var/log/syslog", "ImageFileName" : "/usr/bin/grep"}}

@timestamp: 2026-01-14T11:23:10
@rawstring: {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391", "customerIDString":"d4e5f6g7h8i9j0k1l2m3" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-APP02","UserName":"adamsb","SensorId":"e5f6g7h8i9j0k1l2m3n4","LocalIP":"192.168.3.211","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}}

@timestamp: 2026-01-14T11:23:11
@rawstring: {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389791164","customerIDString":"f6g7h8i9j0k1l2m3n4o5" }, "event":{"RuleId":"3", "LocalAddress":"192.168.1.54","RemoteAddress":"192.168.4.198","HostName":"PROD-DB01","SensorId":"g7h8i9j0k1l2m3n4o5p6","DeviceId" : "h8i9j0k1l2m3n4o5p6q7", "CommandLine" : "/usr/sbin/useradd -m -s /bin/bash jdoe", "ImageFileName" : "/usr/sbin/useradd"}}

@timestamp: 2026-01-14T11:23:11
@rawstring: {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768389791929", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-FILE01","UserName":"andersonk","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.2.16","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}}

@timestamp: 2026-01-14T11:23:12
@rawstring: {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389792721","customerIDString":"k1l2m3n4o5p6q7r8s9t0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.0.234","RemoteAddress":"192.168.3.45","HostName":"PROD-SQL01","SensorId":"l2m3n4o5p6q7r8s9t0u1","DeviceId" : "m3n4o5p6q7r8s9t0u1v2", "CommandLine" : "/bin/ls -lah /home/user", "ImageFileName" : "/bin/ls"}}

Step-by-Step

  1. Starting with the source repository events.

  2. Query flow: Events -> Filter (this step) -> Filter -> Function -> Result Set

    *

    Matches all events in the data stream.

  3. Query flow: Events -> Filter -> Filter (this step) -> Function -> Result Set

    | metadata.eventType=FirewallMatchEvent

    Filters events to include only those where metadata.eventType equals FirewallMatchEvent, creating the initial data set for the table.

  4. Query flow: Events -> Filter -> Filter -> Function (this step) -> Result Set

    | select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.HostName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])

    Uses the select() function to create table columns with these specific fields:

    • Host identification (event.HostName, event.DeviceId).

    • Event details (event.EventType, event.PolicyName, event.RuleName).

    • Command execution information (event.CommandLine, event.ImageFileName).

    • Network addressing (event.LocalAddress, event.RemoteAddress).

  5. Event Result set.
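As an added illustration (not code from the siem-connector package or LogScale itself), the following Python script emulates the query's filter and select() stages over the five sample events above, using Python's json module in place of LogScale's parser. It shows why the PROD-WEB01 event never reaches the table: its @rawstring fails to parse, so it has no metadata.eventType to match. The field list and sample events are copied from this page; the deduplication of the repeated event.HostName column is an assumption of this emulation.

```python
import json

# Constructed sample: the five @rawstring values from the incoming-data example.
# The first one is not valid JSON (unescaped quotes inside the CommandLine value).
RAW_EVENTS = [
    '{"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295","customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB01","SensorId":"b2c3d4e5f6g7h8i9j0k1","DeviceId" : "c3d4e5f6g7h8i9j0k1l2", "CommandLine" : "/usr/bin/grep -i "error" /var/log/syslog", "ImageFileName" : "/usr/bin/grep"}}',
    '{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391", "customerIDString":"d4e5f6g7h8i9j0k1l2m3" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-APP02","UserName":"adamsb","SensorId":"e5f6g7h8i9j0k1l2m3n4","LocalIP":"192.168.3.211","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}}',
    '{"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389791164","customerIDString":"f6g7h8i9j0k1l2m3n4o5" }, "event":{"RuleId":"3", "LocalAddress":"192.168.1.54","RemoteAddress":"192.168.4.198","HostName":"PROD-DB01","SensorId":"g7h8i9j0k1l2m3n4o5p6","DeviceId" : "h8i9j0k1l2m3n4o5p6q7", "CommandLine" : "/usr/sbin/useradd -m -s /bin/bash jdoe", "ImageFileName" : "/usr/sbin/useradd"}}',
    '{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768389791929", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-FILE01","UserName":"andersonk","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.2.16","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}}',
    '{"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389792721","customerIDString":"k1l2m3n4o5p6q7r8s9t0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.0.234","RemoteAddress":"192.168.3.45","HostName":"PROD-SQL01","SensorId":"l2m3n4o5p6q7r8s9t0u1","DeviceId" : "m3n4o5p6q7r8s9t0u1v2", "CommandLine" : "/bin/ls -lah /home/user", "ImageFileName" : "/bin/ls"}}',
]

# Field list exactly as written in the widget query (event.HostName appears twice).
SELECT_FIELDS = ["event.HostName", "event.DeviceId", "event.EventType", "event.PolicyName",
                 "event.RuleName", "event.HostName", "event.CommandLine", "event.ImageFileName",
                 "event.LocalAddress", "event.RemoteAddress"]


def flatten(obj, prefix=""):
    """Turn nested JSON into LogScale-style dotted field names, e.g. event.HostName."""
    fields = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            fields.update(flatten(value, name + "."))
        else:
            fields[name] = value
    return fields


def parse_events(raw_events):
    """Parse each @rawstring; unparseable ones are collected as errors (LogScale sets @error=true)."""
    events, errors = [], []
    for raw in raw_events:
        try:
            events.append(flatten(json.loads(raw)))
        except json.JSONDecodeError as exc:
            errors.append((raw, f"Could not parse JSON: {exc}"))
    return events, errors


def firewall_events_table(raw_events):
    """Emulate: * | metadata.eventType=FirewallMatchEvent | select([...]); returns (rows, errors)."""
    events, errors = parse_events(raw_events)
    matched = [e for e in events if e.get("metadata.eventType") == "FirewallMatchEvent"]
    columns = list(dict.fromkeys(SELECT_FIELDS))  # assumption: repeated field yields one column
    rows = [{c: e[c] for c in columns if c in e} for e in matched]  # absent fields produce no cell
    return rows, errors


if __name__ == "__main__":
    rows, errors = firewall_events_table(RAW_EVENTS)
    print(f"{len(errors)} event(s) dropped at parse time; {len(rows)} firewall row(s): {rows}")
```

Running it yields two rows (PROD-DB01 and PROD-SQL01) and one parse error; a defender reviewing this dashboard should treat a non-zero @error count as missing coverage, not as an absence of firewall activity.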

Summary and Results

The widget is used to display a detailed table that monitors and analyzes firewall events across the network infrastructure. Each row in the table represents a distinct firewall event, with columns providing specific details about the event.

This table widget is useful to:

  • track command execution activity on different hosts,

  • monitor network connections between systems,

  • identify potential security policy violations, and

  • audit system administration activity.

Sample output from the incoming example data:

event.CommandLine                                        event.DeviceId        event.HostName  event.ImageFileName  event.LocalAddress  event.RemoteAddress
/usr/sbin/useradd -m -s /bin/bash jdoe                   h8i9j0k1l2m3n4o5p6q7  PROD-DB01       /usr/sbin/useradd    192.168.1.54        192.168.4.198
/bin/ls -lah /home/user                                  m3n4o5p6q7r8s9t0u1v2  PROD-SQL01      /bin/ls              192.168.0.234       192.168.3.45
/sbin/ifconfig eth0 192.168.1.100 netmask 255.255.255.0  e5f6g7h8i9j0k1l2m3n4  DEV-TEST01      /sbin/ifconfig       192.168.3.129       192.168.1.23
/usr/bin/top -u apache                                   o5p6q7r8s9t0u1v2w3x4  NYC-SRV01       /usr/bin/top         192.168.2.78        192.168.0.156
/bin/ps aux | grep nginx                                 f6g7h8i9j0k1l2m3n4o5  TYO-SRV01       /bin/ps              192.168.1.212       192.168.4.34

The table output provides a clear overview of system commands being executed, including the specific binaries used and the network connections involved in each event. Each row represents a distinct firewall event with its associated details organized in columns.

Example of a Firewall Events widget