Outbound Blocked Requests

Visualize firewall blocked connections flow

This is a query example for the Outbound Blocked Requests widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

Query flow: Events -> Filter -> Filter -> Filter -> Function -> Result Set
*
| metadata.eventType=FirewallMatchEvent
| event.RuleId = 1
| sankey(source="event.LocalAddress",target="event.RemoteAddress")

Introduction

This widget is used to visualize the flow of blocked firewall requests between local and remote addresses using a Sankey diagram, providing a clear representation of network traffic patterns.

In this widget, the sankey() function is used to create a flow diagram showing the relationship between source and target IP addresses from firewall events.

Example incoming data might look like this:

Each row below is shown as its @rawstring (the JSON body forwarded by the SIEM connector) together with its @timestamp, @id and parse status; the event.* and metadata.* columns in the widget are the fields LogScale extracts from that JSON. The first record contains unescaped double quotes inside event.CommandLine, so JSON parsing fails (#error=true, @error_msg "Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON | No field named metadata.eventCreationTime to use when parsing timestamp"). No event.* or metadata.* fields are extracted from it, so it can never match the metadata.eventType filter even though its RuleId is 1.

@timestamp 2026-01-14T11:23:10, @id rfVIA55U9jSH8zSzmRYJIeBx_0_22_1768389790, #error true, @event_parsed false
{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295","customerIDString":"a1b2c3d4e5f6g7h8i9j0"},"event":{"RuleId":"1","LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB01","SensorId":"b2c3d4e5f6g7h8i9j0k1","DeviceId":"c3d4e5f6g7h8i9j0k1l2","CommandLine":"/usr/bin/grep -i "error" /var/log/syslog","ImageFileName":"/usr/bin/grep"}}

@timestamp 2026-01-14T11:23:10, @id QTsJCoPniAANCCdKBxWdooCq_4_258_1768389790, parsed
{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391","customerIDString":"d4e5f6g7h8i9j0k1l2m3"},"event":{"SeverityName":"Medium","DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-APP02","UserName":"adamsb","SensorId":"e5f6g7h8i9j0k1l2m3n4","LocalIP":"192.168.3.211","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}}

@timestamp 2026-01-14T11:23:11, @id QTsJCoPniAANCCdKBxWdooCq_4_259_1768389791, parsed
{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389791164","customerIDString":"f6g7h8i9j0k1l2m3n4o5"},"event":{"RuleId":"3","LocalAddress":"192.168.1.54","RemoteAddress":"192.168.4.198","HostName":"PROD-DB01","SensorId":"g7h8i9j0k1l2m3n4o5p6","DeviceId":"h8i9j0k1l2m3n4o5p6q7","CommandLine":"/usr/sbin/useradd -m -s /bin/bash jdoe","ImageFileName":"/usr/sbin/useradd"}}

@timestamp 2026-01-14T11:23:11, @id QTsJCoPniAANCCdKBxWdooCq_4_260_1768389791, parsed
{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":"1768389791929","customerIDString":"i9j0k1l2m3n4o5p6q7r8"},"event":{"SeverityName":"Low","DetectName":"Suspicious Registry Modification","ComputerName":"PROD-FILE01","UserName":"andersonk","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.2.16","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}}

@timestamp 2026-01-14T11:23:12, @id QTsJCoPniAANCCdKBxWdooCq_4_261_1768389792, parsed
{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389792721","customerIDString":"k1l2m3n4o5p6q7r8s9t0"},"event":{"RuleId":"1","LocalAddress":"192.168.0.234","RemoteAddress":"192.168.3.45","HostName":"PROD-SQL01","SensorId":"l2m3n4o5p6q7r8s9t0u1","DeviceId":"m3n4o5p6q7r8s9t0u1v2","CommandLine":"/bin/ls -lah /home/user","ImageFileName":"/bin/ls"}}

Step-by-Step

  1. Starting with the source repository events.

  2. Filter (first step of the flow):
    *

    Matches all events in the data stream.

  3. Filter (second step of the flow):
    | metadata.eventType=FirewallMatchEvent

    Filters events to include only those where metadata.eventType equals FirewallMatchEvent.

  4. Filter (third step of the flow):
    | event.RuleId = 1

    Further filters the results to include only events where event.RuleId equals 1. The query assumes rule 1 is the rule that blocks outbound traffic; nothing else in the event identifies a block, so check that this RuleId matches the blocking rule in your firewall policy before relying on the widget.

  5. Function (fourth step of the flow):
    | sankey(source="event.LocalAddress",target="event.RemoteAddress")

    Creates a Sankey diagram visualization where the source nodes are defined by event.LocalAddress and the target nodes are defined by event.RemoteAddress.

    The width of the flows represents the frequency of connections between each source-target pair.

  6. Event Result set.
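The same pipeline, reproduced in Python over constructed sample records so the filtering and the weight aggregation can be checked offline. This is an added example, not code from the siem-connector package or from LogScale; it assumes the @rawstring JSON shape shown above and includes a deliberately unparseable record (unescaped quotes inside CommandLine) to show that such events drop out before the eventType filter, exactly as the #error=true row does.

```python
import json
from collections import Counter

# Constructed sample records in the shape of the @rawstring column.
# Record 0 has unescaped double quotes inside CommandLine and is not valid JSON;
# records 4 and 5 are constructed duplicates/variants so that one pair gets weight 2.
RAW_EVENTS = [
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295"},'
    '"event":{"RuleId":"1","LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87",'
    '"CommandLine":"/usr/bin/grep -i "error" /var/log/syslog"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391"},'
    '"event":{"SeverityName":"Medium","LocalIP":"192.168.3.211","Tactic":"Execution"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389791164"},'
    '"event":{"RuleId":"3","LocalAddress":"192.168.1.54","RemoteAddress":"192.168.4.198"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389792721"},'
    '"event":{"RuleId":"1","LocalAddress":"192.168.0.234","RemoteAddress":"192.168.3.45"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389793001"},'
    '"event":{"RuleId":"1","LocalAddress":"192.168.0.234","RemoteAddress":"192.168.3.45"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389793500"},'
    '"event":{"RuleId":"1","LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87"}}',
]


def parse_event(raw):
    """Return the decoded event, or None when @rawstring is not valid JSON
    (LogScale flags such rows with #error=true and extracts no fields)."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def count_unparseable(raw_events):
    """Number of records that would carry #error=true and never reach the filters."""
    return sum(1 for raw in raw_events if parse_event(raw) is None)


def blocked_flows(raw_events, rule_id="1"):
    """Equivalent of:
         metadata.eventType=FirewallMatchEvent | event.RuleId = <rule_id>
         | sankey(source="event.LocalAddress", target="event.RemoteAddress")
    Returns one row per (source, target) pair; weight is the number of matching events."""
    weights = Counter()
    for raw in raw_events:
        ev = parse_event(raw)
        if ev is None:
            continue  # unparseable: no metadata.* fields, so the eventType filter fails
        if ev.get("metadata", {}).get("eventType") != "FirewallMatchEvent":
            continue
        e = ev.get("event", {})
        # RuleId is a JSON string in the feed; compare as text, as the LogScale filter does.
        if str(e.get("RuleId")) != str(rule_id):
            continue
        src, dst = e.get("LocalAddress"), e.get("RemoteAddress")
        if not src or not dst:
            continue  # sankey() needs both endpoints to draw a flow
        weights[(src, dst)] += 1
    return [{"source": s, "target": t, "weight": w}
            for (s, t), w in sorted(weights.items())]


if __name__ == "__main__":
    print("unparseable records:", count_unparseable(RAW_EVENTS))
    for row in blocked_flows(RAW_EVENTS):
        print(row)
```

Running it shows that only the RuleId 1 FirewallMatchEvent records contribute, that repeated local-to-remote pairs add up into the weight, and that the broken record is silently absent from the result, which is why a widget that shows fewer blocked flows than expected is worth cross-checking against #error=true rows in the same repository.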

Summary and Results

The widget is used to visualize network traffic patterns in firewall blocked requests. The "outbound" direction is implied only by the ordering of the Sankey nodes (local address as source, remote address as target); the query contains no direction field, so every matching FirewallMatchEvent is drawn as local-to-remote regardless of which side initiated the connection.

This widget is useful to identify common patterns in blocked network connections, detect unusual communication attempts between internal and external addresses, and analyze the distribution of blocked traffic across different network segments.

Sample output (illustrative; the pairs and weights shown here are not all derived from the five example events above):

source         target         weight
192.168.0.234  192.168.3.45   4
192.168.1.212  192.168.4.34   5
192.168.2.143  192.168.0.87   3
192.168.3.129  192.168.1.23   4
192.168.4.167  192.168.2.234  4

Note that the weight value in the output represents the number of connections between each source-target pair, determining the thickness of the flow in the Sankey diagram.

Example of an Outbound Blocked Requests widget