Blocked Requests - Outbound

Monitor outbound network requests blocked by firewall

This is a query example for the Blocked Requests - Outbound widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

Query pipeline: Events -> Filter -> Filter -> Function -> Result Set
logscale
*
| metadata.eventType=FirewallMatchEvent event.RuleId=1
| count()

Introduction

This widget is used to track and count outbound network requests that have been blocked by the firewall based on specific rule criteria.

In this widget, the count() function is used to calculate the total number of blocked outbound requests identified by specific firewall rules.

Example incoming data might look like this. Each event carries the fields @timestamp, #error, #repo, #type, @error, @error_msg, @error_msg[0], @error_msg[1], @event_parsed, @id, @ingesttimestamp, @rawstring, @timestamp.nanos, @timezone, event.CommandLine, event.ComputerName, event.DetectDescription, event.DetectName, event.DeviceId, event.HostName, event.ImageFileName, event.LocalAddress, event.LocalIP, event.Objective, event.RemoteAddress, event.RuleId, event.SensorId, event.SeverityName, event.Tactic, event.Technique, event.UserName, metadata.customerIDString, metadata.eventCreationTime and metadata.eventType. All rows have #repo=auto-dashboard-queries, #type=siem-connector and @timezone=Z. Rows 2 to 5 parsed successfully, so their event.* and metadata.* columns hold the values taken from @rawstring; row 1 did not parse, so those columns are empty for it.

Row 1: @timestamp=2026-01-14T11:23:10, @ingesttimestamp=2026-01-14T11:23:10, @id=rfVIA55U9jSH8zSzmRYJIeBx_0_22_1768389790, #error=true, @error=true, @event_parsed=false
@error_msg[0]: Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON
@error_msg[1]: No field named metadata.eventCreationTime to use when parsing timestamp
@rawstring: {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295","customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB01","SensorId":"b2c3d4e5f6g7h8i9j0k1","DeviceId" : "c3d4e5f6g7h8i9j0k1l2", "CommandLine" : "/usr/bin/grep -i "error" /var/log/syslog", "ImageFileName" : "/usr/bin/grep"}}

Row 2: @timestamp=2026-01-14T11:23:10, @ingesttimestamp=2026-01-14T11:23:11, @id=QTsJCoPniAANCCdKBxWdooCq_4_258_1768389790, @event_parsed=true
@rawstring: {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391", "customerIDString":"d4e5f6g7h8i9j0k1l2m3" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-APP02","UserName":"adamsb","SensorId":"e5f6g7h8i9j0k1l2m3n4","LocalIP":"192.168.3.211","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}}

Row 3: @timestamp=2026-01-14T11:23:11, @ingesttimestamp=2026-01-14T11:23:11, @id=QTsJCoPniAANCCdKBxWdooCq_4_259_1768389791, @event_parsed=true
@rawstring: {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389791164","customerIDString":"f6g7h8i9j0k1l2m3n4o5" }, "event":{"RuleId":"3", "LocalAddress":"192.168.1.54","RemoteAddress":"192.168.4.198","HostName":"PROD-DB01","SensorId":"g7h8i9j0k1l2m3n4o5p6","DeviceId" : "h8i9j0k1l2m3n4o5p6q7", "CommandLine" : "/usr/sbin/useradd -m -s /bin/bash jdoe", "ImageFileName" : "/usr/sbin/useradd"}}

Row 4: @timestamp=2026-01-14T11:23:11, @ingesttimestamp=2026-01-14T11:23:12, @id=QTsJCoPniAANCCdKBxWdooCq_4_260_1768389791, @event_parsed=true
@rawstring: {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768389791929", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-FILE01","UserName":"andersonk","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.2.16","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}}

Row 5: @timestamp=2026-01-14T11:23:12, @ingesttimestamp=2026-01-14T11:23:13, @id=QTsJCoPniAANCCdKBxWdooCq_4_261_1768389792, @event_parsed=true
@rawstring: {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389792721","customerIDString":"k1l2m3n4o5p6q7r8s9t0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.0.234","RemoteAddress":"192.168.3.45","HostName":"PROD-SQL01","SensorId":"l2m3n4o5p6q7r8s9t0u1","DeviceId" : "m3n4o5p6q7r8s9t0u1v2", "CommandLine" : "/bin/ls -lah /home/user", "ImageFileName" : "/bin/ls"}}

Step-by-Step

  1. Starting with the source repository events.

  2. Pipeline stage: Events -> [Filter] -> Filter -> Function -> Result Set
    logscale
    *

    Selects all events from the data stream for processing.

  3. Pipeline stage: Events -> Filter -> [Filter] -> Function -> Result Set
    logscale
    | metadata.eventType=FirewallMatchEvent event.RuleId=1

    Filters the events to include only those where metadata.eventType equals FirewallMatchEvent and event.RuleId equals 1, which identifies blocked outbound requests.

  4. Pipeline stage: Events -> Filter -> Filter -> [Function] -> Result Set
    logscale
    | count()

    The count() function returns the total number of matching events in the _count field. This provides the total number of blocked outbound requests during the selected time period.

  5. Event Result set.
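An added reference implementation of the pipeline above in Python (example code, not part of the siem-connector package), run over events constructed from the page's sample rows. It also shows the edge case visible in the first sample row: an @rawstring that fails JSON parsing gets no metadata.* or event.* fields, so it never matches the filter and is silently left out of _count; the helper therefore reports unparsed events alongside the count.

```python
import json

# Constructed sample events modelled on the page's incoming data: each string is
# one @rawstring as delivered by the SIEM connector. The first one reproduces the
# page's malformed row (unescaped quotes inside CommandLine), so it fails JSON
# parsing exactly like the row marked #error=true / @event_parsed=false.
RAW_EVENTS = [
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295"},'
    ' "event":{"RuleId":"1","LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87",'
    ' "HostName":"PROD-WEB01","CommandLine":"/usr/bin/grep -i "error" /var/log/syslog"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391"},'
    ' "event":{"SeverityName":"Medium","DetectName":"Suspicious PowerShell Command Line"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389791164"},'
    ' "event":{"RuleId":"3","LocalAddress":"192.168.1.54","RemoteAddress":"192.168.4.198"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389792721"},'
    ' "event":{"RuleId":"1","LocalAddress":"192.168.0.234","RemoteAddress":"192.168.3.45"}}',
]


def parse_event(raw):
    """Mimic ingest: flatten the @rawstring JSON into dotted field names.

    A parse failure leaves no metadata.* or event.* fields at all (only
    @event_parsed=false), so such an event can never match a field filter.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return {"@rawstring": raw, "@event_parsed": False}
    fields = {"@rawstring": raw, "@event_parsed": True}
    for section in ("metadata", "event"):
        for key, value in doc.get(section, {}).items():
            fields[f"{section}.{key}"] = str(value)
    return fields


def blocked_outbound(events, rule_id="1"):
    """Equivalent of `metadata.eventType=FirewallMatchEvent event.RuleId=<rule_id>`."""
    return [e for e in events
            if e.get("metadata.eventType") == "FirewallMatchEvent"
            and e.get("event.RuleId") == rule_id]


def count_blocked_outbound(raw_events, rule_id="1"):
    """Equivalent of `| count()`; _unparsed flags events a broken feed dropped."""
    parsed = [parse_event(r) for r in raw_events]
    unparsed = sum(1 for e in parsed if not e["@event_parsed"])
    return {"_count": len(blocked_outbound(parsed, rule_id)), "_unparsed": unparsed}
```

Of the three FirewallMatchEvent rows only one is counted for Rule ID 1: the second carries RuleId 3 and the first never parsed, which is the kind of silent loss worth alerting on separately from the widget's count.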

Summary and Results

The widget is used to quantify the number of outbound network requests that have been blocked by the firewall based on Rule ID 1.

This widget is useful to monitor potential security policy violations, identify unusual spikes in blocked traffic, and assess the effectiveness of outbound firewall rules.

Sample output from the incoming example data:

_count
20

Note that the count represents all blocked outbound requests that matched the specified firewall rule criteria during the query time range.

Example of a Blocked Requests - Outbound widget