Firewall Activity - Total events

Monitor total firewall event activity

This is a query example for the Firewall Activity - Total events widget in the Firewall Activity dashboard of the crowdstrike/siem-connector package.

Query

Diagram: Events -> Filter -> Filter -> Function -> Result Set

*
| metadata.eventType=FirewallMatchEvent
| count()

Introduction

This widget is used to track and count the total number of firewall events across the system, providing visibility into overall firewall activity.

In this widget, the count() function is used to calculate the total volume of firewall events, helping monitor the overall firewall activity level.

Example incoming data might look like this:

Fields: @timestamp, #error, #repo, #type, @error, @error_msg, @error_msg[0], @error_msg[1], @event_parsed, @id, @ingesttimestamp, @rawstring, @timestamp.nanos, @timezone, event.ComputerName, event.DetectDescription, event.DetectName, event.LocalIP, event.Objective, event.SensorId, event.SeverityName, event.Tactic, event.Technique, event.UserName, metadata.customerIDString, metadata.eventCreationTime, metadata.eventType

Event 1 (fields that are empty for this event are omitted):

  @timestamp: 2026-01-14T11:23:10
  #error: true
  #repo: auto-dashboard-queries
  #type: siem-connector
  @error: true
  @error_msg: Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON | No field named metadata.eventCreationTime to use when parsing timestamp
  @error_msg[0]: Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON
  @error_msg[1]: No field named metadata.eventCreationTime to use when parsing timestamp
  @event_parsed: false
  @id: rfVIA55U9jSH8zSzmRYJIeBx_0_22_1768389790
  @ingesttimestamp: 2026-01-14T11:23:10
  @rawstring: {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295","customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB01","SensorId":"b2c3d4e5f6g7h8i9j0k1","DeviceId" : "c3d4e5f6g7h8i9j0k1l2", "CommandLine" : "/usr/bin/grep -i "error" /var/log/syslog", "ImageFileName" : "/usr/bin/grep"}} 38cbc192813c809d34dfb3b8a7996e7b
  @timestamp.nanos: 0
  @timezone: Z

Event 2 (fields that are empty for this event are omitted):

  @timestamp: 2026-01-14T11:23:10
  #repo: auto-dashboard-queries
  #type: siem-connector
  @id: QTsJCoPniAANCCdKBxWdooCq_4_258_1768389790
  @ingesttimestamp: 2026-01-14T11:23:11
  @rawstring: {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391", "customerIDString":"d4e5f6g7h8i9j0k1l2m3" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-APP02","UserName":"adamsb","SensorId":"e5f6g7h8i9j0k1l2m3n4","LocalIP":"192.168.3.211","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}} 38cbc192813c809d34dfb3b8a7996e7b
  @timestamp.nanos: 0
  @timezone: Z
  event.ComputerName: PROD-APP02
  event.DetectDescription: Detected suspicious PowerShell command execution with encoded arguments
  event.DetectName: Suspicious PowerShell Command Line
  event.LocalIP: 192.168.3.211
  event.Objective: Command and Control
  event.SensorId: e5f6g7h8i9j0k1l2m3n4
  event.SeverityName: Medium
  event.Tactic: Execution
  event.Technique: T1059.001 - PowerShell
  event.UserName: adamsb
  metadata.customerIDString: d4e5f6g7h8i9j0k1l2m3
  metadata.eventCreationTime: 1768389790391
  metadata.eventType: DetectionSummaryEvent

Step-by-Step

  1. Starting with the source repository events.

  2. Diagram: Events -> Filter -> Filter -> Function -> Result Set (first Filter stage highlighted)

    *

    Selects all events from the data stream for processing.

  3. Diagram: Events -> Filter -> Filter -> Function -> Result Set (second Filter stage highlighted)

    | metadata.eventType=FirewallMatchEvent

    Filters the events to include only those where metadata.eventType equals FirewallMatchEvent, capturing all firewall activity.

  4. Diagram: Events -> Filter -> Filter -> Function -> Result Set (Function stage highlighted)

    | count()

    The count() function returns the total number of firewall events in the _count field, providing the overall volume of firewall activity during the selected time period.

  5. Event Result set.
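To see how the three stages behave on records like the example data, here is an added Python emulation of the pipeline; it is not code from the page or from the siem-connector package, and the ingest() helper and the constructed sample records (including the two extra FirewallMatchEvents for PROD-WEB01 and PROD-WEB02) are assumptions for this example. It also surfaces the caveat visible in the first example row: a FirewallMatchEvent whose @rawstring is not valid JSON gets @error=true and no metadata.eventType field, so the widget's filter skips it and _count understates the real firewall volume.

```python
import json

# Constructed sample @rawstring values modelled on the page's example data.
# The first is the page's FirewallMatchEvent: its CommandLine value contains
# unescaped quotes, so the string is not valid JSON and fails to parse.
SAMPLE_EVENTS = [
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295",'
    '"customerIDString":"a1b2c3d4e5f6g7h8i9j0"},"event":{"RuleId":"1",'
    '"LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB01",'
    '"CommandLine":"/usr/bin/grep -i "error" /var/log/syslog","ImageFileName":"/usr/bin/grep"}}',
    # The page's DetectionSummaryEvent: well-formed, but not a firewall event.
    '{"metadata":{"eventType":"DetectionSummaryEvent","eventCreationTime":"1768389790391",'
    '"customerIDString":"d4e5f6g7h8i9j0k1l2m3"},"event":{"SeverityName":"Medium",'
    '"DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-APP02"}}',
    # Two constructed, well-formed FirewallMatchEvents that the widget does count.
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389786300",'
    '"customerIDString":"a1b2c3d4e5f6g7h8i9j0"},"event":{"RuleId":"2",'
    '"LocalAddress":"192.168.2.143","RemoteAddress":"10.0.0.5","HostName":"PROD-WEB01"}}',
    '{"metadata":{"eventType":"FirewallMatchEvent","eventCreationTime":"1768389786310",'
    '"customerIDString":"a1b2c3d4e5f6g7h8i9j0"},"event":{"RuleId":"1",'
    '"LocalAddress":"192.168.2.150","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB02"}}',
]

def ingest(rawstring):
    """Hypothetical stand-in for the parser: flatten the JSON into the dotted
    fields the query filters on. A record whose @rawstring is not valid JSON
    gets @error=true and no metadata.* or event.* fields, which is what the
    first example row on the page shows."""
    fields = {"@rawstring": rawstring}
    try:
        doc = json.loads(rawstring)
    except json.JSONDecodeError as exc:
        fields["@error"] = "true"
        fields["@error_msg"] = f"Could not parse JSON: {exc.msg}"
        return fields
    for section in ("metadata", "event"):
        for key, value in doc.get(section, {}).items():
            fields[f"{section}.{key}"] = value
    return fields

def total_firewall_events(rawstrings):
    """Run the widget pipeline, * | metadata.eventType=FirewallMatchEvent | count(),
    over the records and also report how many never reached the filter because
    of parse errors, so a low _count can be told apart from a quiet firewall."""
    parsed = [ingest(r) for r in rawstrings]
    matched = [f for f in parsed if f.get("metadata.eventType") == "FirewallMatchEvent"]
    errors = [f for f in parsed if f.get("@error") == "true"]
    return {"_count": len(matched), "parse_errors": len(errors)}
```

For the sample records above, total_firewall_events(SAMPLE_EVENTS) returns _count 2 with one parse error, even though three of the four raw events are firewall events. In the widget itself the same gap can be checked by filtering on @error=true before trusting a baseline.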

Summary and Results

The widget is used to monitor the total volume of firewall events across the system.

This widget is useful to establish baseline activity levels, identify unusual spikes in firewall events, and track overall firewall utilization patterns.

Sample output from the incoming example data:

_count
40

The count represents the total number of firewall events recorded during the query time range, regardless of the specific rules triggered or actions taken.

Example of a Firewall Activity - Total events widget