Inbound Blocked Requests

Visualize blocked inbound network traffic flows in a Sankey diagram

This is a query example for the Inbound Blocked Requests widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

  *
  | metadata.eventType=FirewallMatchEvent | event.RuleId = 3
  | sankey(source=event.RemoteAddress, target=event.LocalAddress)

Introduction

This widget is used to visualize the flow of blocked inbound network requests between source and destination addresses using a Sankey diagram, providing a view of network traffic patterns.

In this widget, the sankey() function is used to create a flow diagram showing the relationships between remote (source) and local (target) addresses for blocked inbound connections.

Example incoming data might look like this:

  @timestamp          2026-01-14T11:23:10
  #error              true
  #repo               auto-dashboard-queries
  #type               siem-connector
  @error              true
  @error_msg          Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON | No field named metadata.eventCreationTime to use when parsing timestamp
  @error_msg[0]       Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON
  @error_msg[1]       No field named metadata.eventCreationTime to use when parsing timestamp
  @event_parsed       false
  @id                 rfVIA55U9jSH8zSzmRYJIeBx_0_22_1768389790
  @ingesttimestamp    2026-01-14T11:23:10
  @rawstring          {"metadata":{ "eventType":"FirewallMatchEvent","eventCreationTime":"1768389786295","customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"RuleId":"1", "LocalAddress":"192.168.2.143","RemoteAddress":"192.168.0.87","HostName":"PROD-WEB01","SensorId":"b2c3d4e5f6g7h8i9j0k1","DeviceId" : "c3d4e5f6g7h8i9j0k1l2", "CommandLine" : "/usr/bin/grep -i "error" /var/log/syslog", "ImageFileName" : "/usr/bin/grep"}} 38cbc192813c809d34dfb3b8a7996e7b
  @timestamp.nanos    0
  @timezone           Z

Note that this record failed parsing at ingest (#error=true, @event_parsed=false): the unescaped quotes around error inside the CommandLine value make @rawstring invalid JSON, so the parser could not read metadata.eventCreationTime for the timestamp. Records in this state have no metadata.eventType or event.* fields and therefore never reach the widget's filter.

Step-by-Step

  1. Starting with the source repository events.

  2. *

     Selects all events from the data stream for processing.

  3. | metadata.eventType=FirewallMatchEvent | event.RuleId = 3

     Filters events to include only FirewallMatchEvent events whose event.RuleId equals 3, the rule ID that represents blocked inbound connections.

  4. | sankey(source=event.RemoteAddress, target=event.LocalAddress)

     Creates a Sankey diagram visualization showing the flow of blocked connections from event.RemoteAddress (source) to event.LocalAddress (target). The width of each flow represents the volume of blocked requests.

  5. Event Result set.
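As an added example (not code from the crowdstrike/siem-connector package or the widget itself), the following Python reproduces the three query steps over constructed JSON records so the aggregation can be checked offline. It also exercises the record-level failure mode from the incoming-data sample above: a record whose @rawstring is invalid JSON never reaches the filter and is simply absent from the chart, so the function reports such records separately.

```python
import json
from collections import Counter


def make_event(event_type, rule_id, remote, local, **extra):
    """Serialize a siem-connector style record. json.dumps escapes embedded
    quotes, which avoids the parse failure seen in the page's sample record."""
    event = {"RuleId": str(rule_id), "RemoteAddress": remote, "LocalAddress": local, **extra}
    return json.dumps({"metadata": {"eventType": event_type}, "event": event})


# Constructed sample input, not taken from the page. The final record is written
# by hand with the unescaped quotes around "error" that appear in the page's
# @rawstring, so it is invalid JSON exactly like the page's example record.
RAW_EVENTS = [
    make_event("FirewallMatchEvent", 3, "192.168.0.156", "192.168.2.78"),
    make_event("FirewallMatchEvent", 3, "192.168.0.156", "192.168.2.78"),
    make_event("FirewallMatchEvent", 3, "192.168.1.245", "192.168.3.76"),
    make_event("FirewallMatchEvent", 1, "192.168.0.87", "192.168.2.143"),  # RuleId 1: filtered out
    make_event("OtherEventType", 3, "10.0.0.1", "10.0.0.2"),                # wrong eventType (constructed)
    make_event("FirewallMatchEvent", 3, "192.168.2.201", "192.168.4.92",
               CommandLine='/usr/bin/grep -i "error" /var/log/syslog'),   # quotes escaped correctly
    '{"metadata":{"eventType":"FirewallMatchEvent"},"event":{"RuleId":"3",'
    '"CommandLine":"/usr/bin/grep -i "error" /var/log/syslog",'
    '"RemoteAddress":"192.168.3.198","LocalAddress":"192.168.0.45"}}',
]


def blocked_inbound_sankey(raw_events, rule_id=3):
    """Reproduce the widget's pipeline over raw JSON lines.
    Returns (edges, parse_errors): edges are {source, target, weight} rows as
    sankey() emits them; parse_errors counts records LogScale flags #error=true."""
    weights = Counter()
    parse_errors = 0
    for raw in raw_events:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            parse_errors += 1  # never reaches the filter, so never appears in the chart
            continue
        meta, ev = rec.get("metadata", {}), rec.get("event", {})
        # | metadata.eventType=FirewallMatchEvent | event.RuleId = 3
        # RuleId is a JSON string in the feed, so compare as strings.
        if meta.get("eventType") != "FirewallMatchEvent" or ev.get("RuleId") != str(rule_id):
            continue
        # | sankey(source=event.RemoteAddress, target=event.LocalAddress)
        weights[(ev["RemoteAddress"], ev["LocalAddress"])] += 1
    edges = [{"source": s, "target": t, "weight": w} for (s, t), w in sorted(weights.items())]
    return edges, parse_errors


if __name__ == "__main__":
    edges, errors = blocked_inbound_sankey(RAW_EVENTS)
    for row in edges:
        print(row)
    print(f"records dropped at parse time: {errors}")
```

The parse-error count is the operational check to pair with this widget: a non-zero value means blocked-connection records exist that the Sankey diagram cannot show.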

Summary and Results

The widget is used to visualize network traffic patterns of blocked inbound requests in a Sankey diagram.

This widget is useful to identify the most frequently blocked source-destination pairs, detect unusual connection patterns, and understand the distribution of blocked traffic across the network.

Sample output from the incoming example data:

  source          target          weight
  192.168.0.156   192.168.2.78    4
  192.168.1.245   192.168.3.76    5
  192.168.2.201   192.168.4.92    3
  192.168.3.198   192.168.0.45    5
  192.168.4.198   192.168.1.54    3

The results are displayed as a Sankey diagram where the left side shows source addresses, the right side shows destination addresses, and the connecting flows indicate blocked connection attempts. The width of each flow represents the number of blocked requests between each address pair.

Example of an Inbound Blocked Requests widget