Skip to main content

Integrations

Saved Search

You can view the data in the Log Activity tab to see the ingested PCE events in QRadar. To change the time range in the saved search, change 7 days to the appropriate value. For example, to search for the last 2 days, change 7 days ago to 2 days ago.

Use the following procedure to run a saved search in QRadar:

  1. Go to the Log Activity tab in QRadar.

  2. Click the Search drop-down and select New Search.

    New_Search_QRadar

  3. Click the Group drop-down and select Illumio ASP V2.

    Select_Illumio_ASP_v2_Group

  4. Select a search from the list of Available Saved Searches and click Load. To run the search in the Log Activity tab, click the Search button located in the bottom-right corner.

    Load_Saved_Search

Name

Saved Search

Audit Events reported by PCE

select COUNT(*) AS 'COUNT' from events where LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2'

AND ("Event Href" MATCHES '.*/orgs/[0-9]*/events.*' OR "Href" MATCHES '.*/orgs/[0-9]*/events.*') AND "version"=2 AND QIDNAME(qid) not in ('Unknown', 'IllumioASPCustom Message') AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) START PARSEDATETIME('7 days ago')

Firewall Tampering Events reported by PCE

select COUNT(*) AS 'COUNT' from events where QIDNAME(qid) in ('Agent firewall tampered') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) START PARSEDATETIME('7 days ago')

Flow Blocked reported by PCE

SELECT DATEFORMAT(devicetime,'yyyy-MM-dd') AS 'LOGDATE', sum("Traffic Count") as 'COUNT', QIDNAME(qid) as 'Event Name' from events where QIDNAME(qid) in ('Flow Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY DATEFORMAT(devicetime,'yyyy-MM-dd') START PARSEDATETIME('7 days ago')

Flow Potentially Blocked reported by PCE

SELECT DATEFORMAT(devicetime,'yyyy-MM-dd') AS 'LOGDATE', sum("Traffic Count") as 'COUNT', QIDNAME(qid) as 'Event Name' from events where QIDNAME(qid) in ('Flow Potentially Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY DATEFORMAT(devicetime,'yyyy-MM-dd')

START PARSEDATETIME('7 days ago')

Overall Traffic Events reported by PCE

select sum("Traffic Count") AS 'COUNT' from events where QIDNAME(qid) in ('Flow Allowed', 'Flow Potentially Blocked', 'Flow Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) START PARSEDATETIME('7 days ago')

PortScan reported by PCE

SELECT "Source IPV4 or IPV6", "Destination IPV4 or IPV6",LONG(UNIQUECOUNT(destinationport)) AS 'PORTCOUNT', LONG(starttime/600000) AS LOGDATE from events where QIDNAME(qid) in ('Flow Allowed','Flow Potentially Blocked','Flow Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND "direction" = 'I' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY "Source IPV4 or IPV6","Destination IPV4 or IPV6",LOGDATE HAVING PORTCOUNT>1 ORDER BY LOGDATE START PARSEDATETIME('7 days ago')

Top 10 Blocked Hosts reported by PCE

SELECT sum("Traffic Count") as "Count","Source IPV4 or IPV6" as "Source IP", "Destination IPV4 or IPV6" as "Destination IP", DATEFORMAT(starttime,'yyyy-MM-dd') AS "Timestamp", destinationport as "Destination Port",IF "direction"='O' THEN 'Outgoing' ELSE 'Incoming' AS 'direction',"Source Labels App" AS 'Source Labels App', "Source Labels Environment" AS 'Source Labels Environment' ,"Source Labels Location" AS 'Source Labels Location',"Source Labels Role" AS 'Source Labels Role',"Destination Labels App" AS 'Destination Labels App',"Destination Labels Environment" AS 'Destination Labels Environment',"Destination Labels Location" AS 'Destination Labels Location',"Destination Labels Role" AS 'Destination Labels Role',IF "direction"='I' THEN "Destination Hostname" ELSE "Source Hostname" AS "Hostname" from events where QIDNAME(qid) in ('Flow Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY Hostname ORDER BY "Count" DESC LIMIT 10 START PARSEDATETIME('7 days ago')

Top 10 Blocked Services reported by PCE

SELECT sum("Traffic Count") as "Count","Source IPV4 or IPV6" as "Source IP", "Destination IPV4 or IPV6" as "Destination IP", DATEFORMAT(starttime,'yyyy-MM-dd') AS "Timestamp", destinationport as "Destination Port",IF "direction"='O' THEN 'Outgoing' ELSE 'Incoming' AS 'direction',"Source Labels App" AS 'Source Labels App', "Source Labels Environment" AS 'Source Labels Environment' ,"Source Labels Location" AS 'Source Labels Location',"Source Labels Role" AS 'Source Labels Role',"Destination Labels App" AS 'Destination Labels App',"Destination Labels Environment" AS 'Destination Labels Environment',"Destination Labels Location" AS 'Destination Labels Location',"Destination Labels Role" AS 'Destination Labels Role',"Destination Hostname" AS 'Destination Host Name',"Source Hostname" AS 'Source Host Name' from events where QIDNAME(qid) in ('Flow Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY destinationport,protocolid ORDER BY "Count" DESC LIMIT 10 START PARSEDATETIME('7 days ago')

Top 10 Potentially Blocked Hosts reported by PCE

SELECT sum("Traffic Count") as "Count","Source IPV4 or IPV6" as "Source IP", "Destination IPV4 or IPV6" as "Destination IP", DATEFORMAT(starttime,'yyyy-MM-dd') AS "Timestamp", destinationport as "Destination Port",IF "direction"='O' THEN 'Outgoing' ELSE 'Incoming' AS 'direction',"Source Labels App" AS 'Source Labels App', "Source Labels Environment" AS 'Source Labels Environment' ,"Source Labels Location" AS 'Source Labels Location',"Source Labels Role" AS 'Source Labels Role',"Destination Labels App" AS 'Destination Labels App',"Destination Labels Environment" AS 'Destination Labels Environment',"Destination Labels Location" AS 'Destination Labels Location',"Destination Labels Role" AS 'Destination Labels Role',IF "direction"='I' THEN "Destination Hostname" ELSE "Source Hostname" AS "Hostname" from events where QIDNAME(qid) in ('Flow Potentially Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY Hostname ORDER BY "Count" DESC LIMIT 10 START PARSEDATETIME('7 days ago')

Top 10 Potentially Blocked Services reported by PCE

SELECT sum("Traffic Count") as "Count","Source IPV4 or IPV6" as "Source IP", "Destination IPV4 or IPV6" as "Destination IP", DATEFORMAT(starttime,'yyyy-MM-dd') AS "Timestamp", destinationport as "Destination Port",IF "direction"='O' THEN 'Outgoing' ELSE 'Incoming' AS 'direction',"Source Labels App" AS 'Source Labels App', "Source Labels Environment" AS 'Source Labels Environment' ,"Source Labels Location" AS 'Source Labels Location',"Source Labels Role" AS 'Source Labels Role',"Destination Labels App" AS 'Destination Labels App',"Destination Labels Environment" AS 'Destination Labels Environment',"Destination Labels Location" AS 'Destination Labels Location',"Destination Labels Role" AS 'Destination Labels Role',"Destination Hostname" AS 'Destination Host Name',"Source Hostname" AS 'Source Host Name' from events where QIDNAME(qid) in ('Flow Potentially Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY destinationport,protocolid ORDER BY "Count" DESC LIMIT 10 START PARSEDATETIME('7 days ago')

Top 1000 Investigations reported by PCE

SELECT "Source IPV4 or IPV6", "Destination IPV4 or IPV6", DATEFORMAT(devicetime,'yyyy-MM-dd H:mm') AS 'Timestamp', destinationport,

PROTOCOLNAME(protocolid) as 'Protocol', QIDNAME(qid) as 'Policy Decision', IF "direction"='O' THEN 'Outgoing' ELSE 'Incoming' AS 'Direction', "Source Labels App", "Source Labels Environment","Source Labels Location","Source Labels Role","Destination Labels App","Destination Labels Environment","Destination Labels Location", "Destination Labels Role", "Destination Hostname", "Source Hostname" from events where QIDNAME(qid) in ('Flow Allowed','Flow Potentially Blocked','Flow Blocked')

AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) ORDER BY 'Timestamp' DESC LIMIT 1000 START PARSEDATETIME('7 days ago')

Total Flows reported by PCE

SELECT DATEFORMAT(devicetime,'yyyy-MM-dd') AS 'LOGDATE', sum("Traffic Count") as 'COUNT', QIDNAME(qid) as 'Event Name' from events where QIDNAME(qid) in ('Flow Allowed','Flow Potentially Blocked','Flow Blocked') AND LOGSOURCETYPENAME(devicetype) = 'Illumio ASP V2' AND devicetime BETWEEN PARSEDATETIME('7 days ago') AND PARSEDATETIME(NOW()) GROUP BY DATEFORMAT(devicetime,'yyyy-MM-dd') START PARSEDATETIME('7 days ago')