index=* sourcetype="juniper:firewall" src!="192.168.*" | bin _time span=5m | stats dc(dest_port) as distinct_port by src,dest,_time | where distinct_port > 1000
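The logic of the search above, emulated in Python as an added example (not part of the original page). Events are assumed to be already parsed into (time, src, dest, dest_port) tuples, and every address and timestamp is constructed sample data. It shows which rows survive the source filter, the 5-minute bin and the threshold, including that a private source outside 192.168.* is still reported.

```python
from collections import defaultdict

SPAN = 300                # bin _time span=5m
THRESHOLD = 1000          # where distinct_port > 1000
T0 = 1_700_000_100        # constructed epoch time that falls on a 5-minute boundary
TARGET = "198.51.100.10"  # constructed destination (documentation address range)


def detect_port_scans(events, span=SPAN, threshold=THRESHOLD):
    """events: iterable of (epoch_seconds, src, dest, dest_port).
    Returns {(src, dest, bin_start): distinct_ports} for rows over the threshold."""
    ports = defaultdict(set)
    for ts, src, dest, dest_port in events:
        if src.startswith("192.168."):                # src!="192.168.*"
            continue
        bin_start = ts - ts % span                    # snap _time to its 5-minute bin
        ports[(src, dest, bin_start)].add(dest_port)  # dc(dest_port) by src,dest,_time
    return {k: len(v) for k, v in ports.items() if len(v) > threshold}


def burst(src, count, repeat_port=None):
    """Constructed events: `count` connections from src to TARGET inside one bin."""
    return [(T0 + i // 20, src, TARGET, repeat_port or 1 + i) for i in range(count)]


def sample_events():
    """Constructed sample data, not real Juniper logs."""
    return (
        burst("203.0.113.5", 1500)                        # 1500 distinct ports: reported
        + burst("192.168.1.20", 2000)                     # dropped by the src filter
        + burst("10.0.0.7", 1200)                         # private, but not 192.168.*: reported
        + burst("203.0.113.9", 1000)                      # exactly 1000 is not > 1000
        + burst("203.0.113.44", 5000, repeat_port=443)    # many hits, one port: dc = 1
    )


if __name__ == "__main__":
    for (src, dest, start), n in sorted(detect_port_scans(sample_events()).items()):
        print(f"{start} {src} -> {dest} distinct_port={n}")
```

If internal scanners or monitoring hosts sit in 10.0.0.0/8 or 172.16.0.0/12, extend the source exclusion in the search accordingly, otherwise they will appear in the results.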
Count of Attackers on Juniper Devices
The following Splunk search counts potential "attacks" by source IP. Further investigation is needed to determine whether the reported events are actual attacks.
sourcetype="juniper:idp" attack* | stats count by src_ip
Credit given to bbosearch.