index=* sourcetype="juniper:firewall" src!="192.168.*" | bin _time span=5m | stats dc(dest_port) as distinct_port by src,dest,_time | where distinct_port > 1000
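The port-count search above, re-implemented in Python as an added example (not code from the original page) so the filter, 5-minute binning and distinct-count threshold can be checked offline. The function names, the event dictionary layout and all sample events are assumptions constructed for illustration; the events stand in for fields Splunk has already extracted.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

SPAN = 300             # bin _time span=5m
THRESHOLD = 1000       # where distinct_port > 1000
EXCLUDE = "192.168.*"  # src!="192.168.*"
T0 = 1_700_000_100     # constructed epoch time that falls on a 5-minute boundary


def port_scan_rows(events):
    """Return the rows the search would emit for already-extracted events."""
    ports = defaultdict(set)
    for ev in events:
        src, dest, port = ev.get("src"), ev.get("dest"), ev.get("dest_port")
        # src!=... needs the field to exist; stats skips events missing a by-field
        if src is None or dest is None or port is None:
            continue
        if fnmatchcase(src, EXCLUDE):
            continue
        bucket = ev["_time"] - ev["_time"] % SPAN  # floor to the start of the bin
        ports[(src, dest, bucket)].add(port)       # a set gives dc() semantics
    rows = [{"src": s, "dest": d, "_time": t, "distinct_port": len(p)}
            for (s, d, t), p in ports.items() if len(p) > THRESHOLD]
    return sorted(rows, key=lambda r: (r["_time"], r["src"]))


def sample_events():
    """Constructed events; addresses are documentation and private ranges."""
    def ev(t, src, port, dest="198.51.100.10"):
        return {"_time": t, "src": src, "dest": dest, "dest_port": port}
    events = []
    # External source touching 1200 distinct ports inside one bin, plus repeats
    events += [ev(T0 + p % SPAN, "203.0.113.7", p) for p in range(1, 1201)]
    events += [ev(T0 + 10, "203.0.113.7", p) for p in range(1, 101)]
    # Same source in the next bin: counted separately per bin
    events += [ev(T0 + SPAN + 5, "203.0.113.7", p) for p in range(1, 1002)]
    # Exactly 1000 distinct ports: not greater than the threshold
    events += [ev(T0 + 20, "203.0.113.9", p) for p in range(1, 1001)]
    # Internal source with 2000 ports: dropped by the src filter
    events += [ev(T0 + 30, "192.168.1.50", p) for p in range(1, 2001)]
    # Event without a src field
    events.append({"_time": T0, "dest": "198.51.100.10", "dest_port": 22})
    return events


if __name__ == "__main__":
    for row in port_scan_rows(sample_events()):
        print(row)
```

Each output row corresponds to one src, dest and 5-minute bucket, so a source that stays above the threshold across several buckets produces one row per bucket.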
Count of Attackers on Juniper Devices
The following Splunk search query counts potential “attacks” by source IP. Further investigation is needed to determine whether the reported attacks are accurate.
sourcetype="juniper:idp" attack* | stats count by src_ip
Credit given to bbosearch.