-
5 years, 9 months ago
pradeep577 commented on the post, RFQ (Request For Query) – Port Scan
In reply to: rashid47010 wrote a new post I am looking for the query[timechartl] for example 50 port scan attempts with in a second against list of organization public facing IP address. View| tstats allow_old_summaries=true distinct_count(All_Traffic.dest_port) as ports from datamodel=Network_Traffic.All_Traffic where
[ inputlookup internal_ip_range]
[| inputlookup whitelist.csv WHERE RuleName=portscan
| fields – RuleName, description
| format “” “NOT (” “AND” “” “)” “)”] by All_Traffic.src_ip
| search ports…[Read more] -
5 years, 10 months ago
pradeep577 wrote a new post
This Splunk Query will show hosts that stopped sending logs for at least 48 hours. You’ll want to change the time range to be relevant to your environment, and you may need to tweak the 48 hour range to something […]
-
5 years, 12 months ago
pradeep577 wrote a new post
Do this on HF
transforms.conf:
[discard_gotoips]
REGEX =DEST_KEY = queue
FORMAT = nullQueue
props.conf:
[default]
TRANSFORMS-null = discard_gotoips
File location: /etc/system/local
-
6 years, 5 months ago
pradeep577 wrote a new post
Stats count by port usage
index=* sourcetype=opsec | stats count by s_port proto dest dest_svc action product -
6 years, 10 months ago
pradeep577 wrote a new post
GoSplunk Admin Notes: If you have a data model enabled that matches the search below, this might work for you!
| datamodel Network_Traffic All_Traffic search | search All_Traffic.src_ip=10.x.x.x | stats count by […] -
6 years, 11 months ago
pradeep577 became a registered member
-
6 years, 11 months ago
pradeep577 became a registered member
