rashid47010 (@rashid47010)
I am looking for the query [timechart],
for example 50 port scan attempts within a second against a list of the organization's public-facing IP addresses.
8 years, 6 months ago
rashid47010 commented on the post "List of Universal Forwarders with Version" (SplunkNinja's post describing a Splunk query that returns the hostname and version of every host using a universal forwarder to send data to an indexer):
I am looking for some use cases regarding perimeter firewall. I have Palo Alto
Provide a log example.
| tstats allow_old_summaries=true distinct_count(All_Traffic.dest_port) as ports from datamodel=Network_Traffic.All_Traffic where
    [| inputlookup internal_ip_range]
    [| inputlookup whitelist.csv WHERE RuleName=portscan
     | fields - RuleName, description
     | format "" "NOT (" "AND" "" ")" ")"] by All_Traffic.src_ip
| search ports > 500
| `drop_dm_object_name("All_Traffic")`
For example, if the organization's public-facing IP addresses are in the range 123.6.0.0/16:
index=firewall sourcetype="juniper:firewall" dest=123.6.0.0/16
| timechart span=1s limit=0 dc(dest_port) as dest_port_count by src
| untable _time src dest_port_count
| where dest_port_count > 50
Or another way (a better way, without the timechart command), again with the public-facing addresses in the range 123.6.0.0/16:
index=firewall sourcetype="juniper:firewall" src!=192.168.* AND dest=123.6.0.0/16
| bin _time span=1s
| stats dc(dest_port) as dest_port_count by src, dest, _time
| where dest_port_count > 50
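The detection logic of the stats-based query above, with the whitelist exclusion from the tstats version, as an added Python example that can be run offline against sample data. This is example code added here, not code from any of the posters: the key=value line layout, the IP addresses, the internal range and the single whitelist entry are all assumptions made for illustration. It bins events into 1-second buckets, counts distinct destination ports per src/dest/bucket, and flags buckets over the threshold, while dropping traffic that is not aimed at the public range, comes from an internal source, or comes from a whitelisted scanner.

```python
"""Offline check of the port-scan logic discussed above: bin by 1 s,
count distinct dest ports per src/dest, flag buckets over a threshold,
and exclude internal sources and whitelisted scanners.
Example added to this page; not code from the original posters."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone


def _event(ts, src, dest, port):
    # Constructed key=value line; the field layout is an assumption, not
    # real juniper:firewall output.
    return f"{ts} src={src} dest={dest} dest_port={port} action=deny"


# Constructed sample data (IPs from documentation ranges), one scenario per block.
SAMPLE_LOGS = (
    # external host probing 60 ports in a single second -> should be flagged
    [_event("2024-05-01T10:00:00", "203.0.113.7", "123.6.10.5", p) for p in range(1, 61)]
    # whitelisted vulnerability scanner doing the same -> excluded
    + [_event("2024-05-01T10:00:00", "198.51.100.9", "123.6.10.5", p) for p in range(1, 61)]
    # internal host doing the same -> excluded by the src!=192.168.* filter
    + [_event("2024-05-01T10:00:00", "192.168.1.20", "123.6.10.5", p) for p in range(1, 61)]
    # scan against an address outside the public range -> out of scope
    + [_event("2024-05-01T10:00:00", "203.0.113.9", "10.0.0.5", p) for p in range(1, 61)]
    # slower scan: 30 ports in each of two consecutive seconds -> under a per-second threshold of 50
    + [_event("2024-05-01T10:00:01", "203.0.113.8", "123.6.10.5", p) for p in range(1, 31)]
    + [_event("2024-05-01T10:00:02", "203.0.113.8", "123.6.10.5", p) for p in range(31, 61)]
    # ordinary client touching three ports
    + [_event("2024-05-01T10:00:01", "203.0.113.10", "123.6.10.5", p) for p in (80, 443, 8443)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dest=(?P<dest>\S+) dest_port=(?P<port>\d+)")


def parse_event(line):
    """Return (utc_datetime, src, dest, port), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
    return ts, ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dest"]), int(m["port"])


def detect_port_scans(lines, public_range="123.6.0.0/16", internal_range="192.168.0.0/16",
                      whitelist=("198.51.100.9",), span_seconds=1, threshold=50):
    """Equivalent of: bin _time span=1s | stats dc(dest_port) by src,dest,_time | where count > threshold."""
    public_net = ipaddress.ip_network(public_range)
    internal_net = ipaddress.ip_network(internal_range)
    excluded = {ipaddress.ip_address(w) for w in whitelist}
    buckets = defaultdict(set)  # (src, dest, bucket_start_epoch) -> set of dest ports
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, src, dest, port = ev
        if dest not in public_net:  # only traffic aimed at our public range
            continue
        if src in internal_net or src in excluded:  # internal hosts and approved scanners
            continue
        bucket = int(ts.timestamp()) // span_seconds * span_seconds
        buckets[(str(src), str(dest), bucket)].add(port)
    hits = []
    for (src, dest, bucket), ports in sorted(buckets.items()):
        if len(ports) > threshold:
            hits.append({
                "_time": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "src": src, "dest": dest, "dest_port_count": len(ports),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_port_scans(SAMPLE_LOGS):
        print(hit)
```

With the defaults only the 60-port burst from 203.0.113.7 is reported; the slower scanner that spreads 30 ports over each of two seconds stays under the per-second threshold, which is the trade-off of a 1-second span: lowering the threshold or widening the span catches it at the cost of more noise from busy legitimate clients.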