Comments

  1. Pradeep

    | tstats allow_old_summaries=true distinct_count(All_Traffic.dest_port) as ports from datamodel=Network_Traffic.All_Traffic where
    [| inputlookup internal_ip_range]
    [| inputlookup whitelist.csv WHERE RuleName=portscan
    | fields - RuleName, description
    | format "" "NOT (" "AND" "" ")" ")"] by All_Traffic.src_ip
    | search ports > 500
    | drop_dm_object_name("All_Traffic")

  2. MaryamSaniee

    For example, if the list of the organization's public-facing IP addresses is in the range 123.6.0.0/16:
    index=firewall sourcetype="juniper:firewall" dest=123.6.0.0/24
    | timechart span=1s dc(dest_port) as dest_port_count by src
    | where dest_port_count > 50

  3. MaryamSaniee

    Or another way (a better way, without the timechart command):
    For example, if the list of the organization's public-facing IP addresses is in the range 123.6.0.0/16:
    index=firewall sourcetype="juniper:firewall" src!=192.168.* AND dest=123.6.0.0/24
    | bin _time span=1s
    | stats dc(dest_port) as dest_port_count by src,dest,_time
    | where dest_port_count > 50
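An added example, not part of any comment above: the bin/stats/where pipeline from the third comment re-expressed in Python over a handful of constructed firewall events, so the one-second window and the 50-port threshold can be checked offline before the SPL is deployed. The event tuples, the constructed addresses and the optional `whitelist` set (the idea borrowed from the first comment) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: (epoch seconds, src, dest, dest_port). Not real traffic.
SAMPLE_EVENTS = [
    # 60 distinct ports from one external source to one monitored host within one second: a scan
    *[(1700000000.2, "203.0.113.9", "123.6.0.10", p) for p in range(1, 61)],
    # internal source, dropped by the src!=192.168.* filter
    (1700000000.9, "192.168.1.5", "123.6.0.10", 22),
    # ordinary traffic, well under the threshold
    *[(1700000001.1, "198.51.100.7", "123.6.0.20", p) for p in (80, 443, 8080)],
    # destination outside the monitored /24, dropped by the dest=123.6.0.0/24 filter
    *[(1700000002.0, "203.0.113.9", "10.0.0.5", p) for p in range(1, 61)],
]

MONITORED_DEST = ipaddress.ip_network("123.6.0.0/24")   # dest=123.6.0.0/24
INTERNAL_SRC = ipaddress.ip_network("192.168.0.0/16")   # src!=192.168.*


def find_port_scans(events, threshold=50, span=1, whitelist=frozenset()):
    """Return {(src, dest, bucket_start): distinct_port_count} for every
    (src, dest, time bucket) whose distinct destination-port count exceeds
    `threshold`. `whitelist` is an assumed set of source IPs to ignore."""
    ports_by_key = defaultdict(set)
    for ts, src, dest, port in events:
        if src in whitelist or ipaddress.ip_address(src) in INTERNAL_SRC:
            continue
        if ipaddress.ip_address(dest) not in MONITORED_DEST:
            continue
        bucket = int(ts // span) * span                  # bin _time span=1s
        ports_by_key[(src, dest, bucket)].add(port)      # stats dc(dest_port) by src,dest,_time
    # where dest_port_count > 50
    return {k: len(v) for k, v in ports_by_key.items() if len(v) > threshold}


if __name__ == "__main__":
    for (src, dest, bucket), count in find_port_scans(SAMPLE_EVENTS).items():
        print(f"{src} -> {dest} at t={bucket}: {count} distinct ports in {1}s")
```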
