For example, if the organization's public-facing IP address range is 123.6.0.0/16:
index=firewall sourcetype="juniper:firewall" dest=123.6.0.0/24
|timechart span=1s dc(dest_port) as dest_port_count by src
|where dest_port_count > 50
Or another way (a better way, without the timechart command):
For example, if the organization's public-facing IP address range is 123.6.0.0/16:
index=firewall sourcetype="juniper:firewall" src!=192.168.* AND dest=123.6.0.0/24
|bin _time span=1s
|stats dc(dest_port) as dest_port_count by src,dest,_time
|where dest_port_count > 50
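As an added example (not part of the original answer), the same stats-based detection logic written in Python and run over constructed firewall events: it assumes key=value lines carrying src, dest, dest_port and an epoch _time field, and expresses src!=192.168.* as the 192.168.0.0/16 network.

```python
"""Port-scan detection mirroring the stats-based SPL above: bin events into
1-second buckets, count distinct destination ports per (src, dest, bucket),
and flag buckets above the threshold. Log lines below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PUBLIC_RANGE = ip_network("123.6.0.0/24")  # dest filter used in the query
INTERNAL = ip_network("192.168.0.0/16")    # equivalent of src!=192.168.*
THRESHOLD = 50                             # dest_port_count > 50

def parse_kv(line):
    """Parse a 'key=value key=value' firewall line into a dict."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields

def detect_port_scans(lines, threshold=THRESHOLD):
    """Return {(src, dest, second): distinct_port_count} for buckets over threshold."""
    ports = defaultdict(set)
    for line in lines:
        f = parse_kv(line)
        try:
            src, dest = ip_address(f["src"]), ip_address(f["dest"])
            ts, port = int(f["_time"]), int(f["dest_port"])
        except (KeyError, ValueError):
            continue  # skip malformed events instead of failing the whole run
        if src in INTERNAL or dest not in PUBLIC_RANGE:
            continue
        ports[(str(src), str(dest), ts)].add(port)  # bin _time span=1s
    return {k: len(v) for k, v in ports.items() if len(v) > threshold}

def sample_lines():
    """Constructed sample: a scanner hitting 60 ports within one second, a benign
    client, an internal host (excluded), and one event to an unmonitored dest."""
    lines = [f"_time=1700000000 src=203.0.113.7 dest=123.6.0.10 dest_port={p}"
             for p in range(1, 61)]
    lines += [f"_time=1700000000 src=198.51.100.4 dest=123.6.0.10 dest_port={p}"
              for p in (22, 80, 443)]
    lines += [f"_time=1700000000 src=192.168.1.5 dest=123.6.0.10 dest_port={p}"
              for p in range(1, 61)]
    lines.append("_time=1700000000 src=203.0.113.7 dest=123.7.0.10 dest_port=1")
    return lines

if __name__ == "__main__":
    for key, count in detect_port_scans(sample_lines()).items():
        print("possible port scan:", key, count)
```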
Provide log example.
| tstats allow_old_summaries=true distinct_count(All_Traffic.dest_port) as ports from datamodel=Network_Traffic.All_Traffic where
[| inputlookup internal_ip_range]
[| inputlookup whitelist.csv WHERE RuleName=portscan
| fields - RuleName, description
| format "" "NOT (" "AND" "" ")" ")"] by All_Traffic.src_ip
| search ports > 500
| `drop_dm_object_name("All_Traffic")`