topic Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window? in Splunk Search

How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

512anagha — Fri, 28 Apr 2017 11:23:42 GMT

I have a set of sources that access multiple destinations(IPs)

New to Splunk
The query has to be set in such a way that an alert is triggered when any user accesses more than 5 distinct destinations within 30 sec window.

So far I am able to get distinct destinations accessed by each source by using:

index= ....... | stats values(destnIP) by sourceIP

The challenge that I am facing is :
1.For 'x' number of destnIP for every sourceIP, new column should be created which reflects the number 'x' as in the count of destnIP
2. Unable to use commands- count, eval, etc after stats

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

Richfez — Fri, 28 Apr 2017 11:34:52 GMT

index= ....... | stats count values(destnIP) by sourceIP

Adding the count in there will give you a count in that stats. Try that.

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

512anagha — Wed, 03 May 2017 12:55:23 GMT

Thank you for your reply.

I could get the count as the total number of destnIP accessed by the sourceIP

I am unable to the the number of distinct IPs accessed (which is displayed in the Values (destnIP) column

Thus the number of destnIPs is mot matching the count as count is displayed total (it is also counting when a single IP is accessed multiple times)

Thankyou so much for your help

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

mdsnmss — Wed, 03 May 2017 15:41:16 GMT

index= ....... | bin _time span=30s | stats values(destnIP) as dests by sourceIP, _time | stats list(dests) dc(dests) as count by sourceIP, _time

This should show sourceIP, the 30 second window of the connections, a list of destnIPs for the sourceIP, and a count of connections in that window. To filter out everything <=5 just add a "| where count>5" on the end.

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

mdsnmss — Wed, 03 May 2017 15:41:41 GMT

Strange, gave me access denied posting as an answer but let me post it as a comment...

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

512anagha — Thu, 04 May 2017 05:57:24 GMT

Thankyou so much.
I could successfully get the required output

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

mdsnmss — Thu, 04 May 2017 12:15:53 GMT

No problem! Thinking about this a bit more I should note that the 30 second bins essentially reset the count every 30 seconds. So it would catch if there were 5 connections from 12:30:00-12:30:30, but if the 5 connections occurred 12:30:15-12:30:45 it would have reset the count at 12:30:30 and would not be a running count over a 30 second span.

I'm not sure if this is suitable for you but may be something to consider. I'm still looking at how it could maintain a running count and drop the event count as it hits 30 seconds older than the newest event in the count.

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

mdsnmss — Thu, 04 May 2017 12:16:35 GMT

 index= ....... | bin _time span=30s | stats values(destnIP) as dests by sourceIP, _time | stats list(dests) dc(dests) as count by sourceIP, _time

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

Richfez — Fri, 12 May 2017 00:37:16 GMT

That sounds like a task for streamstats with time_window=30s.

Re: How to generate an alert for every source accessing multiple distinct destinations within a 30 seconds window?

Richfez — Fri, 12 May 2017 01:15:06 GMT

So, this is totally for my own network so you'll have to adjust it for your own needs (just fieldnames), but it searches a 30 second window counting what you need.

index=fw src_ip=* 
| sort - _time 
| streamstats time_window=30s dc(DST) as CountOfDistinctDests, count(DST) as CountOfDests, values(DST) as DestsList
| stats list(DestsList) AS Destinations, sum(CountOfDistinctDests) AS "Count of Distinct Destinations" 
   sum(CountOfDests) AS "Count of Destinations" BY src_ip 
| search "Count of Destinations">5
| table src_ip, Destinations, "Count of Distinct Destinations", "Count of Destinations"

So, fix up the fields (DST, src_ip, etc...) and obviously the index and stuff at the base search.