https://community.splunk.com/t5/Splunk-Search/identify-scanner-and-malicious-domain/m-p/522666#M147387 <P>We can't answer your questions without knowing what data you have indexed in Splunk.&nbsp; Obviously, if you don't have network traffic data then no query can help you.&nbsp; If you do have network traffic data then the exact query will depend on how the tool that reported that data chose to format it.&nbsp; See the Splunk Security Essentials app for examples.</P><P>I know of no way to determine which vulnerability scanner a remote site is using.</P> Fri, 02 Oct 2020 13:16:29 GMT richgalloway 2020-10-02T13:16:29Z https://community.splunk.com/t5/Splunk-Search/identify-scanner-and-malicious-domain/m-p/522646#M147383 <P>For example, My ip is 202.101.53.4, I want to identify what are the domains sent me the most number of packets (most frequently), what will be the query look like?</P><P>I want to know the domain who sent me the most number of traffics, what would be the query look like?</P><P>I want to know the vulnerability scanner the malicious domain is using for reconaissance, which filed I can get info from splunk?</P><P>&nbsp;</P> Fri, 02 Oct 2020 09:32:12 GMT https://community.splunk.com/t5/Splunk-Search/identify-scanner-and-malicious-domain/m-p/522646#M147383 cyberfan 2020-10-02T09:32:12Z https://community.splunk.com/t5/Splunk-Search/identify-scanner-and-malicious-domain/m-p/522666#M147387 <P>We can't answer your questions without knowing what data you have indexed in Splunk.&nbsp; Obviously, if you don't have network traffic data then no query can help you.&nbsp; If you do have network traffic data then the exact query will depend on how the tool that reported that data chose to format it.&nbsp; See the Splunk Security Essentials app for examples.</P><P>I know of no way to determine which vulnerability scanner a remote site is using.</P> Fri, 02 Oct 2020 13:16:29 GMT https://community.splunk.com/t5/Splunk-Search/identify-scanner-and-malicious-domain/m-p/522666#M147387 richgalloway 2020-10-02T13:16:29Z