topic How to create a real-time map of attacks by Source IP? in Splunk Search

How to create a real-time map of attacks by Source IP?

kmedina1 — Thu, 17 Sep 2015 14:52:05 GMT

I would like to create a live map similar to the one at Norse: http://map.norsecorp.com.

Below is the search that I have, but it only works for Relative time, not Real-Time. Why is that? Also, I don't want to aggregate by Count, but rather, display the latest attacks and have them disappear as new attacks come in. How could I achieve that?

sourcetype=fortios5_ips | iplocation source_ip | stats count by attack, source_ip, destination_ip, lat, lon, City, Country, Region | where Country!="United States" | geostats globallimit=5 latfield=lat longfield=lon count by Country

Re: How to create a real-time map of attacks by Source IP?

hagjos43 — Thu, 17 Sep 2015 16:57:59 GMT

Not sure why your realtime search wouldn't work. It Could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (ie city/country/etc). A realtime search will show that information for the given time range so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suite your needs better. Someone else might have a better solution but that's how we do it here.

Re: How to create a real-time map of attacks by Source IP?

kmedina1 — Tue, 29 Sep 2020 07:28:44 GMT

Well, now it seems to be detecting events, I did changed the script a little bit. Even do I got 57 events in the last 30 minutes on Real-Time, I barely see them displayed in the map (only 5 are represented, map attached). Do you know why is that?

sourcetype=fortios5* | eval source_ip_address=case(sourcetype=="fortios5_ips", source_ip, sourcetype=="fortios5_webfilter", dstip, sourcetype=="fortios5_virus", dstip, sourcetype=="fortios5_app-ctrl", destination_ip) | iplocation source_ip_address | stats count by attack, source_ip_address, lat, lon, City, Country, Region | geostats globallimit=0 locallimit=0 latfield=lat longfield=lon count by City

Re: How to create a real-time map of attacks by Source IP?

ChrisG — Fri, 18 Sep 2015 22:58:11 GMT

This is not really an answer to your specific question about your search, but I am supplying this information for future readers who might look here for general information about building a map of attacks by source IP. There is a scenario-based tutorial in the Splunk Enterprise documentation, complete with sample data, that walks through how to build a dashboard that includes a drilldown map showing an attacker's IP address location, populated dynamically by clicking on an IP address in the dashboard.

Re: How to create a real-time map of attacks by Source IP?

Shabalala9 — Fri, 16 Mar 2018 20:49:25 GMT

what program are you using and what program language