300 events are seen with the same Source IP and different Destination IP in 1 hour

New Member

Translating QRadar rules to SPL and stuck with setting thresholds:

300 events are seen with the same Source IP and different Destination IP in 1 hour

No idea which parameters to use? Any hints?


SplunkTrust
Your search that gets the events you want, for the hour you want, with fields source_ip and dest_ip
| stats dc(dest_ip) as dest_count by source_ip
| where dest_count >=300
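The search above counts distinct destinations per source over whatever time range the search covers. As an added example (not from this thread and not Splunk code), here is the same logic in Python over constructed sample events, first with fixed one-hour bins (what `bin _time span=1h` before the `stats` would give you in SPL) and then with a sliding one-hour window, which also catches a scan whose 300 hits straddle a bin boundary. All host addresses, timestamps and function names are invented for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 300            # distinct destinations per source, as in the rule
WINDOW = timedelta(hours=1)


def make_events():
    """Constructed sample events (timestamp, source_ip, dest_ip); not real logs.

    10.0.0.5  : 350 distinct destinations inside one hour (should alert)
    10.0.0.7  : 400 events but only 3 distinct destinations (should not alert)
    10.0.0.9  : 320 distinct destinations spread over four hours (should not alert)
    10.0.0.11 : 320 distinct destinations in 20 minutes straddling 11:00
                (only the sliding window sees all 320 together)
    """
    base = datetime(2017, 5, 12, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(350):
        events.append((base + timedelta(seconds=9 * i), "10.0.0.5", f"10.2.{i // 256}.{i % 256}"))
    for i in range(400):
        events.append((base + timedelta(seconds=8 * i), "10.0.0.7", f"10.3.0.{i % 3 + 1}"))
    for i in range(320):
        events.append((base + timedelta(seconds=45 * i), "10.0.0.9", f"10.4.{i // 256}.{i % 256}"))
    for i in range(320):
        events.append((base + timedelta(minutes=50, seconds=3.75 * i), "10.0.0.11",
                       f"10.5.{i // 256}.{i % 256}"))
    return events


def fixed_bin_alerts(events, threshold=THRESHOLD, span=WINDOW):
    """Fixed bins: like `bin _time span=1h | stats dc(dest_ip) by _time, source_ip`.

    Returns sorted (bucket_start_iso, source_ip, distinct_dest_count) for every
    (bucket, source) pair at or above the threshold.
    """
    span_s = int(span.total_seconds())
    dests = defaultdict(set)
    for ts, src, dst in events:
        epoch = int(ts.timestamp())                       # UTC-aware, so this is exact
        bucket = datetime.fromtimestamp(epoch - epoch % span_s, tz=timezone.utc)
        dests[(bucket, src)].add(dst)
    return sorted(
        (bucket.isoformat(), src, len(d))
        for (bucket, src), d in dests.items()
        if len(d) >= threshold
    )


def sliding_window_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding window: for each source, the largest number of distinct destinations
    seen in any window of length `window` ending at one of its events.

    Returns {source_ip: max_distinct_dests} for sources that crossed the threshold.
    """
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        live = defaultdict(int)   # dest -> number of its events inside the window
        left = 0
        for ts, dst in evs:
            live[dst] += 1
            while evs[left][0] <= ts - window:            # expire events older than the window
                old = evs[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(live))
    return alerts


if __name__ == "__main__":
    evs = make_events()
    print("fixed 1h bins    :", fixed_bin_alerts(evs))
    print("sliding 1h window:", sliding_window_alerts(evs))
```

With the constructed data the fixed bins flag only 10.0.0.5, while the sliding window flags 10.0.0.5 and 10.0.0.11; the chatty host with three destinations and the slow host spread over four hours stay below 300 in both. In Splunk the fixed-bin version is the cheap one to schedule; if you want the sliding behaviour, run the hourly search over a longer window (for example `earliest=-2h`) or use a streaming approach, at the cost of duplicate alerts for the same source.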

SplunkTrust

Parameters to use to do what? What is your goal?


New Member

The goal is to detect WannaCry infection, and I need to set the above threshold.
