Archive
Highlighted

Detection of anomaly communication in Firewall

New Member

I want to find pairs of source/destination IPs, that have very high and unnormal communication in specific period.
let say if average daily communication between IP-A and IP-B is X event, i want to find day with 25X events.

That mean all pairs have to be checked and to show pairs with the biggest different between monthly average/median
and specific day (or other time unit)

Tags (1)
0 Karma
Highlighted

Re: Detection of anomaly communication in Firewall

SplunkTrust
SplunkTrust

Sounds like the MLTK would be a good use case for this. If you want a quick and dirty way of looking at this, you could use the timewrap command

index=... 
| timechart count
| timewrap 1w

You could then find the baseline per hours/day then use an eval to find one at 25x

0 Karma