I'm not using Regex. There are over 370,00 events, and the payload of the data reads like this:
payload: {"attackerPort": 4031, "victimPort": 8080, "victimIP": "172.31.14.66", "attackerIP": "222.486.21.184", "connectionType": "initial"}
| makeresults
| eval _raw="{\"payload\": {\"attackerPort\": 4031, \"victimPort\": 8080, \"victimIP\": \"172.31.14.66\", \"attackerIP\": \"222.486.21.184\", \"connectionType\": \"initial\"}}"
| spath
| fields - _*
`comment("the logic is below")`
| rename payload.* as *
| table attackerPort victimPort victimIP attackerIP
| eventstats count as attackerPort_count by attackerPort
| eventstats count as victimPort_count by victimPort
| eventstats count as victimIP_count by victimIP
| eventstats count as attackerIP_count by attackerIP
| sort 10 - attackerPort_count
I think that top is certainly good.
However, it might be nice to have other information.
I run those 12 commands separately, or as one? And do I need the source and sourcetype?
First of all, please copy and run all of them.
Erase once.
Then add a comment below to your query and run it.
Use KV_MODE = json for your sourcetype on your Search Head and you will get all of those fields extracted for free. Then depending on what you mean, start with this:
index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"
Then do either this:
| top 10 victimPort
Or this:
| top 10 attackerPort
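As an added example (not code from this thread or from Splunk), here is the same aggregation done outside Splunk: it reads events in the `payload: {...}` shape quoted in the question, computes the equivalent of `| top 10 attackerPort` / `| top 10 victimPort`, and reports IP-field values that are not valid addresses, which is useful when checking why a field extraction or search is returning odd results. The sample events are constructed; the `222.486.21.184` value is copied from the question.

```python
import json
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample events in the "payload: {...}" shape quoted in the question.
# 222.486.21.184 is taken from the question as-is; it is not a valid IPv4 address.
SAMPLE_EVENTS = [
    'payload: {"attackerPort": 4031, "victimPort": 8080, "victimIP": "172.31.14.66", "attackerIP": "222.486.21.184", "connectionType": "initial"}',
    'payload: {"attackerPort": 4031, "victimPort": 22, "victimIP": "172.31.14.67", "attackerIP": "203.0.113.9", "connectionType": "initial"}',
    'payload: {"attackerPort": 5555, "victimPort": 8080, "victimIP": "172.31.14.66", "attackerIP": "203.0.113.9", "connectionType": "retry"}',
    'payload: not json at all',
]

# The raw event is a "payload:" prefix followed by a JSON object; only the object is parsed.
PAYLOAD_RE = re.compile(r'^payload:\s*(\{.*\})\s*$')


def parse_event(line):
    """Return the payload dict, or None if the line is not 'payload: {valid json}'."""
    m = PAYLOAD_RE.match(line)
    if not m:
        return None
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return None


def top_values(events, field, n=10):
    """Equivalent of '| top n <field>': the most common values with their counts."""
    counter = Counter()
    for line in events:
        payload = parse_event(line)
        if payload is not None and field in payload:
            counter[payload[field]] += 1
    return counter.most_common(n)


def malformed_ips(events, fields=("attackerIP", "victimIP")):
    """Data-quality check: (field, value) pairs where the value is not a valid IP address."""
    bad = []
    for line in events:
        payload = parse_event(line)
        if payload is None:
            continue
        for f in fields:
            value = payload.get(f)
            if value is None:
                continue
            try:
                ip_address(value)
            except ValueError:
                bad.append((f, value))
    return bad
```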