Now I'm working on a port scan alert policy.
Port scanning is a hacker's attack method. I can see its activity track in the firewall. I can see the source IP (scansip), source port and destination IP (scandip), destination port. Too many port connections are logged on the firewall.
I use the following method to extract the port scan behavior.
Set a time range, for example: 60s. And the interval between each event cannot be greater than 7s. There are more than 40 elements in the collection. I think that is a port scan. How do I search for such events?
I only need scansip, scandip, and the number of elements in the collection.
Yes, try using transaction command this way -
<your search> | transaction maxpause=7s maxspan=60s scan_sip scan_dip | where eventcount >=40
OK. Now, how do I count the number of collections?
I want to get this result:
scan_sip        scan_dip        count
22.214.171.124  126.96.36.199   45
eventcount field gets added automatically as part of transaction command -
<your search> | transaction maxpause=7s maxspan=60s scan_sip scan_dip | where eventcount >40 | rename eventcount as count | table scan_sip scan_dip count
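The windowing rule from this thread (one source/destination pair, gaps of at most 7s, total span of at most 60s, more than 40 events), written out in Python as an added example that is not from the thread or from Splunk. The event tuple layout, the distinct-port column and the sample data are assumptions constructed for illustration, and the session splitting is a simplification of what the transaction command does.

```python
from collections import defaultdict

def detect_scans(events, maxpause=7, maxspan=60, threshold=40):
    """events: iterable of (epoch_seconds, src_ip, dst_ip, dst_port).
    Returns sorted [(src_ip, dst_ip, count, distinct_ports)] for every
    session holding more than `threshold` events."""
    by_pair = defaultdict(list)
    for ts, sip, dip, dport in events:
        by_pair[(sip, dip)].append((ts, dport))

    hits = []
    for (sip, dip), rows in by_pair.items():
        rows.sort()
        session = []
        # A (None, None) sentinel flushes the last open session.
        for ts, dport in rows + [(None, None)]:
            closes = ts is None or (session and (
                ts - session[-1][0] > maxpause      # gap too long
                or ts - session[0][0] > maxspan))   # window too long
            if closes:
                if len(session) > threshold:
                    ports = {p for _, p in session}
                    hits.append((sip, dip, len(session), len(ports)))
                session = []
            if ts is not None:
                session.append((ts, dport))
    return sorted(hits)

# Constructed sample events (documentation IP ranges), not real firewall logs.
SAMPLE = (
    # 45 different ports, one per second: a single 44s session
    [(1000 + i, "192.0.2.10", "198.51.100.5", 1 + i) for i in range(45)]
    # 50 connections to one port, 10s apart: every gap exceeds maxpause
    + [(1000 + 10 * i, "192.0.2.20", "198.51.100.5", 443) for i in range(50)]
    # 45 ports, 2s apart: 88s total, so maxspan splits it into 31 + 14 events
    + [(1000 + 2 * i, "192.0.2.30", "198.51.100.5", 1 + i) for i in range(45)]
)

if __name__ == "__main__":
    print("scan_sip scan_dip count distinct_ports")
    for row in detect_scans(SAMPLE):
        print(*row)
```

The third sample source has the same event volume as the first but is not reported, which shows how the maxspan and threshold values bound what this rule can catch.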