I'm looking for specific conditions where 2 or more ports (as seen by firewall) have allowed events (action=allowed) and then a third port, typically with a service such as port 22 is the final request. This far, I am working with:
index=firewall_index
| bin _time span=5m
| stats count, values(dest_zone) as dest_zone, values(dest_port) as dest_port,
values(user) as User by _time src_zone src_ip dest_ip
| where (src_zone != dest_zone)
| bin _time as Day span=1d
| eventstats values(dest_port) as all_dest_ports by Day src_ip dest_ip
| where (mvcount(dest_port) >= 5) OR (mvcount(all_dest_ports) >= 25)
which was borrowed for a port scan search.
@drico618 "such as port 22" as in only port 22 or any port?