
Eval match value if port=3389 between 2 fields.

swengroeneveld
Explorer


Good morning to you all,

In the same index I have 2 fields called port1 and port2.
Port1 and Port2 can both have values between 0-65535.

I want to determine if there is port 3389.

This is part of the SolarWinds recommendation list (outward facing ports) from CISA.
Pretty much I am stuck with match or between or if in the eval (not my strong suit).

Your feedback is valued so thanks in advance!

1 Solution

scelikok
Champion

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
If this reply helps you an upvote is appreciated.

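As an added illustration (not code from the thread), this Python snippet mirrors the accepted eval and the earlier equality search over the asker's table plus the two cases from the follow-up post, and lists the rows the equality search misses. The reversed-bounds variant is an assumption of mine, not something the thread states.

```python
# Added example (not from the Splunk thread): compare the accepted range
# check with the earlier equality search on constructed rows.
RDP_PORT = 3389

# Constructed sample rows: the asker's table plus the two cases from the
# follow-up post. Each row is (port1, port2, expected RDPport).
SAMPLE_ROWS = [
    (0, 65535, True),
    (3389, 3389, True),
    (22, 22, False),
    (443, 443, False),
    (0, 1023, False),
    (1023, 65535, True),
    (0, 4400, True),        # from the follow-up post
    (3388, 65535, True),    # from the follow-up post
]


def range_match(port1, port2, target=RDP_PORT):
    """Mirror of the accepted SPL: port1<=target AND port2>=target."""
    for p in (port1, port2):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return port1 <= target and port2 >= target


def equality_match(port1, port2, target=RDP_PORT):
    """Mirror of the earlier suggestion: port1=target OR port2=target."""
    return port1 == target or port2 == target


def normalised_range_match(port1, port2, target=RDP_PORT):
    """Assumption (not stated in the thread): if the two fields can be stored
    in either order, take min/max first; the plain eval gives FALSE for (65535, 0)."""
    lo, hi = sorted((port1, port2))
    return range_match(lo, hi, target)


def rows_missed_by_equality(rows=SAMPLE_ROWS):
    """Rows the range check flags but the equality search does not."""
    return [(p1, p2) for p1, p2, _ in rows
            if range_match(p1, p2) and not equality_match(p1, p2)]


def verify(rows=SAMPLE_ROWS):
    """True when range_match reproduces every expected RDPport value."""
    return all(range_match(p1, p2) == exp for p1, p2, exp in rows)


if __name__ == "__main__":
    print("range check matches table:", verify())
    print("missed by equality search:", rows_missed_by_equality())
```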


scelikok
Champion

I couldn't get your need. Could you please describe more? 

If this reply helps you an upvote is appreciated.

swengroeneveld
Explorer

Sure, the result should be something like:

port1  port2  RDPport
0      65535  TRUE
3389   3389   TRUE
22     22     FALSE
443    443    FALSE
0      1023   FALSE
1023   65535  TRUE


Does this make it more clear?


scelikok
Champion

Hi @swengroeneveld,

You can use below query;

| search port1=3389 OR port2=3389
If this reply helps you an upvote is appreciated.

swengroeneveld
Explorer

True, but that does not take into account if

port1 = 0 AND port2=4400

OR

port1 =3388 AND port2 = 65535
