Solved: Re: Eval match value if port=3389 between 2 fields...

swengroeneveld · ‎02-09-2021

Good morning to you all,

In the same index I have 2 fields called port1 and port2.
Port1 and Port2 can both have values between 0-65535.

I want determine if there is port 3389.

This is part of the solwarwinds recommendation list (outward facing ports) from CISA.
Pretty much I am stuck with match or between or if in the eval (not my strong suit).

Your feedback is valued so thanks in advance!

scelikok · ‎02-09-2021

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎02-09-2021

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎02-09-2021

I couldn't get your need. Could you please describe more?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

swengroeneveld · ‎02-09-2021

Sure, the result should be something like:

port1	port2	RDPport
0	65535	TRUE
3389	3389	TRUE
22	22	FALSE
443	443	FALSE
0	1023	FALSE
1023	65535	TRUE

Does this make it more clear?

scelikok · ‎02-09-2021

Hi @swengroeneveld,

You can use below query;

| search port1=3389 OR port2=3389

If this reply helps you an upvote and "Accept as Solution" is appreciated.

swengroeneveld · ‎02-09-2021

True, but that does not take in account if

port1 = 0 AND port2=4400

OR

port1 =3388 AND port2 = 65535

Eval match value if port=3389 between 2 fields.

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout