Eval match value if port=3389 between 2 fields.

swengroeneveld
Explorer

Good morning to you all,

In the same index I have 2 fields called port1 and port2.
Port1 and Port2 can both have values between 0-65535.

I want to determine if there is port 3389.

This is part of the SolarWinds recommendation list (outward facing ports) from CISA.
Pretty much I am stuck with match or between or if in the eval (not my strong suit).

Your feedback is valued so thanks in advance!

1 Solution

scelikok
SplunkTrust
SplunkTrust

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
If this reply helps you, an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust
SplunkTrust

I couldn't get your need. Could you please describe more?

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

swengroeneveld
Explorer

Sure, the result should be something like:

port1   port2   RDPport
0       65535   TRUE
3389    3389    TRUE
22      22      FALSE
443     443     FALSE
0       1023    FALSE
1023    65535   TRUE

Does this make it more clear?


scelikok
SplunkTrust
SplunkTrust

Hi @swengroeneveld,

You can use below query;

| search port1=3389 OR port2=3389
If this reply helps you, an upvote and "Accept as Solution" is appreciated.

swengroeneveld
Explorer

True, but that does not take into account if

port1 = 0 AND port2=4400

OR

port1 =3388 AND port2 = 65535

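The difference between the accepted range check (`port1<=3389 AND port2>=3389`) and the earlier equality-only search (`port1=3389 OR port2=3389`) is easy to see when both are run over the same rows. The Python below is an added example, not code from the thread or from Splunk; it re-implements the accepted eval expression and the equality search as plain functions, runs them over a constructed event list (the six rows of the expected-result table plus the two counterexamples from the last reply), and reports which events the equality search would miss. It goes one step beyond the thread by normalising the bounds first, so a pair logged in reverse order, such as (65535, 0), is treated as the same range as (0, 65535); that normalisation is an assumption of this example, not something the thread's SPL does.

```python
"""Range check for RDP (TCP 3389) inside port1..port2 pairs.

Added example, not from the Splunk Community thread. It mirrors the
accepted SPL expression

    | eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")

in Python so the behaviour can be checked offline, and contrasts it with
the equality-only search (port1=3389 OR port2=3389). The event list is
constructed for this example.
"""

RDP_PORT = 3389

# Constructed sample events: (port1, port2) as they might appear in the index.
# The first six rows are the expected-result table from the thread; the last
# two are the counterexamples from the final reply.
SAMPLE_EVENTS = [
    {"port1": 0, "port2": 65535},
    {"port1": 3389, "port2": 3389},
    {"port1": 22, "port2": 22},
    {"port1": 443, "port2": 443},
    {"port1": 0, "port2": 1023},
    {"port1": 1023, "port2": 65535},
    {"port1": 0, "port2": 4400},
    {"port1": 3388, "port2": 65535},
]


def range_contains(port1: int, port2: int, port: int = RDP_PORT) -> bool:
    """Equivalent of the accepted eval: port1 <= port AND port2 >= port.

    Bounds are normalised first (an assumption beyond the thread's SPL) so a
    pair logged as (65535, 0) is treated like (0, 65535).
    """
    lo, hi = sorted((port1, port2))
    return lo <= port <= hi


def equality_only(port1: int, port2: int, port: int = RDP_PORT) -> bool:
    """The earlier suggestion: search port1=3389 OR port2=3389."""
    return port1 == port or port2 == port


def classify(events, port: int = RDP_PORT):
    """Return (port1, port2, RDPport) rows with RDPport as "TRUE"/"FALSE"."""
    rows = []
    for ev in events:
        hit = range_contains(ev["port1"], ev["port2"], port)
        rows.append((ev["port1"], ev["port2"], "TRUE" if hit else "FALSE"))
    return rows


def missed_by_equality(events, port: int = RDP_PORT):
    """Events the range check flags but the equality-only search does not."""
    return [
        (ev["port1"], ev["port2"])
        for ev in events
        if range_contains(ev["port1"], ev["port2"], port)
        and not equality_only(ev["port1"], ev["port2"], port)
    ]


if __name__ == "__main__":
    print("port1  port2  RDPport")
    for p1, p2, flag in classify(SAMPLE_EVENTS):
        print(f"{p1:<6} {p2:<6} {flag}")
    print("missed by equality-only search:", missed_by_equality(SAMPLE_EVENTS))
```

Running the script reproduces the expected-result table and lists the four ranges (0-65535, 1023-65535, 0-4400 and 3388-65535) that contain 3389 without either endpoint equalling it, which is exactly why the equality search under-reports exposed RDP ranges.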