Hi all,
i am using ES app 2.4 and trrying to run an inbuilt sear4ch "Anomalous ports detection". This search refers to a look up file. when i open that lookup file, i found it empty. Please tell me how this lookup file baseline information will be filled up.
please help.
Hi,
that's provided by this:
grep -rin listeningports . | grep output
./SA-EndpointProtection/default/savedsearches.conf:55:search = `listeningports` | table _time,dest,dest_bunit,dest_category,dest_pci_domain,dest_requires_av,dest_should_timesync,dest_should_update,transport,dest_port,transport_dest_port,tag | `filtertags("endpoint")` | `tscollect("sa_listening_ports","true","true")` | stats min(_time) as firstTime,max(_time) as lastTime by dest,dest_port,transport | inputlookup append=T listeningports_tracker | `lower(dest)` | stats min(firstTime) as firstTime,max(lastTime) as lastTime by dest,dest_port,transport | outputlookup listeningports_tracker | stats count
the listeningports macro is:
[listeningports]
definition = tag=listening tag=port | tags outputfield=tag | eval transport=lower(transport) | `get_transport_dest_port`
Do you have data that is tagged that way?