Splunk Enterprise Security

How can I filter incoming traffic from outgoing traffic

Communicator

Hi

I am working on a DDoS alert. I want to detect spikes of incoming traffic,
but I am not sure how to differentiate incoming from outgoing.

index=fortigate sourcetype=fgt_traffic host="FGT-200"
| search (dest_port=443 OR dest_port=80)

Contributor

You could filter out the source IPs behind your firewall to get incoming traffic. The actual IPs to use will depend on your environment. Here is an example:

index=fortigate sourcetype=fgt_traffic host="FGT-200" (dest_port=443 OR dest_port=80) srcip!=203.0.113.0/24 srcip!=192.168.15.0/24
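As an added example (not part of the question or the answer above), the same idea carried one step further into a spike alert: each event is tagged inbound or outbound with cidrmatch against the internal ranges from the answer, and one-minute buckets whose inbound count sits far above the search window's average are flagged. The two CIDR ranges, the field names (srcip, dest_port) and the three-standard-deviation threshold are taken from the posts or assumed, so adjust them for your environment.

```spl
index=fortigate sourcetype=fgt_traffic host="FGT-200" (dest_port=443 OR dest_port=80)
| eval direction=if(cidrmatch("203.0.113.0/24", srcip) OR cidrmatch("192.168.15.0/24", srcip), "outbound", "inbound")
| search direction="inbound"
| bin _time span=1m
| stats count AS inbound_conns dc(srcip) AS unique_sources BY _time
| eventstats avg(inbound_conns) AS avg_conns stdev(inbound_conns) AS sd_conns
| eval threshold=avg_conns + 3*sd_conns
| where inbound_conns > threshold
| table _time inbound_conns unique_sources avg_conns threshold
```

Run it over a window long enough to give eventstats a meaningful baseline (a few hours rather than a few minutes), and check with the fields sidebar whether your FortiGate add-on exposes the raw srcip field or the CIM name src_ip, since the question and the answer use different naming conventions.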