Splunk Enterprise Security

Network scanning - high number denied attempts followed by a allowed traffic on firewall


Hi Splunk Experts,

My team has below search to identify blocked scanning activity followed by another search via a join to see any src_ip that had been blocked was actually allowed on our firewall.

Here is search query -

index=firewall action=block* src_ip!= src_ip!= src_ip!=
| iplocation src_ip
| fillnull value=null Country
| stats count by src_ip dest_port Country
| eval dest_port_bar="".count." attempts on port "+dest_port
| stats list(dest_port_bar) as "Ports" dc(dest_port) as "Number of Ports scanned" sum(count) as Total by src_ip Country
| sort - "Number of Ports scanned"
| join src_ip type=left
[| search index=firewall action=allowed src_ip!= src_ip!= src_ip!=
| eval Allowed_Traffic=if(in(action, "allowed"),"Yes","No")
| table Allowed_Traffic src_ip]
| fillnull value=No Allowed_Traffic

This search is very much time consuming. Is it possible optimize the search for quicker results? Also, I have read somewhere that using join command is not wise. Please help! Thanks in Advance

Anil A

0 Karma


I do not see any difference in time between the two searches. How are you assessing was denied vs is allowed? If you have more than one firewall sending logs to the index it could be permitted by the first to see the traffic and denied by the second, the overall effect would be the traffic was denied for your enterprise firewalls but the interpretation of your data would be once denied but now permitted. Or, the inverse could be true, it was once permitted but now is denied.
If I understand the objective of your search, you would need to perform the searches across to different time periods and look for src_ip dest_port "denied" in the earliest query and in the query of the newer data look for the absence of denied for the same pattern of src_ip dest_port. Then by combining the results you could measure the status of the present against the historical record.
Unless this search is isolated to an edge (or small number of edge) firewall(s) and a timeshift between the two searches is added, I do not see how this is manageable. Of course, I might be way off base too...

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...