I have some data here with which I need to find out which is the most vulnerable IP address from the dummy firewall log.
Fragmentation attack 220.127.116.11
some tcp attack 18.104.22.168
So from the above data 22.214.171.124 is common for all the attacks on my network and I need a search query to list out the common IPs.
I hope I have made myself clear.
My base search to get the results is
index="netgear" | stats values(srcip) as srcip values(destip) as destip by message
This is a great way to find compromised IPs. Your search should be like this if you want to find all attack messages for your source IP:
index="netgear" | stats values(message) as message by srcip
You can even filter out whichever has more than 2 attack vectors:
index="netgear" | stats dc(message) as condition, values(message) as message by srcip | where condition>2
And you can also add the list of destinations:
index="netgear" | stats dc(message) as condition, values(message) as message, values(destip) as destip by srcip
Let me know if this helps.
I suspect you are presenting a snippet of your requirements, however try this and see if this takes you any nearer to your solution.
| makeresults | eval evnt="Fragmentation attack 126.96.36.199 188.8.131.52 184.108.40.206 bruteforce 220.127.116.11 18.104.22.168 22.214.171.124 some tcp attack 126.96.36.199 188.8.131.52 184.108.40.206" | rex field=evnt "(?<text>\d+\.\d+\.\d+\.\d+)" max_match=0 | mvexpand text | stats count by text
So, here the count for 220.127.116.11 is the highest and you can just filter by the count for the IP having the maximum occurrence.
Thank you for the answer, let me try to explain my entire requirement so it's more clear. I get a log from the firewall. Inside the firewall log there are some destination IPs under attack by fragmentation attack, some destination IPs under attack by brute force and some destination IPs under attack by some other attack. So I want to find out if any destination IP is under attack by multiple methods. Like in the above scenario, 18.104.22.168 is under attack by all three types of attacks. So basically I need to find the most vulnerable IP address in the network. Hope I made myself clear.
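As an added illustration of the logic the clarified requirement calls for (not code from this thread or from Splunk): the equivalent of `stats dc(message) ... by destip | where condition>=N` carried out in Python over constructed firewall lines. The key=value line format, the IP ranges and the message labels are all assumptions made for the sample; note that a distinct count only rises when the message text differs, so a destination hit repeatedly by the same attack still counts as one vector.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread); message labels follow the
# question's wording, the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-01T10:00:01 message="Fragmentation attack" srcip=203.0.113.5 destip=192.0.2.10
2024-01-01T10:00:02 message="bruteforce" srcip=203.0.113.6 destip=192.0.2.10
2024-01-01T10:00:03 message="some tcp attack" srcip=203.0.113.7 destip=192.0.2.10
2024-01-01T10:00:04 message="Fragmentation attack" srcip=203.0.113.5 destip=192.0.2.20
2024-01-01T10:00:05 message="bruteforce" srcip=203.0.113.6 destip=192.0.2.20
2024-01-01T10:00:06 message="Fragmentation attack" srcip=203.0.113.9 destip=192.0.2.30
2024-01-01T10:00:07 message="Fragmentation attack" srcip=203.0.113.9 destip=192.0.2.30
"""

# Assumed key=value layout; every octet pattern uses \d{1,3} so the last
# octet is not truncated to one digit.
LINE_RE = re.compile(
    r'message="(?P<message>[^"]+)"\s+srcip=(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})'
    r'\s+destip=(?P<destip>\d{1,3}(?:\.\d{1,3}){3})'
)

def parse_log(text):
    """Yield (message, srcip, destip) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("message"), m.group("srcip"), m.group("destip")

def attacks_by_dest(text):
    """Like: stats values(message) as message, values(srcip) as srcip by destip."""
    table = defaultdict(lambda: {"message": set(), "srcip": set()})
    for message, srcip, destip in parse_log(text):
        table[destip]["message"].add(message)
        table[destip]["srcip"].add(srcip)
    return table

def multi_vector_targets(text, min_vectors=2):
    """Like: stats dc(message) as condition ... by destip | where condition>=min_vectors,
    returned as (destip, dc, sorted messages, sorted sources), most-attacked first."""
    rows = []
    for destip, cols in attacks_by_dest(text).items():
        dc = len(cols["message"])  # distinct attack types seen against this destination
        if dc >= min_vectors:
            rows.append((destip, dc, sorted(cols["message"]), sorted(cols["srcip"])))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows

if __name__ == "__main__":
    for destip, dc, messages, sources in multi_vector_targets(SAMPLE_LOG):
        print(f"{destip}: {dc} attack types {messages} from {sources}")
```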