I have some data here from which I need to find out which is the most vulnerable IP address in the dummy firewall log.
Fragmentation attack 18.104.22.168
some tcp attack 22.214.171.124
So from the above data 126.96.36.199 is common for all the attacks on my network and I need a search query to list out the common IPs.
I hope i have made myself clear.
My base search to get the results is
index="netgear" | stats values(srcip) as srcip values(destip) as destip by message
This is a great way to find compromised IPs. Your search should look like this if you want to find all attack messages for your source IP:
index="netgear" | stats values(message) as message by srcip
You can even filter out whichever has more than 2 attack vectors:
index="netgear" | stats dc(message) as condition, values(message) as message by srcip | where condition>2
And you can also add the list of destinations:
index="netgear" | stats dc(message) as condition, values(message) as message, values(destip) as destip by srcip
Let me know if this helps.
I suspect you are presenting a snippet of your requirements; however, try this and see if it takes you any nearer to your solution.
| makeresults | eval evnt="Fragmentation attack 188.8.131.52 184.108.40.206 220.127.116.11 bruteforce 18.104.22.168 22.214.171.124 126.96.36.199 some tcp attack 188.8.131.52 184.108.40.206 220.127.116.11" | rex field=evnt "(?<text>\d+\.\d+\.\d+\.\d+)" max_match=0 | mvexpand text | stats count by text
So, here the count for 18.104.22.168 is the highest, and you can just filter by the count for the IP having the maximum occurrence.
Thank you for the answer; let me try to explain my entire requirement so it is more clear. I get a log from the firewall. Inside the firewall log there are some destination IPs under attack by fragmentation attack, some destination IPs under attack by brute force and some destination IPs under attack by some other attack. So I want to find out if any destination IP is under attack by multiple methods. Like in the above scenario, 22.214.171.124 is under attack by all three types of attacks. So basically I need to find the most vulnerable IP address in the network. Hope I made myself clear.
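The logic the thread converges on (group by destination, count distinct attack messages, keep destinations hit by more than one method) is easy to verify offline before running it against a real index. The following Python is an added example written for this page; it is not from any of the posters, and the `message="..." srcip=... destip=...` line format and the addresses in `SAMPLE_LOG` are constructed here and do not correspond to real NETGEAR output. `rank_targets` is the equivalent of `stats dc(message) as condition, values(message) as message, values(srcip) as srcip by destip | where condition>=N | sort -condition`; note that the answer above uses `condition>2`, which with exactly three attack types only returns destinations hit by all three, so a threshold of 2 is what "under attack by multiple methods" actually needs.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not real NETGEAR output; the key=value
# layout is an assumption made for this example). RFC 5737 test addresses.
SAMPLE_LOG = """\
message="Fragmentation attack" srcip=203.0.113.10 destip=192.0.2.5
message="Fragmentation attack" srcip=203.0.113.11 destip=192.0.2.7
message="bruteforce" srcip=203.0.113.12 destip=192.0.2.5
message="bruteforce" srcip=203.0.113.12 destip=192.0.2.9
message="some tcp attack" srcip=203.0.113.13 destip=192.0.2.5
message="some tcp attack" srcip=203.0.113.14 destip=192.0.2.7
message="some tcp attack" srcip=203.0.113.14 destip=192.0.2.5
"""

# Field extraction; \S+ (not a single \d) so full dotted quads are captured.
LINE_RE = re.compile(
    r'message="(?P<message>[^"]*)"\s+srcip=(?P<srcip>\S+)\s+destip=(?P<destip>\S+)'
)


def parse_log(text):
    """Return one dict per parseable line with message, srcip, destip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def attack_types_by_dest(events):
    """Equivalent of: stats values(message), values(srcip) by destip."""
    by_dest = defaultdict(lambda: {"message": set(), "srcip": set()})
    for e in events:
        by_dest[e["destip"]]["message"].add(e["message"])
        by_dest[e["destip"]]["srcip"].add(e["srcip"])
    return by_dest


def rank_targets(events, min_types=1):
    """Equivalent of: stats dc(message) as condition ... by destip
    | where condition>=min_types | sort -condition.
    Rows are sorted most-attacked first; ties broken by destip."""
    by_dest = attack_types_by_dest(events)
    rows = [
        {
            "destip": dest,
            "condition": len(v["message"]),
            "message": sorted(v["message"]),
            "srcip": sorted(v["srcip"]),
        }
        for dest, v in by_dest.items()
        if len(v["message"]) >= min_types
    ]
    rows.sort(key=lambda r: (-r["condition"], r["destip"]))
    return rows


if __name__ == "__main__":
    for row in rank_targets(parse_log(SAMPLE_LOG), min_types=2):
        print(f'{row["destip"]}: {row["condition"]} attack types '
              f'{row["message"]} from {row["srcip"]}')
```

Running it lists 192.0.2.5 first (three distinct attack types) and 192.0.2.7 second; 192.0.2.9 is dropped by the threshold. Swapping `destip` for `srcip` in `attack_types_by_dest` gives the source-side view from the first answer.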