Splunk Search

How do I find top 10 ports used by attackers?

New Member

I'm not using Regex. There are over 370,00 events, and the payload of the data reads like this:

payload: {"attackerPort": 4031, "victimPort": 8080, "victimIP": "", "attackerIP": "222.486.21.184", "connectionType":

Tags (1)
0 Karma

Ultra Champion
| makeresults 
| eval _raw="{\"payload\": {\"attackerPort\": 4031, \"victimPort\": 8080, \"victimIP\": \"\", \"attackerIP\": \"222.486.21.184\", \"connectionType\": \"initial\"}}"
| spath
| fields - _*
`comment("the logic is blow")` 
| rename payload.* as *
| table attackerPort victimPort victimIP attackerIP
| eventstats count as attackerPort_count by attackerPort
| eventstats count as victimPort_count by victimPort
| eventstats count as victimIP_count by victimIP
| eventstats count as attackerIP_count by attackerIP
| sort 10 - attackerPort_count

I think that top is certainly good.
However, it might be nice to have other information.

0 Karma

New Member

I run those 12 commands seperately, or as one? And do I need the source and sourcetype?

0 Karma

Ultra Champion

First of all, please copy and run all of them.
Erase once
Then add a comment below to your query and run it

0 Karma

Esteemed Legend

Use KV_MODE = json for your sourcetype on your Search Head and you will get all of those fields extracted for free. Then depending on what you mean, start with this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"

Then do either this:

| top 10 victimPort

Or this:

| top 10 attackerPort
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...