How to create a host scanning report to count the number of IPs an external IP has connected to within 1 minute?

ststephe
Engager

I don't know if this has been answered in another question, but I'm trying to run a report for external IPs that have scanned our network. I'm indexing our full packet capture solution. My problem is that my criterion for a scan is one external IP that has connected to more than let's say 100 internal IPs in say under 1 minute.

So basically I'm asking, how do I create a report where I want to count the number of IPs where one field in one event is another field of 100 other events where the difference in a 3rd field (timestamp) in those 100 events is less than a certain value (1 minute). Could someone give me an idea on how to solve this please?

1 Solution

justinatpnnl
Communicator

What about something like this?

... your search for scan data ... | bucket _time span=1m | stats dc(internal_ip) as connected_ips by _time, external_ip | search connected_ips >= 100

ststephe
Engager

I'm still a little new to Splunk searches, so I'm not quite sure I understand this search. You bucket all events that span 1 minute, then count all internal_ip (not sure what as does or the comma) using _time as an input and declaring connected_ips as a variable somehow? Then searching that value for all values greater than 100? As a programmer I'm thinking more of a foreach loop of some kind, which I also don't really understand in Splunk, that then goes through each external IP and counts the number of events with a different internal IP in the span of 1 minute and returns that external IP and count of events so I can put it in a pie chart.

Could you please help me with this search.


justinatpnnl
Communicator

No problem, I'll explain what I was thinking and see if it matches up with what you wanted to accomplish.

First: | bucket _time span=1m

This takes all of your events and essentially rounds their timestamps down to the current minute. This gives all of your events that occurred within the same minute a common _time field.

Next: | stats dc(internal_ip) as connected_ips by _time, external_ip

The stats command allows you to perform operations on your data like count, average, or in this case: distinct count. Basically I'm telling it to give you a count of the unique internal IP addresses, using as to give it a new field name called connected_ips. Using by we tell the results to be grouped by _time (which is now grouped into one minute intervals) and external_ip.

The comma separating the two by fields is optional, I just like to use it for readability.

Finally: | search connected_ips >= 100

Now we tell Splunk to take the previous data and only show the results that talked to 100+ internal IPs. You should now have a result that lists the _time, external_ip, and the number of internal IPs that they connected to.

Does that match with what you were shooting for?

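The three-stage pipeline explained above (floor timestamps to the minute, distinct-count internal hosts per minute and external IP, keep groups at or above the threshold) can be reproduced outside Splunk to see exactly what each stage does. The following is an added Python example written for this page, not code from the thread or from Splunk. It runs the same logic over constructed sample records (the IP addresses and timestamps are made up), and it also adds a sliding one-minute window, which is not in the original search: a fixed `span=1m` bucket can split a scan that straddles a minute boundary into two groups that each fall below the threshold, and the sliding window shows that case.

```python
"""Horizontal-scan detection: fixed 1m buckets (as in the SPL) vs. a sliding 1m window."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# A record is (_time, external_ip, internal_ip).
Record = tuple[datetime, str, str]


def parse_line(line: str) -> Record:
    """Parse one constructed log line of the form '<ISO-8601 time> <external_ip> <internal_ip>'."""
    ts, ext, internal = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ext, internal


def bucket_minute(ts: datetime) -> datetime:
    """Equivalent of `| bucket _time span=1m`: round the timestamp down to the minute."""
    return ts.replace(second=0, microsecond=0)


def fixed_bucket_scan(records, threshold: int = 100):
    """Equivalent of `| stats dc(internal_ip) as connected_ips by _time, external_ip
    | search connected_ips >= threshold`. Returns (bucket, external_ip, connected_ips)."""
    groups = defaultdict(set)  # (bucket, external_ip) -> set of internal IPs
    for ts, ext, internal in records:
        groups[(bucket_minute(ts), ext)].add(internal)
    return sorted(
        (bucket, ext, len(hosts))
        for (bucket, ext), hosts in groups.items()
        if len(hosts) >= threshold
    )


def sliding_window_scan(records, window: timedelta = timedelta(minutes=1), threshold: int = 100):
    """Peak number of distinct internal hosts each external IP touched inside ANY
    `window`-long span (window is (ts - window, ts]). Catches scans that straddle a
    bucket boundary, which the fixed-bucket version above can miss."""
    by_ext = defaultdict(list)
    for ts, ext, internal in records:
        by_ext[ext].append((ts, internal))
    hits = {}
    for ext, events in by_ext.items():
        events.sort()
        in_window = Counter()  # internal_ip -> number of events currently inside the window
        left = 0
        peak = 0
        for ts, internal in events:
            in_window[internal] += 1
            while events[left][0] < ts - window:  # evict events that fell out of the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[ext] = peak
    return hits


def _constructed_lines():
    """Constructed sample data (not real traffic). Addresses are documentation ranges."""
    base = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # Scanner A: 120 distinct internal hosts in 40 seconds, all inside the 12:00 minute.
    for i in range(120):
        lines.append(f"{fmt(base + timedelta(seconds=i // 3))} 203.0.113.7 10.0.0.{i}")
    # Scanner B: 160 hosts in 40 seconds, but 80 fall in 12:01:40-12:01:59 and 80 in
    # 12:02:00-12:02:19, so neither fixed bucket reaches 100.
    for i in range(160):
        lines.append(f"{fmt(base + timedelta(minutes=1, seconds=40 + i // 4))} 198.51.100.9 10.0.1.{i}")
    # Benign partner: many connections, but only 3 distinct internal hosts.
    for i in range(30):
        lines.append(f"{fmt(base + timedelta(seconds=i))} 192.0.2.44 10.0.2.{i % 3}")
    return lines


RECORDS = [parse_line(line) for line in _constructed_lines()]

if __name__ == "__main__":
    for bucket, ext, n in fixed_bucket_scan(RECORDS):
        print(f"fixed  {bucket:%H:%M} {ext} connected_ips={n}")
    for ext, n in sliding_window_scan(RECORDS).items():
        print(f"sliding {ext} peak_connected_ips={n}")
```

On the constructed data the fixed-bucket pass (the SPL as posted) reports only 203.0.113.7, while the sliding window also reports 198.51.100.9; whether that miss matters depends on how tight the threshold and window are relative to real scanner speeds, and a common compromise in SPL is to lower the threshold or widen the span rather than implement a sliding window.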

ststephe
Engager

Thank you for the help, that makes much more sense.


justinatpnnl
Communicator

You bet. Does that accomplish what you were trying to do?


ststephe
Engager

Yes, it does. Thank you very much.
