I don't know if this has been answered in another question, but I'm trying to run a report for external IPs that have scanned our network. I'm indexing our full packet capture solution. My problem is that my criterion for a scan is one external IP that has connected to more than let's say 100 internal IPs in say under 1 minute.
So basically I'm asking, how do I create a report where I want to count the number of IPs where one field in one event is another field of 100 other events where the difference in a 3rd field (timestamp) in those 100 events is less than a certain value (1 minute). Could someone give me an idea on how to solve this please?
What about something like this?
... your search for scan data ... | bucket _time span=1m | stats dc(internal_ip) as connected_ips by _time, external_ip | search connected_ips >= 100
I'm still a little new to Splunk searches so I'm not quite sure I understand this search. You bucket all events that span 1 minute, then count all internal_ip (not sure what as does or the comma) using _time as an input and declaring connected_ips as a variable somehow? Then searching that value for all values greater than 100? As a programmer I'm thinking more of a foreach loop of some kind, which I also don't really understand in Splunk, that counts through each external IP and counts the number of events with a different internal IP in the span of 1 minute and returns that external IP and count of events so I can put it in a pie chart.
Could you please help me with this search.
No problem, I'll explain what I was thinking and see if it matches up with what you wanted to accomplish.
| bucket _time span=1m
This takes all of your events and essentially rounds their timestamps down to the current minute. This allows you to have a common field _time for all of your events that occurred within the same minute.
| stats dc(internal_ip) as connected_ips by _time, external_ip
The stats command allows you to perform operations on your data like count, average, or in this case: distinct count. Basically I'm telling it to give you a count of the unique internal IP addresses, using as to give it a new field name called connected_ips. Using by we tell the results to be grouped by _time (which is now grouped into one minute intervals) and external_ip. The comma separating the two by fields is optional, I just like to use it for readability.
| search connected_ips >= 100
Now we tell Splunk to take the previous data and only show the results that talked to 100+ internal IPs. You should now have a result that lists the time, external_ip, and the number of internal IPs that they connected to.
Does that match with what you were shooting for?
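The same detection expressed as plain code, as an added example (not from either poster): `bucketed_scanners` mirrors the bucket/stats/search pipeline above, and `sliding_scanners` implements the "any 60-second window" reading of the original question that the asker described as a foreach loop. The events and IP addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, external_ip, internal_ip).
BASE = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = []
# Scanner A: 120 distinct internal hosts, all inside the 12:00 minute.
EVENTS += [(BASE + timedelta(seconds=i % 50), "203.0.113.5", f"10.0.0.{i}") for i in range(120)]
# Scanner B: 120 distinct hosts within 59 seconds, but straddling the 12:05/12:06 boundary.
EVENTS += [(BASE + timedelta(minutes=5, seconds=30 + i // 2), "198.51.100.77", f"10.1.0.{i}")
           for i in range(120)]
# Benign client C: three hosts, ten seconds apart.
EVENTS += [(BASE + timedelta(seconds=10 * i), "198.51.100.9", f"10.2.0.{i}") for i in range(3)]

THRESHOLD = 100
WINDOW = timedelta(minutes=1)


def bucketed_scanners(events, threshold=THRESHOLD):
    """Mirror of: bucket _time span=1m | stats dc(internal_ip) as connected_ips by _time, external_ip
    | search connected_ips >= threshold.  Returns {(minute, external_ip): distinct_count}."""
    seen = defaultdict(set)
    for ts, ext, internal in events:
        minute = ts.replace(second=0, microsecond=0)  # span=1m: round down to the minute
        seen[(minute, ext)].add(internal)  # a set gives the distinct count for free
    return {key: len(hosts) for key, hosts in seen.items() if len(hosts) >= threshold}


def sliding_scanners(events, threshold=THRESHOLD, window=WINDOW):
    """Stricter reading of the question: any span shorter than `window` in which one
    external_ip reaches `threshold` distinct internal_ips.  Returns {external_ip: max_count}."""
    by_ext = defaultdict(list)
    for ts, ext, internal in events:
        by_ext[ext].append((ts, internal))
    hits = {}
    for ext, rows in by_ext.items():
        rows.sort()  # sliding window needs time order per external IP
        in_window = defaultdict(int)  # internal_ip -> events currently inside the window
        left, best = 0, 0
        for ts, internal in rows:
            in_window[internal] += 1
            while ts - rows[left][0] >= window:  # evict events that fell out of the window
                old = rows[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[ext] = best
    return hits
```

Fixed one-minute buckets can split a scan that straddles a minute boundary into two sub-threshold halves, as the second constructed scanner shows; only the sliding window flags it, so pick the bucket span a little shorter than the behaviour you want to catch or accept that trade-off.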
Thank you for the help, that makes much more sense.
You bet. Does that accomplish what you were trying to do?