
How to create a real-time map of attacks by Source IP?

kmedina1
Explorer

I would like to create a live map similar to the one at Norse: http://map.norsecorp.com.

Below is the search that I have, but it only works for Relative time, not Real-Time. Why is that? Also, I don't want to aggregate by Count, but rather, display the latest attacks and have them disappear as new attacks come in. How could I achieve that?

sourcetype=fortios5_ips | iplocation source_ip | stats count by attack, source_ip, destination_ip, lat, lon, City, Country, Region | where Country!="United States" | geostats globallimit=5 latfield=lat longfield=lon count by Country
0 Karma
1 Solution

hagjos43
Contributor

Not sure why your realtime search wouldn't work. It could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (i.e. city/country/etc.). A realtime search will show that information for the given time range, so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suit your needs better. Someone else might have a better solution, but that's how we do it here.


0 Karma
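To make the timing in the accepted answer concrete, here is an added Python model (not Splunk code and not from the original thread) of two map behaviours: the sliding-window count that `geostats count by Country` produces in a real-time search, and the "latest attacks only" view the question asks for. The events, IPs and countries are constructed to match the France timeline above.

```python
from datetime import datetime, timedelta

def t(hhmm):
    """Build a timestamp on a fixed (constructed) day from an 'HH:MM' string."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample events (hypothetical IPs/countries, not data from the thread):
# one attacker in France firing an IPS event every minute from 9:01 to 9:09,
# then a single hit from Brazil at 9:20.
EVENTS = [(t(f"09:{m:02d}"), "203.0.113.7", "France") for m in range(1, 10)]
EVENTS.append((t("09:20"), "198.51.100.9", "Brazil"))

def window_counts(events, now, window):
    """Model of `... | geostats count by Country` in a real-time search whose
    window ends at `now`: every event still inside the window contributes to
    the count, so a country stays on the map until its LAST event ages out,
    not when the attack stops."""
    start = now - window
    counts = {}
    for ts, _ip, country in events:
        if start <= ts <= now:
            counts[country] = counts.get(country, 0) + 1
    return counts

def latest_attacks(events, now, n):
    """Model of the view the question asks for: only the n most recent distinct
    source IPs seen up to `now`, so older attackers drop off as new ones arrive
    instead of lingering for a whole window."""
    seen, out = set(), []
    for ts, ip, country in sorted((e for e in events if e[0] <= now), reverse=True):
        if ip in seen:
            continue
        seen.add(ip)
        out.append((ip, country))
        if len(out) == n:
            break
    return out

if __name__ == "__main__":
    # 30-minute window: France is still on the map at 9:31 although it stopped at 9:09.
    print(window_counts(EVENTS, t("09:31"), timedelta(minutes=30)))
    # 5-minute window: France has already disappeared by 9:15.
    print(window_counts(EVENTS, t("09:15"), timedelta(minutes=5)))
    # "Latest attacks" view at 9:31 showing the single most recent attacker.
    print(latest_attacks(EVENTS, t("09:31"), 1))
```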

ChrisG
Splunk Employee

This is not really an answer to your specific question about your search, but I am supplying this information for future readers who might look here for general information about building a map of attacks by source IP. There is a scenario-based tutorial in the Splunk Enterprise documentation, complete with sample data, that walks through how to build a dashboard that includes a drilldown map showing an attacker's IP address location, populated dynamically by clicking on an IP address in the dashboard.

kmedina1
Explorer

Well, now it seems to be detecting events; I did change the script a little bit. Even though I got 57 events in the last 30 minutes on Real-Time, I barely see them displayed in the map (only 5 are represented, map attached). Do you know why that is?

sourcetype=fortios5* | eval source_ip_address=case(sourcetype=="fortios5_ips", source_ip, sourcetype=="fortios5_webfilter", dstip, sourcetype=="fortios5_virus", dstip, sourcetype=="fortios5_app-ctrl", destination_ip) | iplocation source_ip_address | stats count by attack, source_ip_address, lat, lon, City, Country, Region | geostats globallimit=0 locallimit=0 latfield=lat longfield=lon count by City

0 Karma

Shabalala9
New Member

what program are you using and what program language

0 Karma
