Splunk Search

How to create a real-time map of attacks by Source IP?

kmedina1
Explorer

I would like to create a live map similar to the one at Norse: http://map.norsecorp.com.

Below is the search that I have, but it only works for Relative time, not Real-Time. Why is that? Also, I don't want to aggregate by Count, but rather, display the latest attacks and have them disappear as new attacks come in. How could I achieve that?

sourcetype=fortios5_ips | iplocation source_ip | stats count by attack, source_ip, destination_ip, lat, lon, City, Country, Region | where Country!="United States" | geostats globallimit=5 latfield=lat longfield=lon count by Country
0 Karma
1 Solution

hagjos43
Contributor

Not sure why your realtime search wouldn't work. It Could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (ie city/country/etc). A realtime search will show that information for the given time range so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suite your needs better. Someone else might have a better solution but that's how we do it here.

View solution in original post

0 Karma

ChrisG
Splunk Employee
Splunk Employee

This is not really an answer to your specific question about your search, but I am supplying this information for future readers who might look here for general information about building a map of attacks by source IP. There is a scenario-based tutorial in the Splunk Enterprise documentation, complete with sample data, that walks through how to build a dashboard that includes a drilldown map showing an attacker's IP address location, populated dynamically by clicking on an IP address in the dashboard.

kmedina1
Explorer

Well, now it seems to be detecting events, I did changed the script a little bit. Even do I got 57 events in the last 30 minutes on alt textReal-Time, I barely see them displayed in the map (only 5 are represented, map attached). Do you know why is that?

sourcetype=fortios5* | eval source_ip_address=case(sourcetype=="fortios5_ips", source_ip, sourcetype=="fortios5_webfilter", dstip, sourcetype=="fortios5_virus", dstip, sourcetype=="fortios5_app-ctrl", destination_ip) | iplocation source_ip_address | stats count by attack, source_ip_address, lat, lon, City, Country, Region | geostats globallimit=0 locallimit=0 latfield=lat longfield=lon count by City

0 Karma

Shabalala9
New Member

what program are you using and what program language

0 Karma

hagjos43
Contributor

Not sure why your realtime search wouldn't work. It Could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (ie city/country/etc). A realtime search will show that information for the given time range so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suite your needs better. Someone else might have a better solution but that's how we do it here.

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...