Splunk Search

How to create a real-time map of attacks by Source IP?

kmedina1
Explorer

I would like to create a live map similar to the one at Norse: http://map.norsecorp.com.

Below is the search that I have, but it only works for Relative time, not Real-Time. Why is that? Also, I don't want to aggregate by Count, but rather, display the latest attacks and have them disappear as new attacks come in. How could I achieve that?

sourcetype=fortios5_ips | iplocation source_ip | stats count by attack, source_ip, destination_ip, lat, lon, City, Country, Region | where Country!="United States" | geostats globallimit=5 latfield=lat longfield=lon count by Country
0 Karma
1 Solution

hagjos43
Contributor

Not sure why your realtime search wouldn't work. It Could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (ie city/country/etc). A realtime search will show that information for the given time range so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suite your needs better. Someone else might have a better solution but that's how we do it here.

View solution in original post

0 Karma

ChrisG
Splunk Employee
Splunk Employee

This is not really an answer to your specific question about your search, but I am supplying this information for future readers who might look here for general information about building a map of attacks by source IP. There is a scenario-based tutorial in the Splunk Enterprise documentation, complete with sample data, that walks through how to build a dashboard that includes a drilldown map showing an attacker's IP address location, populated dynamically by clicking on an IP address in the dashboard.

kmedina1
Explorer

Well, now it seems to be detecting events, I did changed the script a little bit. Even do I got 57 events in the last 30 minutes on alt textReal-Time, I barely see them displayed in the map (only 5 are represented, map attached). Do you know why is that?

sourcetype=fortios5* | eval source_ip_address=case(sourcetype=="fortios5_ips", source_ip, sourcetype=="fortios5_webfilter", dstip, sourcetype=="fortios5_virus", dstip, sourcetype=="fortios5_app-ctrl", destination_ip) | iplocation source_ip_address | stats count by attack, source_ip_address, lat, lon, City, Country, Region | geostats globallimit=0 locallimit=0 latfield=lat longfield=lon count by City

0 Karma

Shabalala9
New Member

what program are you using and what program language

0 Karma

hagjos43
Contributor

Not sure why your realtime search wouldn't work. It Could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (ie city/country/etc). A realtime search will show that information for the given time range so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suite your needs better. Someone else might have a better solution but that's how we do it here.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...