Splunk Search

How to create a real-time map of attacks by Source IP?

kmedina1
Explorer

I would like to create a live map similar to the one at Norse: http://map.norsecorp.com.

Below is the search that I have, but it only works for Relative time, not Real-Time. Why is that? Also, I don't want to aggregate by Count, but rather, display the latest attacks and have them disappear as new attacks come in. How could I achieve that?

sourcetype=fortios5_ips | iplocation source_ip | stats count by attack, source_ip, destination_ip, lat, lon, City, Country, Region | where Country!="United States" | geostats globallimit=5 latfield=lat longfield=lon count by Country
0 Karma
1 Solution

hagjos43
Contributor

Not sure why your realtime search wouldn't work. It Could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (ie city/country/etc). A realtime search will show that information for the given time range so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suite your needs better. Someone else might have a better solution but that's how we do it here.

View solution in original post

0 Karma

ChrisG
Splunk Employee
Splunk Employee

This is not really an answer to your specific question about your search, but I am supplying this information for future readers who might look here for general information about building a map of attacks by source IP. There is a scenario-based tutorial in the Splunk Enterprise documentation, complete with sample data, that walks through how to build a dashboard that includes a drilldown map showing an attacker's IP address location, populated dynamically by clicking on an IP address in the dashboard.

kmedina1
Explorer

Well, now it seems to be detecting events, I did changed the script a little bit. Even do I got 57 events in the last 30 minutes on alt textReal-Time, I barely see them displayed in the map (only 5 are represented, map attached). Do you know why is that?

sourcetype=fortios5* | eval source_ip_address=case(sourcetype=="fortios5_ips", source_ip, sourcetype=="fortios5_webfilter", dstip, sourcetype=="fortios5_virus", dstip, sourcetype=="fortios5_app-ctrl", destination_ip) | iplocation source_ip_address | stats count by attack, source_ip_address, lat, lon, City, Country, Region | geostats globallimit=0 locallimit=0 latfield=lat longfield=lon count by City

0 Karma

Shabalala9
New Member

what program are you using and what program language

0 Karma

hagjos43
Contributor

Not sure why your realtime search wouldn't work. It Could be your timerange not detecting any events.

I believe the geostats command relies on the count to indicate the number of hits per geographical category (ie city/country/etc). A realtime search will show that information for the given time range so say something like this happens (let's assume your realtime search is for a 30 minute window):
1. Attack from France begins at 9:01am
2. Your dashboard panel shows an attack appear in France
3. Attack ceases at 9:09
4. France remains on your dashboard through 9:31

To get around this you can shorten your real-time search time range. Something like 5 minutes or even 60 seconds might suite your needs better. Someone else might have a better solution but that's how we do it here.

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!