Solved: Re: How to search for Top 2-way communicators usin...

jcrochon · ‎07-23-2018

Hello all,

I have some IDS alerts "top src_ip,dest_ip" in which I want to see if the dest_ip is contacting the src_ip's. This would lead me to investigate the communications between the 2 IP's, else if the dest_ip is not communicating back, I would ignore and move on.

Top Src_IP (Internet)   ->    Top Dest_IP (Local) | HitCount
**1.2.3.4**  ->  192.168.1.2  | 254
**4.3.2.1**  ->  192.168.1.4  | 245

Lookup Table (Src_IP)
**1.2.3.4**
**4.3.2.1**

Search question: Is the Top Dest_IP's (Local) contacting back to Lookup Table Src_IP's (Internet):

Top Dest_IP (*aka new Src_IP*) -> Top Src_IP (* aka new Dest_IP*) | HitCount
192.168.1.2 -> **1.2.3.4** | 20
192.168.1.4 -> **4.3.2.1** | 30

I have been working with something like this: source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest | table src_ip ] | top dest_ip,src_ip

I'm not getting any results -- I humbly assume it's my error -- I should be seeing some communication back.

Please double-check my design and thank you for all the help.

somesoni2 · ‎07-23-2018

Give this a try

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip

View solution in original post

jcrochon · ‎07-23-2018

Added swap of src_ip as new destination:

somesoni2 · ‎07-23-2018

Your rename command should rename the field according to the name it's available in your logs (the field name in your logs (source="/var/log/alerts.log") is src_ip and dest_ip, so the subsearch should return field either src_ip or dest_ip.

jcrochon · ‎07-23-2018

Thank you for the clarification. I need to learn more about how searching works. I was trying to use temp vars as in programming.

somesoni2 · ‎07-23-2018

Give this a try

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip

jcrochon · ‎07-24-2018

One caveat, remove the dest_ip="192.168.*" from the secondary search due to search collisions, such as src_ip="192.168.*" && dest_ip="192.168.*"

source="/var/log/alerts.log" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip

jcrochon · ‎07-24-2018

Added better stats (single src to multiple dest):

jcrochon · ‎07-24-2018

That worked as expected. I would like to give you credit if you can make this an answer instead of a comment.

somesoni2 · ‎07-24-2018

Here you go.

How to search for Top 2-way communicators using top src_ip,dest_ip to find top dest_ip,src_ip?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms