I am performing a search on firewall logs and looking for hosts that are scanning our servers. I would like to capture only 20 of the servers that are being scanned by a single host, and the ports that are being scanned, and email alerts to the response team.
searchquery | stats count AS NoConnections,values(destip) AS DestinationIP,
dc(destip) AS NoDestinations,
values(destport) AS PORTS,
dc(destport) AS NoPorts by srcip
| rename srcip AS SourceIP
| search NoDestinations > 500 AND NoPorts > 100
| eval DestinationIP=mvindex(DestinationIP,0,19)
| eval PORTS=mvindex(PORTS,0,19)
I have managed to reduce the number of mv field values; however, I don't know how to show that this is a truncated list. The alert function will include all the values in the email; however, I would like the web search to show only a limited number of values and to show [and xxx more values] at the end.
The above eval should look for dcfield values greater than 20, use mvindex to get the first 20 (note: the index begins at 0, so 0-19) and then append "..." or "TRUNCATED" or whatever. If dcfield<=19 then field=field.
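The following is an added worked example, not code from the original post: it reproduces the stats/threshold logic of the SPL search above in plain Python over a constructed set of firewall log lines, so the truncation rule (first 20 values, then a "[and N more values]" trailer, list left untouched when it is already short enough) can be run and checked offline. The log format, host addresses, and the lowered thresholds used for the sample are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample log lines (not real traffic): "srcip destip destport".
# 10.0.0.5 sweeps 25 hosts on 30 ports; 10.0.0.9 is ordinary HTTPS traffic.
SAMPLE_LOGS = [
    f"10.0.0.5 192.168.1.{host} {port}"
    for host in range(1, 26)
    for port in range(1, 31)
] + [
    "10.0.0.9 192.168.1.10 443",
    "10.0.0.9 192.168.1.11 443",
    "10.0.0.9 192.168.1.10 443",
]


def parse_line(line):
    """Split one 'srcip destip destport' line into its three fields (all strings)."""
    srcip, destip, destport = line.split()
    return srcip, destip, destport


def aggregate(lines):
    """Mirror: stats count, values(destip), dc(destip), values(destport), dc(destport) by srcip."""
    per_src = defaultdict(lambda: {"count": 0, "destip": set(), "destport": set()})
    for line in lines:
        srcip, destip, destport = parse_line(line)
        row = per_src[srcip]
        row["count"] += 1
        row["destip"].add(destip)
        row["destport"].add(destport)
    rows = {}
    for srcip, row in per_src.items():
        # values() returns the distinct values in lexicographic order, so sort the strings.
        rows[srcip] = {
            "NoConnections": row["count"],
            "DestinationIP": sorted(row["destip"]),
            "NoDestinations": len(row["destip"]),
            "PORTS": sorted(row["destport"]),
            "NoPorts": len(row["destport"]),
        }
    return rows


def truncate_values(values, limit=20):
    """Keep the first `limit` values; append a '[and N more values]' trailer if any were cut.

    Mirrors the SPL: if(mvcount(f) > limit, mvappend(mvindex(f, 0, limit-1), trailer), f).
    mvindex is inclusive and 0-based, so 0..limit-1 keeps exactly `limit` values.
    """
    extra = len(values) - limit
    if extra <= 0:
        return list(values)
    return list(values[:limit]) + [f"[and {extra} more values]"]


def find_scanners(lines, min_dests=500, min_ports=100, limit=20):
    """Apply the thresholds and return one result row per scanning source."""
    results = []
    for srcip, row in sorted(aggregate(lines).items()):
        if row["NoDestinations"] > min_dests and row["NoPorts"] > min_ports:
            results.append({
                "SourceIP": srcip,
                "NoConnections": row["NoConnections"],
                "NoDestinations": row["NoDestinations"],
                "NoPorts": row["NoPorts"],
                "DestinationIP": truncate_values(row["DestinationIP"], limit),
                "PORTS": truncate_values(row["PORTS"], limit),
            })
    return results


if __name__ == "__main__":
    # Thresholds lowered so the small constructed sample trips the rule.
    for r in find_scanners(SAMPLE_LOGS, min_dests=20, min_ports=20):
        print(r["SourceIP"], r["NoDestinations"], "hosts,", r["NoPorts"], "ports")
        print("  ", ", ".join(r["DestinationIP"]))
        print("  ", ", ".join(r["PORTS"]))
```

The same rule in SPL, placed after the `search` line of the query above instead of the two mvindex evals, is `| eval DestinationIP=if(NoDestinations>20, mvappend(mvindex(DestinationIP,0,19), "[and ".tostring(NoDestinations-20)." more values]"), DestinationIP)` (and likewise for PORTS with NoPorts); the `if` leaves short lists unchanged, and because the alert action still sees the full field only if the eval is omitted, put the eval in the dashboard search rather than in the saved alert search.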