Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Query about Port Scanning attack attempts

zeeshantayyab
Loves-to-Learn
‎04-28-2022 12:18 AM

Hi Team,

Please help me out in this case.

I am searching the Port Scanning attack attempts by the following query.

Spoiler
index="firewall" | stats dc(destination_port) as pcount by source_ip | where pcount > 500

It Shows me the results in forms only like sorce_ip is 145.132.11.11 and count 777.

But I want the results in the form of 

Sorce_ip      sorce_port     destination_ip      destnation_port      pcount

So what will be the query in this regard? Waiting for your kind reply.

Labels (3)
0 Karma
Reply

zeeshantayyab
Loves-to-Learn
‎04-28-2022 12:37 AM

hi @gcusello 

Thanks for helping me. please guide me more on how we can add the destination IP as well in this query.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-28-2022 02:57 AM

Hi @zeeshantayyab,

you could add also the destination_ip to the search using values:

index="firewall" 
| stats dc(destination_port) as pcount values(destination_ip) AS destination_ip values(destination_port) AS destination_port by source_ip 
| where pcount > 500

but in this way you have a few readable dashboard, my hint is to create a simple main search

index="firewall" 
| stats dc(destination_port) as pcount by source_ip 
| where pcount > 500

then you can configure a drilldown in another panel of the same dashboard or in another dashboard where there's the details of your connections:

index="firewall" source_ip=$source_ip$
| stats values(destination_port) AS destination_port by destination_ip

if you need help in drilldown configuration you can see in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/) how to do this.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-28-2022 12:23 AM

Hi @zeeshantayyab,

I think that it isn't so readable, but you could a values option to your search, something like this:

index="firewall" 
| stats dc(destination_port) as pcount values(destination_port) AS destination_port by source_ip 
| where pcount > 500

probably the best approach is to have a main panel with your search and, with a click, a drilldown in another panel or another dashboard with the details of al destination port and other information.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...