Hi Team,
Please help me out in this case.
I am searching for port scanning attack attempts with the following query.
It shows me the results only in the form of source_ip 145.132.11.11 and pcount 777.
But I want the results in the form of
source_ip source_port destination_ip destination_port pcount
So what will be the query in this regard? Waiting for your kind reply.
Hi @gcusello,
Thanks for helping me. Please guide me further on how we can also add the destination IP to this query.
Hi @zeeshantayyab,
you could also add the destination_ip to the search using values:
index="firewall"
| stats dc(destination_port) as pcount values(destination_ip) AS destination_ip values(destination_port) AS destination_port by source_ip
| where pcount > 500
but in this way you have a less readable dashboard; my hint is to create a simple main search
index="firewall"
| stats dc(destination_port) as pcount by source_ip
| where pcount > 500
then you can configure a drilldown in another panel of the same dashboard or in another dashboard where there are the details of your connections:
index="firewall" source_ip=$source_ip$
| stats values(destination_port) AS destination_port by destination_ip
if you need help with drilldown configuration, you can see how to do this in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/).
Ciao.
Giuseppe
Hi @zeeshantayyab,
I think that it isn't so readable, but you could add a values option to your search, something like this:
index="firewall"
| stats dc(destination_port) as pcount values(destination_port) AS destination_port by source_ip
| where pcount > 500
probably the best approach is to have a main panel with your search and, with a click, a drilldown in another panel or another dashboard with the details of all destination ports and other information.
Ciao.
Giuseppe
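As an added illustration (not part of either reply above, and not Splunk code), the following Python reproduces what both of Giuseppe's searches compute and what the question asked for, over a constructed firewall log: the per-source summary (`stats dc(destination_port) as pcount values(...) by source_ip | where pcount > 500`), the per-source drilldown (`stats values(destination_port) by destination_ip`), and the flat one-row-per-connection layout with pcount attached. The key=value line format, the IP addresses and the port sweep are all assumptions made up for the example; the field names are the ones used in the thread.

```python
import re
from collections import defaultdict


def build_sample_log():
    """Constructed firewall events in key=value form (not real traffic)."""
    lines = []
    # 145.132.11.11 sweeps TCP ports 1..777 on one host: the "pcount 777" case.
    for port in range(1, 778):
        lines.append(f"source_ip=145.132.11.11 source_port={40000 + port} "
                     f"destination_ip=10.0.0.5 destination_port={port}")
    # The same scanner also touches a second host on ports it already used,
    # so the distinct-port count stays at 777 but a second target appears.
    for port in (22, 80, 443):
        lines.append(f"source_ip=145.132.11.11 source_port={50000 + port} "
                     f"destination_ip=10.0.0.6 destination_port={port}")
    # A normal client repeatedly using two services: only 2 distinct ports.
    for sport, dport in ((51001, 443), (51002, 443), (51003, 80), (51004, 443)):
        lines.append(f"source_ip=10.1.1.20 source_port={sport} "
                     f"destination_ip=10.0.0.5 destination_port={dport}")
    return lines


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict; ports become ints."""
    event = dict(KV_RE.findall(line))
    for key in ("source_port", "destination_port"):
        event[key] = int(event[key])
    return event


def summarize_by_source(events, threshold=500):
    """Same result as: stats dc(destination_port) AS pcount
    values(destination_ip) values(destination_port) by source_ip
    | where pcount > threshold.  One row per flagged source."""
    ports = defaultdict(set)
    dests = defaultdict(set)
    for e in events:
        ports[e["source_ip"]].add(e["destination_port"])
        dests[e["source_ip"]].add(e["destination_ip"])
    return {
        src: {"pcount": len(ports[src]),
              "destination_ip": sorted(dests[src]),
              "destination_port": sorted(ports[src])}
        for src in ports if len(ports[src]) > threshold
    }


def drilldown(events, source_ip):
    """Same result as the drilldown search: source_ip=$source_ip$
    | stats values(destination_port) AS destination_port by destination_ip."""
    by_dest = defaultdict(set)
    for e in events:
        if e["source_ip"] == source_ip:
            by_dest[e["destination_ip"]].add(e["destination_port"])
    return {dst: sorted(p) for dst, p in sorted(by_dest.items())}


def flat_rows(events, threshold=500):
    """The layout the question asked for: source_ip, source_port,
    destination_ip, destination_port, pcount.  Every connection of a flagged
    source is kept, so a 777-port sweep produces hundreds of rows; that is
    the readability cost the replies warn about."""
    summary = summarize_by_source(events, threshold)
    return [
        (e["source_ip"], e["source_port"], e["destination_ip"],
         e["destination_port"], summary[e["source_ip"]]["pcount"])
        for e in events if e["source_ip"] in summary
    ]


if __name__ == "__main__":
    events = [parse_event(line) for line in build_sample_log()]
    flagged = summarize_by_source(events)
    for src, info in flagged.items():
        print(src, "pcount", info["pcount"], "targets", info["destination_ip"])
        for dst, ports in drilldown(events, src).items():
            print("   ", dst, len(ports), "distinct ports, lowest", ports[:5])
    print(len(flat_rows(events)), "rows in the flat layout")
```

Running it flags only 145.132.11.11 (pcount 777, two targets) and shows that the flat layout turns that single summary row into 780 rows, one per connection. In SPL the flat form would need an `eventstats` rather than `stats`, because `stats` collapses the events; the summary-plus-drilldown split the replies recommend avoids that row explosion while keeping the detail one click away.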