Splunk Search

Using nested tstats to detect foreign ip and then search in traffic for connections between foreign ip and local

el666nino
Loves-to-Learn Everything

hello , i want to detect foreign ip at first step, then search in traffic for connections between foreign ip and other local ips.

 

| tstats `security_content_summariesonly` values(All_Traffic.src_ip) AS src values(All_Traffic.dest_ip) AS dest values(All_Traffic.dest_ip_Country) AS dest_country values(All_Traffic.src_ip_Country) AS src_country from datamodel=Network_Traffic  by _time
| eval attacker=if(src_country="","$src$","$dest$")
| search 
    [ 
    | tstats count from datamodel=Network_Traffic WHERE (All_Traffic.src_ip=attacker OR All_Traffic.dest_ip=attacker)  by _time
    ]

 

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...