I'll start with the goal of what I am trying to accomplish first. I'd like to be able to detect any source sending data out in the middle of the night (for example, 11 PM to 6 AM) by means of FTP (ports 20, 21, 69) with a specific amount of data (x MB or y bytes) using our Stream data. I'm not really sure how to build a correlation search to accomplish that, but I have a search I've built for a dashboard to attempt to track this, which I'll copy below. I'm more so looking to be able to use Enterprise Security to accomplish it.
index=stream_netflow sourcetype="stream:netflow" dest_port IN (20, 21, 69)
| stats sum(bytes_out) AS total_bytes, count AS "Event Count" BY src_ip, src_port, dest_ip, dest_port
| eval "Total MB"=round(total_bytes/1024/1024, 2)
| sort 15 -"Total MB"
Any help or ideas would be greatly appreciated!
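One way to turn the dashboard search above into an Enterprise Security correlation search, added here as an example that is not part of the original post and not taken from Splunk's shipped ES content. It assumes the same index, sourcetype and field names as the posted search (`index=stream_netflow`, `sourcetype="stream:netflow"`, `bytes_out`, `src_ip`, `dest_ip`, `dest_port`); the 50 MB threshold is a placeholder for the "x MB" in the question, and 20/21 are the FTP data and control ports while 69 is TFTP.

```spl
index=stream_netflow sourcetype="stream:netflow" dest_port IN (20, 21, 69)
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=23 OR hour<6
| stats sum(bytes_out) AS total_bytes, count AS flow_count, min(_time) AS firstTime, max(_time) AS lastTime, values(dest_port) AS dest_port BY src_ip, dest_ip
| eval total_mb=round(total_bytes/1024/1024, 2)
| where total_mb>=50
| rename src_ip AS src, dest_ip AS dest
| convert ctime(firstTime), ctime(lastTime)
| table firstTime, lastTime, src, dest, dest_port, flow_count, total_mb
```

A few design choices worth noting. The bytes are summed before rounding, and the aggregation is by source and destination host rather than by `src_port`, so a transfer that spans many ephemeral client ports is counted as one total instead of being split into many small rows that never cross the threshold. The hour filter uses `strftime(_time, "%H")`, which is evaluated in the timezone configured for the user who owns the search, so the 11 PM to 6 AM window is interpreted in that timezone; `date_hour` would instead reflect the timezone of the original event timestamp. Renaming to `src` and `dest` lets ES asset enrichment, urgency and the notable event drill-down work on the result. In ES, create a new correlation search under Content Management, paste this in as the search, and schedule it to run once shortly after 06:00 with an earliest time of `-8h@h` and a latest time of `@h`, so each run covers one full night; running it hourly with a one-hour lookback would instead apply the threshold per hour rather than per night. Add the Notable adaptive response action so each hit becomes an incident in Incident Review.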