×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dsdeepak
Explorer
Member since: ‎06-16-2020
‎10-01-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎06-16-2020
View All

Splunk query for port scan

by in Splunk Search
‎10-01-2020 10:41 AM
‎10-01-2020 10:41 AM
Hi All, I am looking for splunk query to detect vertical and horizontal port scan in the Infra. Any help in this regard will be appreciable. Here is query in layman language. Vertical Port Scan: 1. External IP performing scan on single system for multiple ports Horizontal Port Scan: 1.  External IP is scanning multiple systems for querying single port.       ... View more

Re: How to correlate events from two devices in sp...

by in Splunk Search
‎06-22-2020 04:50 AM
‎06-22-2020 04:50 AM
Thank you everyone for your answers and it was very helpful.  I have modified query  as per my requirement. However i have couple of queries. 1. what if difference between value and list fields.  2. Is it possible that i can contain these chain of events between two hosts only. 3. By using below query i am getting output as table. however is it possible that i can relate host column values with eventcodes columns values like which events in eventcodes column is bind with host value in host column. you can see table in attachment.  index=windows host=* (EventCode=4648 OR EventCode=4672 OR (EventCode=4624 AND Logon_Type=3)) Account_Name!=*$ | fields _time EventCode host Account_Name Logon_Type | streamstats time_window=120s values(EventCode) AS eventcodes dc(EventCode) AS eventcode_counts values(host) as hosts values(_raw) as raw values(Account_Name) as users values(Logon_Type) as logontype | where eventcode_counts=3 | table _time hosts eventcodes eventcode_counts users logontype ... View more

Re: How to correlate events from two devices in sp...

by in Splunk Search
‎06-21-2020 12:03 AM
1 Karma
‎06-21-2020 12:03 AM
1 Karma
Thank you..  ... View more

How to correlate events from two devices in splunk...

by in Splunk Search
‎06-16-2020 06:25 AM
‎06-16-2020 06:25 AM
Scenario: I have simulated an attack from PC1 to PC2 which has generated logs on both machines as below. Now want to create an alert where both events ID are captured in splunk in time frame of 30 sec. PC1 Log source: Windows Log Event id = 4648 PC1 Log source: Windows  Log Event id = 4624   Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-01-2020 02:15 PM
Karma from
View All
Karma given to
View All