How to achieve the "IP scanners scanning many IPs on a single port" use case?


I'm trying to work on the "IP scanners scanning many IPs on a single port" use case in Splunk:
index=firewall sourcetype="firewall_cloud" dest_port="   "
| stats count by src_ip,dest_port
| where count >3

I'm not sure which dest_port we need to use here, or whether we need to take the src_port. If needed, please edit the search.



Hi @AL3Z,

Please try the search below; it will show you any scanner host that scans many destination IP addresses on only one port.

index=firewall sourcetype="firewall_cloud" dest_port="*"
| stats dc(dest_ip) as dest_count by src_ip dest_port
| where dest_count >3
If this reply helps you, an upvote is appreciated.
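As an added example that is not part of the original thread (and not Splunk's own code), here is the aggregation the answer's search performs, run in Python over constructed key=value firewall events, with the question's count-based version computed alongside so the difference is visible. The event format, IP addresses, and function names are assumptions for illustration only; the SPL being mirrored is the one in the answer above.

```python
"""Offline equivalent of the answer's SPL:

    index=firewall sourcetype="firewall_cloud" dest_port="*"
    | stats dc(dest_ip) as dest_count by src_ip dest_port
    | where dest_count > 3

The question's original 'stats count by src_ip,dest_port' is computed too,
to show why a raw event count is not a scanner signal on its own.
"""
from collections import Counter, defaultdict

# Constructed sample events (not real vendor logs, not from the thread).
# 10.0.0.5 probes four different hosts on port 22 (a scanner);
# 10.0.0.7 talks to one server on port 443 five times (normal client).
SAMPLE_EVENTS = """\
src_ip=10.0.0.5 src_port=51001 dest_ip=192.168.1.10 dest_port=22 action=blocked
src_ip=10.0.0.5 src_port=51002 dest_ip=192.168.1.11 dest_port=22 action=blocked
src_ip=10.0.0.5 src_port=51003 dest_ip=192.168.1.12 dest_port=22 action=blocked
src_ip=10.0.0.5 src_port=51004 dest_ip=192.168.1.13 dest_port=22 action=blocked
src_ip=10.0.0.5 src_port=51005 dest_ip=192.168.1.13 dest_port=22 action=blocked
src_ip=10.0.0.7 src_port=40001 dest_ip=192.168.1.50 dest_port=443 action=allowed
src_ip=10.0.0.7 src_port=40002 dest_ip=192.168.1.50 dest_port=443 action=allowed
src_ip=10.0.0.7 src_port=40003 dest_ip=192.168.1.50 dest_port=443 action=allowed
src_ip=10.0.0.7 src_port=40004 dest_ip=192.168.1.50 dest_port=443 action=allowed
src_ip=10.0.0.7 src_port=40005 dest_ip=192.168.1.50 dest_port=443 action=allowed
"""


def parse_event(line):
    """Split one 'key=value key=value' line into a dict (assumed event format)."""
    return dict(field.split("=", 1) for field in line.split())


def load_events(text):
    """Parse every non-empty line of the sample into an event dict."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def count_by_src_and_port(events):
    """The question's 'stats count by src_ip,dest_port': raw events per pair."""
    return Counter((e["src_ip"], e["dest_port"]) for e in events)


def dc_dest_by_src_and_port(events):
    """The answer's 'stats dc(dest_ip) as dest_count by src_ip dest_port'.

    dest_port="*" in the SPL only requires the field to exist, so events
    missing dest_port (or dest_ip) are skipped rather than counted.
    """
    seen = defaultdict(set)
    for e in events:
        if "dest_port" not in e or "dest_ip" not in e:
            continue
        seen[(e["src_ip"], e["dest_port"])].add(e["dest_ip"])
    return {key: len(dests) for key, dests in seen.items()}


def find_scanners(text, threshold=3):
    """'| where dest_count > threshold', as sorted (src_ip, dest_port, dest_count)."""
    distinct = dc_dest_by_src_and_port(load_events(text))
    return sorted((src, port, n) for (src, port), n in distinct.items() if n > threshold)


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    # Both sources exceed 3 raw events, so the original query would flag both.
    print("events per (src_ip, dest_port):", dict(count_by_src_and_port(events)))
    # Only the scanner has more than 3 distinct destinations on one port.
    print("distinct dest_ip per (src_ip, dest_port):", dc_dest_by_src_and_port(events))
    print("scanners:", find_scanners(SAMPLE_EVENTS))
```

The raw count flags both sources (five events each), while the distinct-destination count flags only 10.0.0.5, which is the behaviour the answer's `dc(dest_ip)` gives you. The threshold of 3 is a tuning knob, not a fixed rule: on a busy network, bucketing by time (for example `bin _time span=5m` before the `stats`) keeps long-lived clients from slowly accumulating distinct destinations and looking like scanners.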