How do you list source IPs that hit only two URLs ...

aamer86 · ‎02-05-2019

We have WEB logs, and we need to isolate the source IPs that only (only) hit two URLs.

The fields are:

src for source IP
uri_path for hit URL

woodcock · ‎02-05-2019

Try this:

| tstats count FROM datamodel=Web WHERE index=* AND (Web.url="first/url" OR Web.url="second/url") BY Web.src

ccloutier_splun · ‎02-05-2019

Then this should do it:

<base search>
| stats values(uri_path) as uri_path by src
| where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard"))
| stats count by src

You can substitute stats with tstats if uri_path is an indexed field. YMMV.

aamer86 · ‎02-05-2019

Thanks but this is really slow search using transaction

can we have something to be used with tstats and Data Model

ccloutier_splun · ‎02-05-2019

I've updated my answer to reflect that. Should be faster/more flexible.

ccloutier_splun · ‎02-05-2019

So, something like:

<base search here>
| stats distinct_count(uri_path) as distinct_uri_count by src
| where distinct_uri_count = 2

?

aamer86 · ‎02-05-2019

Thanks but I need to get the list of IPs that hit two URLs
account/XYz and account/ABC

ccloutier_splun · ‎02-05-2019

You can add values(src) to the stats command then?

Or am I misunderstanding completely? Do you mean these URIs only? Specific ones?

aamer86 · ‎02-05-2019

sorry I think I should have explained it better

so we need to get all the IPs that ONLY hit two urls

account/logon
member/savedcard

As this has been detected as an attack pattern

So i need the IPs that hit only these two URLs

How do you list source IPs that hit only two URLs in WEB source types?

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]