I am performing a search on firewall logs and looking for hosts that are scanning our servers. I would like to capture only 20 of the servers being scanned by a single source and the ports being scanned, and email alerts to the response team.
search_query
| stats count AS No_Connections,
        values(dest_ip) AS Destination_IP,
        dc(dest_ip) AS No_Destinations,
        values(dest_port) AS PORTS,
        dc(dest_port) AS No_Ports
  BY src_ip
| rename src_ip AS Source_IP
| where No_Destinations > 500 AND No_Ports > 100
| eval Destination_IP=mvindex(Destination_IP, 0, 19)
| eval PORTS=mvindex(PORTS, 0, 19)
I have managed to reduce the number of values in the mv fields; however, I don't know how to show that this is a truncated list. The alert function will include all the values in the email; however, I would like the web search to show only a limited number of values and display [and xxx more values] at the end.
Can this be done in an alert and in a report?
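One way to mark the list as truncated, as an added SPL example that is not part of the original post: keep the full multivalue fields for the alert e-mail, build separate display fields that hold only the first 20 values, and append a trailing "[and N more values]" element when more were dropped. Note that mvindex is zero-based, so mvindex(X, 1, 20) skips the first value; the first 20 values are mvindex(X, 0, 19). The field names Destination_IP_Display and PORTS_Display and the leading search_query placeholder are assumptions; the thresholds are the ones from the question.

```spl
search_query
| stats count AS No_Connections,
        values(dest_ip) AS Destination_IP,
        dc(dest_ip) AS No_Destinations,
        values(dest_port) AS PORTS,
        dc(dest_port) AS No_Ports
  BY src_ip
| rename src_ip AS Source_IP
| where No_Destinations > 500 AND No_Ports > 100
| eval Destination_IP_Display=if(mvcount(Destination_IP) > 20,
        mvappend(mvindex(Destination_IP, 0, 19),
                 "[and " . (mvcount(Destination_IP) - 20) . " more values]"),
        Destination_IP)
| eval PORTS_Display=if(mvcount(PORTS) > 20,
        mvappend(mvindex(PORTS, 0, 19),
                 "[and " . (mvcount(PORTS) - 20) . " more values]"),
        PORTS)
| table Source_IP No_Connections No_Destinations No_Ports Destination_IP_Display PORTS_Display Destination_IP PORTS
```

For the web view, a dashboard panel or report can select only the *_Display columns (drop the last two fields from the table), while the saved search that drives the alert keeps Destination_IP and PORTS so the e-mail carries the complete lists. If the same saved search must serve both, keep all fields in the results and let the report hide the full ones; the truncation marker is only as accurate as mvcount, so apply it before any later mvindex or mvfilter that would shorten the field again.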