I am performing a search on firewall logs, looking for hosts that are scanning our servers. I would like to capture only 20 of the servers being scanned by a single server, along with the ports being scanned, and email alerts to the response team.
search_query | stats count AS No_Connections,values(dest_ip) AS Destination_IP,
dc(dest_ip) AS No_Destinations,
values(dest_port) AS PORTS,
dc(dest_port) AS No_Ports by src_ip
| rename src_ip AS Source_IP
| search No_Destinations > 500 AND No_Ports > 100
| eval Destination_IP=mvindex(Destination_IP,1,20)
| eval PORTS=mvindex(PORTS,1,20)
I managed to reduce the number of values in the mv field; however, I don't know how to show that this is a truncated list. The alert function will include all the values in the email; however, I would like the web search to only show a limited number of values and show [and xxx more values] at the end.
Can it be done in an alert and in a report?
Use the following eval:
| eval field=if(dc_field>19,mvappend(mvindex(field,0,19),"..."),field)
The above eval looks for dc_field values greater than 20, uses mvindex to get the first 20 (note: the index begins at 0, so 0-19), and then appends "..." or "TRUNCATED" or whatever. If dc_field<=19 then field=field.
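The same grouping, dc()-style thresholds and multivalue truncation as a stand-alone Python script, added here as an example and not code from the thread or from Splunk: it groups constructed sample firewall events by src_ip, keeps sources whose distinct destination and port counts exceed thresholds (lowered from the question's 500/100 so the small sample triggers), and renders the multivalue fields with a trailing "[and N more values]" marker in place of the answer's "...". The sample data, thresholds and the `show` limit are assumptions; the output field names follow the question's rename.

```python
"""Port-scan summary with truncated multivalue fields, mirroring the SPL thread."""
from collections import defaultdict

# Constructed sample firewall events (key=value, one per line), not real traffic.
# 10.0.0.5 touches 6 hosts on 5 ports; 10.0.0.9 makes one ordinary connection.
SAMPLE_LOGS = "\n".join(
    [f"src_ip=10.0.0.5 dest_ip=192.0.2.{h} dest_port={p}"
     for h in range(1, 7) for p in (22, 80, 443, 3389, 8080)]
    + ["src_ip=10.0.0.9 dest_ip=192.0.2.1 dest_port=443"]
)

def parse(line):
    """Turn 'k=v k=v' into a dict (assumes no spaces inside values)."""
    return dict(kv.split("=", 1) for kv in line.split())

def truncate_mv(values, limit):
    """Keep the first `limit` values and say how many were dropped,
    like mvappend(mvindex(field,0,limit-1),"...") but with a count."""
    values = sorted(values)
    if len(values) <= limit:
        return values
    return values[:limit] + [f"[and {len(values) - limit} more values]"]

def scan_summary(logs, min_dests=5, min_ports=3, show=3):
    """Group by src_ip like `stats ... by src_ip`, apply the dc() thresholds
    (strictly greater, as in the question's search), then truncate for display."""
    per_src = defaultdict(lambda: {"count": 0, "dests": set(), "ports": set()})
    for line in logs.splitlines():
        ev = parse(line)
        row = per_src[ev["src_ip"]]
        row["count"] += 1
        row["dests"].add(ev["dest_ip"])
        row["ports"].add(ev["dest_port"])
    results = []
    for src, row in per_src.items():
        if len(row["dests"]) > min_dests and len(row["ports"]) > min_ports:
            results.append({
                "Source_IP": src,
                "No_Connections": row["count"],
                "No_Destinations": len(row["dests"]),
                "No_Ports": len(row["ports"]),
                "Destination_IP": truncate_mv(row["dests"], show),
                "PORTS": truncate_mv(row["ports"], show),
            })
    return results

if __name__ == "__main__":
    for r in scan_summary(SAMPLE_LOGS):
        print(r)
```

The full sets (before `truncate_mv`) are what an alert action would put in the email, while the truncated lists are what the search view shows.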
Thank you. Exactly what I need.