Splunk Search

How to create a host scanning report to count the number of IPs an external IP has connected to within 1 minute?

ststephe
Engager

I don't know if this has been answered in another question, but I'm trying to run a report for external IPs that have scanned our network. I'm indexing our full packet capture solution. My problem is that my criterion for a scan is one external IP that has connected to more than let's say 100 internal IPs in say under 1 minute.

So basically I'm asking, how do I create a report where I want to count the number of IPs where one field in one event is another field of 100 other events where the difference in a 3rd field (timestamp) in those 100 events is less than a certain value (1 minute). Could someone give me an idea on how to solve this please?

0 Karma
1 Solution

justinatpnnl
Communicator

What about something like this?

... your search for scan data ... | bucket _time span=1m | stats dc(internal_ip) as connected_ips by _time, external_ip | search connected_ips >= 100

ststephe
Engager

I'm still a little new to Splunk searches, so I'm not quite sure I understand this search. You bucket all events that span 1 minute, then count all internal_ip (not sure what "as" does or the comma) using _time as an input and declaring connected_ips as a variable somehow? Then searching that value for all values greater than 100? As a programmer I'm thinking more of a foreach loop of some kind, which I also don't really understand in Splunk, that counts through each external IP, counts the number of events with a different internal IP in the span of 1 minute, and returns that external IP and count of events so I can put it in a pie chart.

Could you please help me with this search?

0 Karma

justinatpnnl
Communicator

No problem, I'll explain what I was thinking and see if it matches up with what you wanted to accomplish.

First: | bucket _time span=1m

This takes all of your events and essentially rounds their timestamps down to the current minute. This allows you to have a common field _time for all of your events that occurred within the same minute.

Next: | stats dc(internal_ip) as connected_ips by _time, external_ip

The stats command allows you to perform operations on your data like count, average, or in this case distinct count. Basically I'm telling it to give you a count of the unique internal IP addresses, using "as" to give it a new field name called connected_ips. Using "by" we tell the results to be grouped by _time (which is now grouped into one-minute intervals) and external_ip.

The comma separating the two by fields is optional, I just like to use it for readability.

Finally: | search connected_ips >= 100

Now we tell Splunk to take the previous data and only show the results that talked to 100+ internal IPs. You should now have a result that lists the _time, external_ip, and the number of internal IPs that they connected to.

Does that match with what you were shooting for?

0 Karma
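The three-stage pipeline explained above (round timestamps to the minute, distinct-count internal IPs per minute and external IP, keep rows at or over the threshold) can be reproduced outside Splunk to see exactly what it computes. The following Python is an added example, not code from the thread or from Splunk; the connection records, the IP addresses (documentation ranges) and the helper names are all constructed. It goes one step beyond the thread by also showing the boundary case that fixed one-minute buckets miss: a burst that straddles the minute mark gets split across two buckets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

def _burst(external_ip, start, n_internal, seconds, first_host=1):
    """Constructed helper: n_internal events from external_ip to distinct 10.0.0.x hosts, spread over `seconds`."""
    step = seconds / n_internal
    return [((start + timedelta(seconds=i * step)).strftime(TS_FMT), external_ip,
             f"10.0.0.{first_host + i}") for i in range(n_internal)]

T0 = datetime(2024, 3, 1, 12, 0, 0)
# Constructed sample events (timestamp, external_ip, internal_ip), not data from the thread:
#  203.0.113.7 reaches 120 internal hosts inside the 12:00 minute (clear scan); 198.51.100.5 talks to
#  the same 3 hosts 50 times (chatty, not a scan); 192.0.2.9 reaches 120 hosts in 40 s across 12:00/12:01
SAMPLE_EVENTS = (
    _burst("203.0.113.7", T0, 120, 60)
    + [((T0 + timedelta(seconds=i)).strftime(TS_FMT), "198.51.100.5", f"10.0.1.{i % 3}")
       for i in range(50)]
    + _burst("192.0.2.9", T0 + timedelta(seconds=40), 60, 20)
    + _burst("192.0.2.9", T0 + timedelta(seconds=60), 60, 20, first_host=61)
)

def bucket_minute(ts):
    """Equivalent of `bucket _time span=1m`: round the timestamp down to its minute."""
    return datetime.strptime(ts, TS_FMT).strftime("%Y-%m-%dT%H:%M")

def connected_ips(events):
    """Equivalent of `stats dc(internal_ip) as connected_ips by _time, external_ip`."""
    seen = defaultdict(set)
    for ts, ext, internal in events:
        seen[(bucket_minute(ts), ext)].add(internal)
    return {key: len(hosts) for key, hosts in seen.items()}

def bucketed_scanners(events, threshold=100):
    """Equivalent of `search connected_ips >= 100`: (minute, external_ip, count) rows at or over the threshold."""
    return sorted((t, ext, n) for (t, ext), n in connected_ips(events).items() if n >= threshold)

def sliding_scanners(events, threshold=100, window_s=60):
    """Boundary-tolerant variant: peak distinct internal IPs one external IP reaches in any window_s span."""
    by_ext = defaultdict(list)
    for ts, ext, internal in sorted(events):          # ISO timestamps sort chronologically as strings
        by_ext[ext].append((datetime.strptime(ts, TS_FMT), internal))
    peak = {}
    for ext, recs in by_ext.items():
        for i, (t0, _) in enumerate(recs):            # window opens at each event in turn
            hosts = {ip for t, ip in recs[i:] if (t - t0).total_seconds() < window_s}
            peak[ext] = max(peak.get(ext, 0), len(hosts))
    return {ext: n for ext, n in peak.items() if n >= threshold}
```

With these inputs bucketed_scanners reports only 203.0.113.7, while sliding_scanners also reports 192.0.2.9, whose 120 hosts were split 60/60 across two buckets; in Splunk a sliding window can be expressed with streamstats and its time_window option.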

ststephe
Engager

Thank you for the help, that makes much more sense.

0 Karma

justinatpnnl
Communicator

You bet. Does that accomplish what you were trying to do?

0 Karma

ststephe
Engager

Yes it does. Thank you very much.

0 Karma