I don't know if this has been answered in another question, but I'm trying to run a report for external IPs that have scanned our network. I'm indexing our full packet capture solution. My problem is that my criterion for a scan is one external IP that has connected to more than let's say 100 internal IPs in say under 1 minute.
So basically I'm asking, how do I create a report where I want to count the number of IPs where one field in one event is another field of 100 other events where the difference in a 3rd field (timestamp) in those 100 events is less than a certain value (1 minute). Could someone give me an idea on how to solve this please?
What about something like this?
... your search for scan data ... | bucket _time span=1m | stats dc(internal_ip) as connected_ips by _time, external_ip | search connected_ips >= 100
I'm still a little new to Splunk searches so I'm not quite sure I understand this search. You bucket all events that span 1 minute, then count all internal_ip (not sure what as does or the comma) using _time as an input and declaring connected_ips as a variable somehow? Then searching that value for all values greater than 100? As a programmer I'm thinking more of a foreach loop of some kind, which I also don't really understand in Splunk, that counts through each external IP and counts the number of events with a different internal IP in the span of 1 minute and returns that external IP and count of events so I can put it in a pie chart.
Could you please help me with this search.
No problem, I'll explain what I was thinking and see if it matches up with what you wanted to accomplish.
First: | bucket _time span=1m
This takes all of your events and essentially rounds their timestamps down to the current minute. This allows you to have a common field _time for all of your events that occurred within the same minute.
Next: | stats dc(internal_ip) as connected_ips by _time, external_ip
The stats command allows you to perform operations on your data like count, average, or in this case: distinct count. Basically I'm telling it to give you a count of the unique internal IP addresses, using as to give it a new field name called connected_ips. Using by we tell the results to be grouped by _time (which is now grouped into one minute intervals) and external_ip. The comma separating the two by fields is optional, I just like to use it for readability.
Finally: | search connected_ips >= 100
Now we tell Splunk to take the previous data and only show the results that talked to 100+ internal IPs. You should now have a result that lists the _time, external_ip, and the number of internal IPs that they connected to.
Does that match with what you were shooting for?
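The bucket / stats dc / search pipeline described above, re-implemented as an added Python example (not from the thread and not Splunk code) over a constructed set of events, so each stage can be stepped through; the field names, sample IPs and the low demo threshold are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not data from the thread.
# Each tuple is (timestamp, external_ip, internal_ip), mirroring the fields
# the SPL search assumes (_time, external_ip, internal_ip).
SAMPLE_EVENTS = [
    ("2024-01-01T00:00:10Z", "203.0.113.5", "10.0.0.1"),
    ("2024-01-01T00:00:15Z", "203.0.113.5", "10.0.0.2"),
    ("2024-01-01T00:00:20Z", "203.0.113.5", "10.0.0.3"),
    ("2024-01-01T00:00:25Z", "203.0.113.5", "10.0.0.3"),  # repeat: not a new distinct IP
    ("2024-01-01T00:00:30Z", "203.0.113.5", "10.0.0.4"),
    ("2024-01-01T00:00:12Z", "198.51.100.7", "10.0.0.1"),
    ("2024-01-01T00:00:40Z", "198.51.100.7", "10.0.0.1"),
    ("2024-01-01T00:00:50Z", "203.0.113.9", "10.0.0.5"),  # these four straddle the
    ("2024-01-01T00:00:55Z", "203.0.113.9", "10.0.0.6"),  # 00:00 / 00:01 boundary
    ("2024-01-01T00:01:05Z", "203.0.113.9", "10.0.0.7"),
    ("2024-01-01T00:01:10Z", "203.0.113.9", "10.0.0.8"),
]


def bucket_minute(ts: str) -> str:
    """bucket _time span=1m: round the timestamp down to the start of its minute."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(second=0, microsecond=0).isoformat()


def scanners(events, threshold=100):
    """stats dc(internal_ip) as connected_ips by _time, external_ip
       | search connected_ips >= threshold
    Returns {(minute, external_ip): connected_ips} for groups at or above threshold."""
    seen = defaultdict(set)  # (minute, external_ip) -> distinct internal IPs (dc)
    for ts, ext, internal in events:
        seen[(bucket_minute(ts), ext)].add(internal)
    return {key: len(ips) for key, ips in seen.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for (minute, ext), n in sorted(scanners(SAMPLE_EVENTS, threshold=3).items()):
        print(f"{minute}  {ext}  connected_ips={n}")
```

With threshold=3 only 203.0.113.5 is reported; 203.0.113.9 touches four internal hosts in 20 seconds but straddles the minute boundary, so fixed buckets split it into two groups of two. That is the one limitation of the span=1m approach worth knowing before trusting the report for hosts near the threshold.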
Thank you for the help, that makes much more sense.
You bet. Does that accomplish what you were trying to do?
Yes it does. Thank you very much.