This is the query I use for port sweeps: 1 source -> dest_ips > 800 -> 1 dest_port
| tstats summariesonly=true dc(All_Traffic.dest) AS count from datamodel=Network_Traffic by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port
| lookup application_protocol_lookup dest_port AS All_Traffic.dest_port transport AS All_Traffic.transport OUTPUT app
| drop_dm_object_name("All_Traffic")
| search app=*
| search src!="192.168.176.81"
| where count>800
What if I want to reframe my query for more than 4 dest_ports: 1 source -> dest_ips > 800 -> dest_port > 4
Can you please help me with this?
Try something like:
| tstats summariesonly=true dc(All_Traffic.dest) AS count, dc(All_Traffic.dest_port) AS dest_port_count, values(All_Traffic.dest_port) AS dest_port from datamodel=Network_Traffic by All_Traffic.src,All_Traffic.transport
| lookup application_protocol_lookup dest_port transport AS All_Traffic.transport OUTPUT app
| drop_dm_object_name("All_Traffic")
| search app=* dest_port_count>=4 count>800
| search src!="192.168.176.81"
When you want to count the dest_ports, you can't also include that field in your BY clause; instead, all dest_ports are included BY src/transport per result. I'm not convinced this is exactly the query you want, but it should point you in the right direction.
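To make the difference between the two queries concrete, here is an added example (not part of the original thread and not Splunk code) that re-implements both aggregations in plain Python over constructed flow records. The lookup table, the IP addresses and the flow counts are all made up; the thresholds (800 distinct destinations, 4 distinct ports) and the excluded source come from the thread.

```python
"""Plain-Python re-implementation of the two port-sweep queries above.

Constructed flows, constructed lookup; illustrates why a host that spreads
its probes across several ports is invisible to the per-port query and
visible to the per-source query, and why app=* silently drops unknown ports.
"""
from collections import defaultdict

# Stand-in for application_protocol_lookup: (dest_port, transport) -> app.
# Constructed mapping, not the lookup shipped with any real deployment.
APP_LOOKUP = {
    (22, "tcp"): "ssh", (80, "tcp"): "http", (443, "tcp"): "https",
    (445, "tcp"): "smb", (3389, "tcp"): "rdp", (53, "udp"): "dns",
}
EXCLUDED_SRC = {"192.168.176.81"}  # the src!= filter used in both queries


def make_flows():
    """Constructed Network_Traffic-like tuples: (src, dest, transport, dest_port)."""
    flows = []
    # 10.0.0.5: 900 distinct dests, all on tcp/445 -> classic single-port sweep
    for i in range(900):
        flows.append(("10.0.0.5", f"10.1.{i // 256}.{i % 256}", "tcp", 445))
    # 10.0.0.6: 850 distinct dests spread over five ports (only 170 per port)
    ports = [22, 80, 443, 3389, 445]
    for i in range(850):
        flows.append(("10.0.0.6", f"10.2.{i // 256}.{i % 256}", "tcp", ports[i % 5]))
    # 192.168.176.81: very noisy, but explicitly excluded by the queries
    for i in range(1000):
        flows.append(("192.168.176.81", f"10.3.{i // 256}.{i % 256}", "tcp", 22))
    # 10.0.0.7: 900 dests on a port absent from the lookup -> dropped by app=*
    for i in range(900):
        flows.append(("10.0.0.7", f"10.4.{i // 256}.{i % 256}", "tcp", 31337))
    # 10.0.0.8: ordinary client talking to a handful of DNS servers
    for i in range(5):
        flows.append(("10.0.0.8", f"10.5.0.{i}", "udp", 53))
    return flows


def single_port_sweeps(flows, min_dests=800):
    """Original query: by src,transport,dest_port; dc(dest) > min_dests; app=*; src excluded."""
    dests = defaultdict(set)
    for src, dest, transport, port in flows:
        dests[(src, transport, port)].add(dest)
    hits = []
    for (src, transport, port), d in dests.items():
        app = APP_LOOKUP.get((port, transport))  # None mimics a row lookup cannot resolve
        if app is None or src in EXCLUDED_SRC or len(d) <= min_dests:
            continue
        hits.append({"src": src, "transport": transport, "dest_port": port,
                     "app": app, "count": len(d)})
    return hits


def multi_port_sweeps(flows, min_dests=800, min_ports=4):
    """Answer's query: by src,transport; dc(dest) > min_dests and dc(dest_port) >= min_ports."""
    dests = defaultdict(set)
    ports = defaultdict(set)
    for src, dest, transport, port in flows:
        dests[(src, transport)].add(dest)
        ports[(src, transport)].add(port)
    hits = []
    for (src, transport), d in dests.items():
        p = ports[(src, transport)]
        # dest_port is multivalue here; the row survives app=* if any port resolves
        apps = sorted({APP_LOOKUP[(x, transport)] for x in p if (x, transport) in APP_LOOKUP})
        if not apps or src in EXCLUDED_SRC or len(d) <= min_dests or len(p) < min_ports:
            continue
        hits.append({"src": src, "transport": transport, "dest_port": sorted(p),
                     "app": apps, "count": len(d), "dest_port_count": len(p)})
    return hits


if __name__ == "__main__":
    sample = make_flows()
    for hit in single_port_sweeps(sample):
        print("single-port sweep:", hit)
    for hit in multi_port_sweeps(sample):
        print("multi-port sweep: ", hit)
```

Running it reports 10.0.0.5 from the single-port logic only and 10.0.0.6 from the multi-port logic only, while 10.0.0.7 is reported by neither because its port has no lookup entry: the `app=*` filter is effectively a second allow-list, so check that the lookup covers the ports you care about before trusting an empty result.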