Port Scan Dashboard

tonythomas42 · ‎02-23-2020

I want a dashboard to be created for port scan(to detect 2000 port scan attempts from one single IP towards single destination within 5 min)
I tried creating one dashboard but the values in the dashboard keep on changing every time the dashboard refreshes. I want a dashboard that will display all the port scan attempts for last 24 hrs satisfying the condition (2000 port scan attempts in 5 min) and the values in the dashboard should stay till 24 hrs.

sumanssah · ‎02-29-2020

try using below-mentioned search for "port scan to single IP multiple ports"

| tstats `summariesonly`   dc(All_Traffic.dest_port) as dc_dest_port  values(All_Traffic.dest_zone) as dest_zone min(All_Traffic.dest_port) as min_port max(All_Traffic.dest_port as max_port values(All_Traffic.action) as action  from datamodel=Network_Traffic.All_Traffic where NOT (All_Traffic.dest_port=443 OR  All_Traffic.dest_port=80 )  by All_Traffic.src_ip All_Traffic.dest_ip _time span=5m
| `drop_dm_object_name(All_Traffic)`  
| where dc_dest_port>2000  
| eval ip_range=min_port."-".max_port

to4kawa · ‎02-29-2020

Which do you want to do?
Create something: good luck. you only know your logs.
Find Apps: splunk security essentials

Port Scan Dashboard

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio