Security & the Enterprise

Eval match value if port=3389 between 2 fields.

swengroeneveld
Explorer


Good morning to you all,

In the same index I have 2 fields called port1 and port2.
Port1 and Port2 can both have values between 0-65535.

I want to determine if there is port 3389.

This is part of the SolarWinds recommendation list (outward-facing ports) from CISA.
Pretty much I am stuck with match or between or if in the eval (not my strong suit).

Your feedback is valued so thanks in advance!

1 Solution

scelikok
SplunkTrust

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
If this reply helps you an upvote and "Accept as Solution" is appreciated.

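The accepted eval, run over the sample rows posted in this thread plus the two range cases raised later (port1=0/port2=4400 and port1=3388/port2=65535), as an added example that is not part of any post here. The rows are constructed with makeresults so the search can be pasted into any Splunk search bar without touching the index; the tonumber() calls are added so the comparison is numeric even when port1 and port2 were extracted as strings. The second half generalizes the single-port check to a watchlist of ports; the list 22,23,445,1433,3389 is an illustrative assumption, not CISA's list.

```spl
| makeresults count=8
| streamstats count AS row
| eval port1=case(row=1,0, row=2,3389, row=3,22, row=4,443, row=5,0, row=6,1023, row=7,0, row=8,3388)
| eval port2=case(row=1,65535, row=2,3389, row=3,22, row=4,443, row=5,1023, row=6,65535, row=7,4400, row=8,65535)
| eval port1=tonumber(port1), port2=tonumber(port2)
| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
| eval exact_match_only=if(port1=3389 OR port2=3389,"TRUE","FALSE")
| eval watched=split("22,23,445,1433,3389",",")
| mvexpand watched
| eval watched=tonumber(watched)
| eval hit=if(port1<=watched AND watched<=port2, watched, null())
| stats values(hit) AS exposed_watched_ports BY row port1 port2 RDPport exact_match_only
| sort row
```

Rows 1, 2, 6, 7 and 8 come back with RDPport=TRUE; rows 7 and 8 show exact_match_only=FALSE, which is exactly why `search port1=3389 OR port2=3389` misses ranges that merely contain 3389. exposed_watched_ports lists every watchlist port inside the range (all five for 0-65535 and 0-4400, only 22 and 445 for 0-1023, nothing for 443-443). On the real index, drop the first four lines and start at the tonumber eval.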


scelikok
SplunkTrust

I couldn't get your need. Could you please describe more? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

swengroeneveld
Explorer

Sure, the result should be something like:

port1  port2  RDPport
0      65535  TRUE
3389   3389   TRUE
22     22     FALSE
443    443    FALSE
0      1023   FALSE
1023   65535  TRUE

Does this make it more clear?


scelikok
SplunkTrust

Hi @swengroeneveld,

You can use below query;

| search port1=3389 OR port2=3389
If this reply helps you an upvote and "Accept as Solution" is appreciated.

swengroeneveld
Explorer

True, but that does not take into account if

port1 = 0 AND port2 = 4400

OR

port1 = 3388 AND port2 = 65535
