Re: How do I find top 10 ports used by attackers?

jpsnlyle · ‎12-14-2019

I'm not using Regex. There are over 370,00 events, and the payload of the data reads like this:

payload: {"attackerPort": 4031, "victimPort": 8080, "victimIP": "172.31.14.66", "attackerIP": "222.486.21.184", "connectionType":
"initial"}

to4kawa · ‎12-15-2019

| makeresults 
| eval _raw="{\"payload\": {\"attackerPort\": 4031, \"victimPort\": 8080, \"victimIP\": \"172.31.14.66\", \"attackerIP\": \"222.486.21.184\", \"connectionType\": \"initial\"}}"
| spath
| fields - _*
`comment("the logic is blow")` 
| rename payload.* as *
| table attackerPort victimPort victimIP attackerIP
| eventstats count as attackerPort_count by attackerPort
| eventstats count as victimPort_count by victimPort
| eventstats count as victimIP_count by victimIP
| eventstats count as attackerIP_count by attackerIP
| sort 10 - attackerPort_count

I think that top is certainly good.
However, it might be nice to have other information.

jpsnlyle · ‎12-15-2019

I run those 12 commands seperately, or as one? And do I need the source and sourcetype?

to4kawa · ‎12-15-2019

First of all, please copy and run all of them.
Erase once
Then add a comment below to your query and run it

woodcock · ‎12-14-2019

Use KV_MODE = json for your sourcetype on your Search Head and you will get all of those fields extracted for free. Then depending on what you mean, start with this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"

Then do either this:

| top 10 victimPort

Or this:

| top 10 attackerPort

How do I find top 10 ports used by attackers?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases