Solved: Re: How to develop a search to find auditing activ...

digital_alchemy · ‎01-10-2017

Scenario:

We have auditing activity that began on a specific day. I would like to search the firewall logs for activity from src_ip addresses that do not exist in the logs prior to that date for at least a couple of months.

Any suggestions on how to specify that I only want the results of new IP addresses seen for the first time during a specific timeframe?

somesoni2 · ‎01-10-2017

One long running slow version, could be like this (assuming specific date is Jan 2nd 2017)

your base search spanning 2 months of time range | stats min(_time) as firstReceived by src_ip | where firstReceived >=strptime("2017-01-02","%Y-%m-%d")

View solution in original post

somesoni2 · ‎01-10-2017

One long running slow version, could be like this (assuming specific date is Jan 2nd 2017)

your base search spanning 2 months of time range | stats min(_time) as firstReceived by src_ip | where firstReceived >=strptime("2017-01-02","%Y-%m-%d")

digital_alchemy · ‎01-10-2017

Thanks, that works perfectly... and such a simple solution.

How to develop a search to find auditing activity that began on a specific date?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?