This is the query for a port sweep: 1 source -> dest_ips > 800 -> 1 dest_port
| tstats summariesonly=true dc(All_Traffic.dest) AS count from datamodel=Network_Traffic by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port
| lookup application_protocol_lookup dest_port AS All_Traffic.dest_port transport AS All_Traffic.transport OUTPUT app
| `drop_dm_object_name("All_Traffic")`
| search app=*
| search src!="192.168.176.81"
| where count>800
What if I want to reframe my query to more than 4 dest_ports: 1 source -> dest_ips > 800 -> dest_port > 4
Can you please help me with this?
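One way to express the reframed condition, as an added example for this thread (not the poster's query and not a search shipped with Splunk Enterprise Security). It assumes the same Network_Traffic data model, the same application_protocol_lookup and the same excluded host as the question above; the output field names (dest_count, port_count, dest_ports, dest_ip_hits) are chosen here for readability:

```spl
| tstats summariesonly=true dc(All_Traffic.dest) AS dest_count
    from datamodel=Network_Traffic
    by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| lookup application_protocol_lookup dest_port transport OUTPUT app
| search app=* src!="192.168.176.81"
| where dest_count > 800
| stats dc(dest_port) AS port_count values(dest_port) AS dest_ports sum(dest_count) AS dest_ip_hits by src
| where port_count > 4
```

The first `where` keeps only the (src, transport, dest_port) rows that individually reached more than 800 distinct destinations, so `port_count > 4` means the same source did that on at least five different ports; `dest_ports` shows which ones. If you instead mean more than 800 distinct destinations in total spread across more than four ports, add `All_Traffic.dest` to the tstats `by` clause, drop the first `where`, and compute `dc(dest) AS dest_count dc(dest_port) AS port_count by src` before applying both thresholds. Either way the counts cover the whole search time range, so pick the range (or add `span=` bucketing with `_time`) to match how fast you expect a sweep to run.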