How can I correlate firewall traffic from two diff...

matthewg · ‎03-31-2017

I want to get a list of traffic that has accessed the same site at two different times. All I know are the times: say 10:00 AM and 11:30 AM.
How can I get a list of events where an internal IP connected to the same external IP at or near both times. I don't know either of the IP's I simply want to find a list of connections that were active at both times.

earliest="(date and time)" latest="(date and time)" AND earliest="(date and time)" latest="(date and time)"

pradeepkumarg · ‎03-31-2017

Increase your time range to cover both the time frames and search for something like below

Assuming your field names are internal_ip external_ip

index=your_index earliest=your_earliest_time latest=your_latest_time | stats count, values(_time) by internal_ip,external_ip | search count > 1

This will result in the events where the combination of internal_ip and external_ip occurred more than once along with the time of access

matthewg · ‎01-23-2019

But what if I have hundreds or thousands of combinations of internal and external ips that connected multiple times in between those times but I want to filter to the ones close to those two time intervals?

How can I correlate firewall traffic from two different timestamps

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!