I'm trying to create a search that'll visualize when a network scan is being run against a particular target. To do this I'm extracting a start and stop time based on a target and unique job (since job #'s can be reused). I want there to be a solid representation of this scan window so I'm trying to mark a single event by linking the start/stop times to the unique target + job.
Sample start event:
[Mon Mar 20 21:15:45 2017][21243.5571392][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] user admin : testing 10.69.47.124 (10.69.47.124) [5571406]
Sample stop event:
[Mon Mar 20 21:20:58 2017][21243.5571406][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] Finished testing 10.69.47.124. Time : 313.03 secs
I'm able to achieve an approximation of the results I'm after using this search paired with an area chart, stack mode: not stacked, and connecting null values:
index=test sourcetype=testd testing
| rex field=_raw "user admin : testing (?<target_host>\S+).*?\((?<target_ip>\S+)\).+?"
| eval target=coalesce(target_host,target_ip)
| rex field=_raw "Finished testing (?<target>\S+).*? Time : (?<duration>\S+?)\s+"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| stats c as "Scan Window" by _time, target
| xyseries _time,target,"Scan Window"
This works for short time ranges but if I broaden the time range to include additional times this host may have been scanned, the resulting chart displays the initial start time and the final stop time (essentially merging and displaying multiple scan windows into one).
I've been able to create a table showcasing the data I'm trying to visualize with a chart but I'm not sure what the next step would be:
index=test sourcetype=testd testing
| rex field=_raw "user admin : testing (?<target_host>\S+).*?\((?<target_ip>\S+)\).+?"
| rex "^[^/\n]*/\w+\s+(?P<chunk>\d+)"
| eval target=coalesce(target_host,target_ip)
| rex field=_raw "Finished testing (?<target>\S+).*? Time : (?<duration>\S+?)\s+"
| rex mode=sed field=JOB_NAME "s/\/.*//g"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| bin _time
| stats earliest(_time) as start, latest(_time) as stop by target,JOB_NAME,chunk
| convert ctime(start) ctime(stop)
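The start/stop pairing the second search performs, written out as an added Python example (not code from the post or from Splunk): it parses the two event formats quoted above, keys each start on target + JOB_NAME + chunk, and shows that a later scan of the same host produces a second window instead of being merged into one earliest..latest span. The second pair of events and the names EVENTS, scan_windows and in_scan_window are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample events in the format quoted in the post; the second pair is an
# invented later scan of the same host so that two distinct windows exist.
EVENTS = [
    "[Mon Mar 20 21:15:45 2017][21243.5571392][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] user admin : testing 10.69.47.124 (10.69.47.124) [5571406]",
    "[Mon Mar 20 21:20:58 2017][21243.5571406][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] Finished testing 10.69.47.124. Time : 313.03 secs",
    "[Tue Mar 21 03:00:10 2017][21243.5580000][JOB_NAME=example-job-two/Chunk 7.][JOB_UUID=example-uuid] user admin : testing 10.69.47.124 (10.69.47.124) [5580001]",
    "[Tue Mar 21 03:04:40 2017][21243.5580001][JOB_NAME=example-job-two/Chunk 7.][JOB_UUID=example-uuid] Finished testing 10.69.47.124. Time : 270.00 secs",
]

# Header: timestamp, then JOB_NAME split into the job id and the chunk number,
# the same pieces the post's second search extracts with rex.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[JOB_NAME=(?P<job>[^/\]]+)/\w+\s+(?P<chunk>\d+)")
START = re.compile(r"user admin : testing (?P<target_host>\S+) \((?P<target_ip>\S+)\)")
STOP = re.compile(r"Finished testing (?P<target>\S+) Time : (?P<secs>\S+)")


def parse_ts(text):
    """Parse the bracketed log timestamp, e.g. 'Mon Mar 20 21:15:45 2017'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def scan_windows(lines):
    """Pair start/stop events on (target, job, chunk) -> [(target, job, chunk, start, stop)].

    Keying on job and chunk keeps repeat scans of one host apart instead of
    merging them into a single earliest..latest window."""
    open_scans, windows = {}, []
    for line in lines:
        head = HEADER.match(line)
        if not head:
            continue
        when = parse_ts(head["ts"])
        if m := START.search(line):
            target = (m["target_host"] or m["target_ip"]).rstrip(".")
            open_scans[(target, head["job"], head["chunk"])] = when
        elif m := STOP.search(line):
            key = (m["target"].rstrip("."), head["job"], head["chunk"])
            start = open_scans.pop(key, None)
            if start is not None:  # ignore a stop with no matching start
                windows.append((*key, start, when))
    return windows


def in_scan_window(windows, target, when):
    """True if `when` falls inside any paired scan window for `target`."""
    return any(t == target and start <= when <= stop for t, _, _, start, stop in windows)
```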