forked from splunk/security_content
identify_ports_on_network.yml
39 lines (39 loc) · 1.33 KB
baseline:
  splunk:
    schedule:
      cron_schedule: ''
      earliest_time: -30d@d
      latest_time: -10m@m
    search: '| tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts
      from datamodel=Network_Traffic by All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")`
      | sort - count'
creation_date: '2017-06-24'
data_metadata:
  data_models:
  - Network_Traffic
  data_source:
  - Network Communication
  providing_technologies:
  - Splunk Stream
  - Bro
description: The search counts the number of times a connection was observed to each
  destination port, and the number of unique source IPs connecting to them.
eli5: For each port being accessed on the network, this search gives the total number
  of connections observed, and the number of unique IP addresses making those connections.
how_to_implement: To successfully implement this search, you must be ingesting network
  traffic, and populating the Network_Traffic data model.
id: 9f3bae5a-9fe3-49df-8c84-5edc51d84b7f
known_false_positives: ''
maintainers:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
modification_date: '2017-09-13'
name: Count of Unique IPs Connecting to Ports
original_authors:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
spec_version: 2
type: splunk
version: '1.0'
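The following is an added example, not part of this spec or of the splunk/security_content project: it reproduces offline what the `tstats` search above computes (connection count and distinct source count per destination port, sorted by count descending), so an analyst can check the expected output shape before scheduling the baseline. It goes one step beyond the spec by also showing how such a baseline is typically consumed, flagging destination ports seen in a recent window that the baseline never recorded. The event records, the field names `src`/`dest_port` (mirroring the `All_Traffic` fields), and the `new_ports` comparison are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events in the shape of the Network_Traffic data model
# fields used by the search (All_Traffic.src, All_Traffic.dest_port).
# These are illustrative values, not real traffic.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest_port": 443},
    {"src": "10.0.0.5", "dest_port": 443},
    {"src": "10.0.0.7", "dest_port": 443},
    {"src": "10.0.0.9", "dest_port": 22},
    {"src": "10.0.0.9", "dest_port": 22},
    {"src": "10.0.0.9", "dest_port": 22},
    {"src": "10.0.0.9", "dest_port": 22},
    {"src": "10.0.0.5", "dest_port": 3389},
]


def ports_baseline(events):
    """Equivalent of the SPL:
    count dc(src) as numberOfUniqueHosts by dest_port | sort - count

    Returns a list of rows {dest_port, count, numberOfUniqueHosts},
    ordered by count descending.
    """
    connection_count = defaultdict(int)  # count per dest_port
    unique_sources = defaultdict(set)    # dc(src) per dest_port
    for event in events:
        port = event["dest_port"]
        connection_count[port] += 1
        unique_sources[port].add(event["src"])

    rows = [
        {
            "dest_port": port,
            "count": connection_count[port],
            "numberOfUniqueHosts": len(unique_sources[port]),
        }
        for port in connection_count
    ]
    # '| sort - count' : descending by connection count
    rows.sort(key=lambda row: row["count"], reverse=True)
    return rows


def new_ports(baseline_rows, recent_events):
    """Hypothetical consumer of the baseline (assumption, not from the spec):
    destination ports present in recent traffic but absent from the
    30-day baseline. Returned sorted for stable output.
    """
    known = {row["dest_port"] for row in baseline_rows}
    seen = {event["dest_port"] for event in recent_events}
    return sorted(seen - known)


if __name__ == "__main__":
    baseline = ports_baseline(SAMPLE_EVENTS)
    for row in baseline:
        print(row)
    # Constructed "recent" events to compare against the baseline.
    recent = [{"src": "10.0.0.11", "dest_port": 8080},
              {"src": "10.0.0.5", "dest_port": 443}]
    print("ports not in baseline:", new_ports(baseline, recent))
```

With the sample events, port 22 leads with four connections from a single source, port 443 has three connections from two distinct sources, and port 3389 has one; the comparison step then reports 8080 as the only recent port outside the baseline.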