Transaction Command and Flow help regarding source IPs.
Using firewall logs, I would like to track and/or create flows of source IPs each time they reach out to a new destination IP (as well as the relevant times). Essentially a means of tracking movement of a source IP (doesn't seem like a novel idea).
Assuming the correct logs are selected and fields are already extracted upon ingest, does anyone have any recommendations? I've toyed with the transaction on src_ip by states syntax for some time but just can't get it down. Any advice or even guidance towards a new direction would be greatly appreciated. Thank you. Please don't refer me to the documentation either as I've read it front to back quite a few times.
-
Please try the following two queries to see if they can help:
_sourceCategory=** | parse "dst=*:" as DestinationIP | parse "src=*:" as src_IP | count by _messageTime, src_IP, DestinationIP | formatDate(_messageTime, "yyyy-MM-dd HH:mm:ss") as Time | order by _messageTime asc, DestinationIP asc
_sourceCategory=** | parse "dst=*:" as DestinationIP | parse "src=*:" as src_IP | count by src_IP, DestinationIP | transpose row src_IP column DestinationIP
Replace ** with your _sourceCategory name
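The same parse-then-group logic the two queries above express, carried out offline in Python as an added example (this is not part of the thread and not Sumo Logic code). The key=value log format, field names, timestamps and IP addresses below are constructed assumptions, not real firewall data. It goes one step beyond the queries: rather than counting every (source, destination) pair it keeps only each source's first contact with each destination, which is the "movement" timeline the question asks for, and then runs a simple fan-out check over those first-seen events.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in a key=value style that matches the
# parse anchors used in the thread (time="...", src=ip:port, dst=ip:port).
# The second line is deliberately out of time order to show why we sort.
SAMPLE_LOGS = """\
time="2024-03-01 09:00:07" src=10.0.0.5:51235 dst=192.168.1.10:443 action=allow
time="2024-03-01 09:00:01" src=10.0.0.5:51234 dst=192.168.1.10:443 action=allow
time="2024-03-01 09:01:15" src=10.0.0.5:51300 dst=192.168.1.22:445 action=allow
time="2024-03-01 09:01:16" src=10.0.0.9:40001 dst=8.8.8.8:53 action=allow
time="2024-03-01 09:02:40" src=10.0.0.5:51301 dst=192.168.1.23:445 action=deny
time="2024-03-01 09:03:02" src=10.0.0.5:51302 dst=192.168.1.10:443 action=allow
time="2024-03-01 09:04:55" src=10.0.0.9:40002 dst=192.168.1.22:445 action=allow
"""

# Equivalent of the query's parse "src=*:" / parse "dst=*:" anchors: the IP is
# everything between the key and the first colon (IPv4 assumed).
LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):\d+'
)


def parse_lines(text):
    """Yield (timestamp, src_ip, dst_ip) for every line the pattern matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without the expected fields are skipped, not guessed at
        ts = datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("src"), m.group("dst")


def first_contacts(text):
    """Per source IP, the ordered list of (first_seen_time, dst_ip) for each
    destination that source contacted for the first time."""
    # Sort first: log lines are not guaranteed to arrive in time order, and
    # "first seen" is wrong if we trust arrival order.
    events = sorted(parse_lines(text), key=lambda e: e[0])
    seen = defaultdict(set)
    flows = defaultdict(list)
    for ts, src, dst in events:
        if dst not in seen[src]:
            seen[src].add(dst)
            flows[src].append((ts, dst))
    return dict(flows)


def contact_matrix(text):
    """Source x destination hit counts, the same view the transpose query gives."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, src, dst in parse_lines(text):
        counts[src][dst] += 1
    return {src: dict(d) for src, d in counts.items()}


def fan_out_alerts(text, max_new_dsts, window_minutes):
    """Flag a source that reaches more than max_new_dsts *new* destinations
    inside any window_minutes window: a crude scan / lateral-movement signal
    built on first-seen events rather than raw hit counts."""
    alerts = []
    for src, flow in first_contacts(text).items():
        for i, (start, _) in enumerate(flow):
            window = [d for t, d in flow[i:]
                      if (t - start).total_seconds() <= window_minutes * 60]
            if len(window) > max_new_dsts:
                alerts.append((src, start, window))
                break  # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for src, flow in first_contacts(SAMPLE_LOGS).items():
        print(src)
        for ts, dst in flow:
            print(f"  {ts:%H:%M:%S}  new destination {dst}")
    print(contact_matrix(SAMPLE_LOGS))
    print(fan_out_alerts(SAMPLE_LOGS, max_new_dsts=2, window_minutes=5))
```

On the sample above, 10.0.0.5 is the only source whose first-contact timeline shows three new destinations inside five minutes; the thresholds are arbitrary and should be tuned against a baseline of normal fan-out for the network in question.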