Develop a worm tracker
I'm looking to build a worm tracker by querying firewall logs. For every source IP that has a deny on port 445, count the number of destination IPs over a 15 minute period. If the count is greater than 255 destination IPs then display the source IP and count.
-
Hi, a good operator for this type of correlation is our subquery operator.
Something similar to this logic:
parent query
[ subquery: every source IP that has a deny on port 445
| count by source_ip | compose source_ip ]
| sum .. by source_ip // count the number of destination IPs over a 15 minute period
| where count > 255
| count by source_ip, count
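The same correlation run offline over firewall log lines in Python, as an added example that is not code from the thread or from Sumo Logic; the key=value log format, field names, threshold default and sample addresses are all assumptions, and the fixed 15-minute slices mirror a `timeslice 15m` rather than a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (not from the thread): ISO-8601 UTC timestamp followed by key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return (timestamp, action, src, dst, dport), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["action"], m["src"], m["dst"], int(m["dport"])

def find_scanners(lines, window_seconds=15 * 60, threshold=255):
    """Sources with more than `threshold` distinct destinations denied on 445 inside one window.

    Windows are fixed slices aligned to the epoch, so a slow sweep spread over several
    windows is not flagged; only a burst inside one window is.
    Returns a sorted list of (src_ip, window_start, distinct_destination_count).
    """
    dests = defaultdict(set)  # (src, window index) -> distinct destination IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting the whole run
        ts, action, src, dst, dport = parsed
        if action == "deny" and dport == 445:
            dests[(src, int(ts.timestamp()) // window_seconds)].add(dst)
    hits = []
    for (src, window), targets in dests.items():
        if len(targets) > threshold:
            start = datetime.fromtimestamp(window * window_seconds, tz=timezone.utc)
            hits.append((src, start.strftime(TS_FMT), len(targets)))
    return sorted(hits)

def constructed_logs():
    """Constructed sample: a burst scanner, a slow sweep, an unrelated port-80 deny, one junk line."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = ["garbage line that does not parse"]
    for i in range(300):
        # 10.0.0.5: 300 distinct hosts on 445 within 100 seconds -> flagged
        t = base + timedelta(seconds=i // 3)
        lines.append(f"{t.strftime(TS_FMT)} action=deny src=10.0.0.5 dst=10.0.{1 + i // 250}.{i % 250} dport=445")
        # 10.0.0.9: 100 distinct hosts per 15-minute window over three windows -> not flagged
        t = base + timedelta(minutes=15 * (i // 100))
        lines.append(f"{t.strftime(TS_FMT)} action=deny src=10.0.0.9 dst=10.0.{5 + i // 100}.{i % 100} dport=445")
        # 10.0.0.7: 300 denies on port 80, outside the rule -> not flagged
        lines.append(f"{base.strftime(TS_FMT)} action=deny src=10.0.0.7 dst=10.0.9.{i % 250} dport=80")
    return lines

if __name__ == "__main__":
    for src, start, n in find_scanners(constructed_logs()):
        print(f"{src} {start} {n} distinct destinations")
```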