Splunk Lantern

Number of connections between unique source-destination pairs

You might need to know the number of times the IP addresses in your network are connecting to external IP addresses when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You need to determine what external IPs are commonly accessed by users on your network so you can create a whitelist.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Fortinet FortiGate data. You can replace this source with any other firewall data used in your organization.

  1. Run the following search: 
sourcetype=fgt_traffic src=<IP address sending the request> NOT (dest=<Internal IP address> OR dest=<DNS>)
| stats count BY src dest
| where count > 1
| sort - count

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

sourcetype=fgt_traffic 

Search only Fortinet FortiGate network traffic data.

src=<IP address sending the request> 

Search data coming from this IP address.

If you want to search all IP addresses in a netblock, use a wildcard search. For example, src=192.168.255.*

NOT (dest=<Internal IP address> OR dest=<DNS>)

Exclude internal and DNS destination IP addresses.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 

Example:
(dest="192.0.2.0" OR dest_ip="192.0.2.0")

Example:
(dest="192.0.2.0" OR dest="example.com")

| stats count BY src dest

Count the number of connections between each source-destination pair.

| where count > 1

Exclude results with a connection count of 1 or less, so only source-destination pairs that connected more than once remain.

| sort - count

Sort the results by the source-destination pair with the highest number of connections first.

Result

You can take many logical steps to protect your network with the results of this type of search, including:

  • Using the results to establish whitelists. 
  • Examining the results for outliers and investigating external IP addresses that are accessed with an unusually high frequency. 
  • Setting an alert for when the number of source-destination connections exceeds a certain threshold.
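The same aggregation, run offline over constructed FortiGate-style lines so the search logic and its edge cases (dest vs. dest_ip, hostnames in dest, the netblock wildcard, the alert threshold) can be checked end to end. This is an added example, not Splunk code; the field names follow the search above and the sample events and networks are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed key=value events using the extracted field names from the search (not real logs).
SAMPLE_LOGS = [
    'src=192.168.255.10 dest=203.0.113.7 dest_port=443',
    'src=192.168.255.10 dest=203.0.113.7 dest_port=443',
    'src=192.168.255.10 dest=203.0.113.7 dest_port=443',
    'src=192.168.255.11 dest_ip="198.51.100.9" dest_port=80',  # only dest_ip is populated
    'src=192.168.255.11 dest_ip="198.51.100.9" dest_port=80',
    'src=192.168.255.11 dest=10.0.0.5 dest_port=445',          # internal destination
    'src=192.168.255.12 dest=192.0.2.53 dest_port=53',         # DNS resolver
    'src=192.168.255.12 dest=example.com dest_port=443',       # hostname, seen once
    'src=10.1.1.1 dest=203.0.113.7 dest_port=443',             # outside the src netblock
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Split a key=value line into a dict, stripping quotes (like Splunk field extraction)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def destination(event):
    """Mirror (dest=... OR dest_ip=...): logs vary, so use whichever destination field exists."""
    return event.get("dest") or event.get("dest_ip")

def count_pairs(lines, src_net, internal_nets, dns_hosts):
    """Reproduce: src=<netblock> NOT (internal OR DNS) | stats count BY src dest | where count > 1 | sort - count."""
    src_net = ipaddress.ip_network(src_net)
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    pairs = Counter()
    for line in lines:
        ev = parse_kv(line)
        src, dest = ev.get("src"), destination(ev)
        if not src or not dest or ipaddress.ip_address(src) not in src_net:
            continue  # the src=192.168.255.* style netblock filter
        if dest in dns_hosts:
            continue  # NOT dest=<DNS>
        try:
            if any(ipaddress.ip_address(dest) in n for n in internal):
                continue  # NOT dest=<Internal IP address>
        except ValueError:
            pass  # dest holds a hostname rather than an IP; keep it
        pairs[(src, dest)] += 1
    # where count > 1 drops pairs seen once; sort - count puts the busiest pair first
    return sorted(((s, d, c) for (s, d), c in pairs.items() if c > 1), key=lambda r: -r[2])

def exceeds_threshold(rows, threshold):
    """Pairs whose connection count exceeds an alert threshold (the Result section's third bullet)."""
    return [r for r in rows if r[2] > threshold]
```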