You might need to know the number of times the IP addresses in your network are connecting to external IP addresses when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
You need to determine what external IPs are commonly accessed by users on your network so you can create a whitelist.
NOTE: To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Fortinet FortiGate data. You can replace this source with any other firewall data used in your organization.
- Run the following search:
sourcetype=fgt_traffic src=<IP address sending the request> NOT (dest=<Internal IP address> OR dest=<DNS>)
| stats count BY src dest
| where count > 1
| sort - count
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| sourcetype=fgt_traffic | Search only Fortinet FortiGate network traffic data. |
| src=<IP address sending the request> | Search data coming from this IP address. Tip: If you want to search all IP addresses in a netblock, use a wildcard search. For example, src=192.168.255.* |
| NOT (dest=<Internal IP address> OR dest=<DNS>) | Exclude internal and DNS destination IP addresses. Tip: Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it, and sometimes it will have an IP address. Parentheses and OR statements broaden your search so you don't miss anything. Example: (dest="192.0.2.0" OR dest="example.com") |
| \| stats count BY src dest | Count the number of connections between each source-destination pair. |
| \| where count > 1 | Keep only source-destination pairs seen more than once, dropping pairs with a connection count of 1. |
| \| sort - count | Sort the results by connection count in descending order, so the source-destination pair with the most connections comes first. |
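As an added example that is not part of the original page, the following Python mirrors the stages of this search (source filter with the netblock wildcard, exclusion of internal and DNS destinations, count by source-destination pair, keep counts above 1, sort descending) over a few constructed FortiGate-style events. The sample lines, the src and dest field names as already normalized, the netblock pattern and the excluded destinations are assumptions, so you can check what each stage produces before running the search in Splunk.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events in key=value form, already carrying the src/dest
# fields the search uses (assumption: the data is normalized like fgt_traffic).
SAMPLE_LOGS = """\
src=192.168.255.10 dest=198.51.100.7 dest_port=443 action=accept
src=192.168.255.10 dest=198.51.100.7 dest_port=443 action=accept
src=192.168.255.10 dest=198.51.100.7 dest_port=443 action=accept
src=192.168.255.10 dest="192.0.2.0" dest_port=445 action=accept
src=192.168.255.11 dest="example.com" dest_port=53 action=accept
src=192.168.255.11 dest=203.0.113.9 dest_port=80 action=accept
src=192.168.255.11 dest=203.0.113.9 dest_port=80 action=accept
src=10.0.0.5 dest=203.0.113.9 dest_port=80 action=accept
src=192.168.255.12 dest=203.0.113.44 dest_port=22 action=accept
"""

# Assumed internal and DNS destinations, matching the NOT (...) clause.
EXCLUDED_DESTS = {"192.0.2.0", "example.com"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value event into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def external_connection_counts(log_text, src_pattern, excluded_dests):
    """Return [(src, dest, count), ...] for pairs seen more than once.

    src_pattern accepts the same wildcard style as the search (192.168.255.*).
    Ties are broken by src, then dest, for deterministic output; SPL's
    'sort - count' leaves tie order unspecified.
    """
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_kv(line)
        src, dest = event.get("src"), event.get("dest")
        if not src or not dest:
            continue  # events lacking either field cannot be paired
        if not fnmatchcase(src, src_pattern):
            continue  # src=<pattern> filter
        if dest in excluded_dests:
            continue  # NOT (dest=<internal> OR dest=<DNS>)
        counts[(src, dest)] += 1  # stats count BY src dest
    rows = [(s, d, c) for (s, d), c in counts.items() if c > 1]  # where count > 1
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))  # sort - count
    return rows
```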
Result
You can take many logical steps to protect your network with the results of this type of search, including:
- Using the results to establish whitelists.
- Examining the results for outliers and investigating external IP addresses that are accessed with an unusually high frequency.
- Setting an alert for when the number of source-destination connections exceeds a certain threshold.