Aggregate Logs based on Source IP

maof97 · September 25, 2023, 4:16pm

Hello,

I'm collecting firewall logs from a firewall (PfSense).

On every log record, among other details, I have destination ip addresses and destination ports.
Now, I need to have an aggregated list of all destination ip addresses and destination ports for a source ip.

src 10.1.1.177:50022 dst 10.2.1.1:80
src 10.1.1.1:5000 dst 10.2.1.1:443
src 10.1.1.54:5000 dst 10.2.1.1:443
src 10.1.1.85:5000 dst 10.2.1.1:443
src 10.1.1.1:50022 dst 10.2.2.1:990
src 10.1.1.112:50022 dst 10.2.2.1:990
src 10.1.1.177:50022 dst 10.2.2.1:990

From the example above I want the aggregation of destination+port combinations for 10.2.1.171:
10.2.1.1:80
10.2.2.1:990

I tried the 'correlation' in the timeline using EQL but it didn't work.
Can anybody help me?

system · October 23, 2023, 4:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Aggregate destination ip addresses and destination ports Elasticsearch	1	411	August 31, 2021
Aggregating Source IP and Destination IP pairs on Firewall logs Elasticsearch	2	2184	July 19, 2019
[Agent-Netflow] Anomaly Detect for spikes on coms between 2 IP SIEM	6	481	July 11, 2023
Cisco ASA module Source and Destination IP incorrect Beats filebeat	1	272	January 1, 2021
Network Scan SIEM detection-rules	6	607	February 9, 2023

Aggregate Logs based on Source IP

Related topics