Aggregate Logs based on Source IP

Hello,

I'm collecting firewall logs from a firewall (PfSense).

On every log record, among other details, I have destination ip addresses and destination ports.
Now, I need to have an aggregated list of all destination ip addresses and destination ports for a source ip.

src 10.1.1.177:50022 dst 10.2.1.1:80
src 10.1.1.1:5000 dst 10.2.1.1:443
src 10.1.1.54:5000 dst 10.2.1.1:443
src 10.1.1.85:5000 dst 10.2.1.1:443
src 10.1.1.1:50022 dst 10.2.2.1:990
src 10.1.1.112:50022 dst 10.2.2.1:990
src 10.1.1.177:50022 dst 10.2.2.1:990

From the example above I want the aggregation of destination+port combinations for 10.2.1.171:
10.2.1.1:80
10.2.2.1:990

I tried the 'correlation' in the timeline using EQL but it didn't work.
Can anybody help me?
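An added example, not code from the original post or from Elastic: a small Python aggregation over the sample records above (copied from the post as constructed input), grouping the distinct destination ip:port pairs reached by each source ip. The line layout it parses ("src IP:PORT dst IP:PORT") is assumed to match the post's example, not pfSense's raw log format.

```python
import ipaddress
import re
from collections import defaultdict

# Sample records constructed from the post's example (not real firewall data).
SAMPLE_LOGS = """\
src 10.1.1.177:50022 dst 10.2.1.1:80
src 10.1.1.1:5000 dst 10.2.1.1:443
src 10.1.1.54:5000 dst 10.2.1.1:443
src 10.1.1.85:5000 dst 10.2.1.1:443
src 10.1.1.1:50022 dst 10.2.2.1:990
src 10.1.1.112:50022 dst 10.2.2.1:990
src 10.1.1.177:50022 dst 10.2.2.1:990
"""

# Matches the "src IP:PORT dst IP:PORT" layout shown in the post. The source port is
# captured but not used, because the aggregation is keyed on source IP only.
LINE_RE = re.compile(r"^src\s+(\S+):(\d+)\s+dst\s+(\S+):(\d+)\s*$")


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None when the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, _src_port, dst_ip, dst_port = m.groups()
    return src_ip, dst_ip, int(dst_port)


def aggregate_by_source(text):
    """Map each source IP to a sorted, de-duplicated list of 'dst_ip:port' strings it connected to."""
    dests = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines instead of aborting the whole run
        src_ip, dst_ip, dst_port = rec
        dests[src_ip].add((dst_ip, dst_port))
    # Sort by numeric IP (not string order) so 10.2.2.1 lands after 10.2.1.1 as expected.
    return {
        src: [f"{ip}:{port}" for ip, port in sorted(pairs, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))]
        for src, pairs in dests.items()
    }


if __name__ == "__main__":
    for src, dsts in sorted(aggregate_by_source(SAMPLE_LOGS).items()):
        print(src, "->", ", ".join(dsts))
```

For source 10.1.1.177 this yields 10.2.1.1:80 and 10.2.2.1:990, the two pairs the post asks for; the same per-source view also makes a host that fans out to many destinations or ports stand out quickly.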
