Daily event count per destination port, with each port's peak day expressed as a multiple of its average and of its median daily count (the search terms before =NULL are cut off in the snippet; the snippet grouped the first stats by port and the second by dport, which would leave the second stats nothing to group on, so the field name is made consistent here):

… =NULL
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats count as date_count by date, dport
| stats median(date_count) as median_count max(date_count) as max_count avg(date_count) as avg_count by dport
| eval avg_deviation=max_count/avg_count
| eval median_deviation=max_count/median_count

A port whose avg_deviation or median_deviation is far above 1 had one day with many more events than usual; the median-based ratio is the more robust of the two, since a single spike also pulls the average up.
Splunk tutorial data example: a subsearch picks the 20 most purchased products and, from those purchase events, the top 5 client addresses, and the outer search counts their events per hour (the outer search's leading terms and the end of the sort clause are cut off in the snippet; the unmatched closing bracket shows the whole thing sits inside a further subsearch whose opening is not preserved):

index=main source="tutorialdata.zip*www1/access.log" action=purchase [search index=main source="tutorialdata.zip*www1/access.log" action=purchase | top 20 productId showcount=false showperc=false] | top 5 clientip showcount=false showperc=false] | stats count by date_hour | sort num(date_hour)…
Failed password attempts, top 10 source addresses (sort 10 -count limits the output to the 10 rows with the highest count, descending):

sourcetype="secure*" AND "failed password" | stats count by ip | sort 10 -count

3.3 Logins from multiple locations
Scenario: a user who logs in from several different locations within a short time is treated as an anomalous account.
Policy: logins from more than 3 cities within 1 day are treated as a remote-login anomaly.

sourcetype="secure*" action="Accepted" | bin _time span=1d | iplocation ip | stats …

The rest of the query is cut off in the snippet. iplocation adds City, Country, Region and lat/lon fields derived from ip; the stats that follows has to group per day and per user and count distinct cities for the policy above to apply.

Too many accounts from one source address in a day (the snippet has lost this section's heading):

sourcetype="secure*" action="Accepted" | bin _time span=1d | stats count(user) by _time, ip | rename count(user) as User_count | search User_count>10

Two points on this query. The snippet grouped stats by ip alone, so the preceding bin _time span=1d had no effect on the result; _time is added to the by clause here so that the count really is per day. Also, count(user) counts accepted-login events that carry a user field, not distinct accounts; if the policy is about the number of different users coming from one address, use dc(user) instead.

3.5 Abnormal login time
Scenario: define the normal hours for logging in to the server; a login outside that range raises an alert.
Policy: accounts that logged in successfully between 00:00 and 08:00.
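The four rules above (failed-password sources, more than 3 cities per user per day, more than 10 accounts from one address per day, successful logins between 00:00 and 08:00) as an added Python example that is not part of the original article. It parses constructed /var/log/secure-style sshd lines (the sourcetype="secure*" data the searches run on), and CITY_BY_IP is an assumed static table standing in for Splunk's iplocation lookup; LOG_YEAR is assumed because syslog timestamps carry no year. The per-address rule counts distinct accounts (dc(user)), which is the stricter reading of the policy.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of Linux /var/log/secure lines (Splunk sourcetype secure*); not real data.
# Day 1: alice logs in from four addresses, bob from two; day 2: a password-guessing burst,
# then 11 different accounts accepted from one address within an hour.
SECURE_LOG = [
    "Mar  5 02:13:07 web1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  5 09:00:01 web1 sshd[1202]: Accepted publickey for bob from 10.0.0.6 port 51235 ssh2",
    "Mar  5 11:20:45 web1 sshd[1203]: Accepted password for alice from 10.0.1.7 port 51236 ssh2",
    "Mar  5 14:05:12 web1 sshd[1204]: Accepted password for alice from 10.0.2.8 port 51237 ssh2",
    "Mar  5 16:40:00 web1 sshd[1205]: Accepted password for alice from 10.0.3.9 port 51238 ssh2",
    "Mar  5 17:00:00 web1 sshd[1206]: Accepted password for bob from 10.0.4.10 port 51239 ssh2",
    "Mar  5 23:59:59 web1 sshd[1207]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2",
    "Mar  6 00:00:03 web1 sshd[1208]: Failed password for root from 203.0.113.9 port 4445 ssh2",
    "Mar  6 00:00:09 web1 sshd[1209]: Failed password for root from 203.0.113.9 port 4446 ssh2",
    "Mar  6 07:30:00 web1 sshd[1210]: Failed password for carol from 198.51.100.7 port 4447 ssh2",
    "Mar  6 08:00:00 web1 sshd[1211]: Accepted password for carol from 198.51.100.7 port 4448 ssh2",
] + [
    f"Mar  6 10:{i:02d}:00 web1 sshd[13{i:02d}]: Accepted password for svc{i} from 10.0.9.99 port 52{i:03d} ssh2"
    for i in range(11)
]

# Stand-in for Splunk's iplocation lookup (assumption: a static IP -> City table).
CITY_BY_IP = {
    "10.0.0.5": "Beijing", "10.0.1.7": "Shanghai", "10.0.2.8": "Shenzhen", "10.0.3.9": "Chengdu",
    "10.0.0.6": "Beijing", "10.0.4.10": "Hangzhou", "198.51.100.7": "Guangzhou",
    "10.0.9.99": "Beijing", "203.0.113.9": "Unknown",
}

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<action>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_secure(lines):
    """Extract the fields the SPL searches rely on: _time, action, user, ip."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # lines that are not auth decisions (session opened, etc.) are skipped
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({"_time": ts, "action": m["action"], "user": m["user"], "ip": m["ip"]})
    return events


def day(e):
    return e["_time"].strftime("%Y-%m-%d")  # equivalent of bin _time span=1d


def top_failed_ips(events, limit=10):
    """'failed password' | stats count by ip | sort 10 -count"""
    counts = Counter(e["ip"] for e in events if e["action"] == "Failed")
    return counts.most_common(limit)


def multi_city_logins(events, city_by_ip, max_cities=3):
    """action=Accepted | bin 1d | iplocation ip | distinct cities per day and user, flag > max_cities."""
    cities = defaultdict(set)
    for e in events:
        if e["action"] == "Accepted":
            cities[(day(e), e["user"])].add(city_by_ip.get(e["ip"], "Unknown"))
    return {k: sorted(v) for k, v in cities.items() if len(v) > max_cities}


def busy_source_ips(events, max_users=10):
    """action=Accepted | bin 1d | dc(user) by day, ip | flag > max_users (distinct accounts, not events)."""
    users = defaultdict(set)
    for e in events:
        if e["action"] == "Accepted":
            users[(day(e), e["ip"])].add(e["user"])
    return {k: len(v) for k, v in users.items() if len(v) > max_users}


def off_hours_logins(events, start_hour=0, end_hour=8):
    """Successful logins whose hour falls in [start_hour, end_hour)."""
    return [(e["_time"].strftime("%Y-%m-%d %H:%M:%S"), e["user"], e["ip"])
            for e in events if e["action"] == "Accepted" and start_hour <= e["_time"].hour < end_hour]


if __name__ == "__main__":
    ev = parse_secure(SECURE_LOG)
    print("failed-password sources:", top_failed_ips(ev))
    print("multi-city users:", multi_city_logins(ev, CITY_BY_IP))
    print("addresses with >10 accounts in a day:", busy_source_ips(ev))
    print("logins 00:00-08:00:", off_hours_logins(ev))
```

On the sample, only alice trips the multi-city rule (four cities on 2024-03-05), only 10.0.9.99 trips the account-count rule (11 distinct accounts on 2024-03-06), and carol's 08:00:00 login is deliberately on the boundary and is not flagged because the window is half-open.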
eventstats command: SPL example

… | bin span=1m _time | stats count AS count_i by _time, category | eventstats sum(count_i) as count_total by _time

eventstats command: KQL example. Kusto has no eventstats; the equivalent is built with a join statement (cut off in the snippet):

let binSize = 1h;
let detail = SecurityEvent
| summarize detail_count = count() by Event…

A second SPL/KQL pairing of the same pattern (the snippet ran the two together; stats count_i is not valid SPL and is given in the count AS count_i form):

SPL: … | stats count AS count_i by _time, category | eventstats sum(count_i) AS count_total by _time
KQL: T2 | join kind=inner (T1) on _time | project _time, category, count_i, count_total

3.9 Join
join is severely limited in Splunk. Subsearch results are capped at 10,000 rows (maxout in limits.conf, set through the deployment configuration), and only a limited set of join types is available…
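The eventstats pattern above, and the reason the join route is weaker, as an added Python example that is not part of the original page. It bins constructed (timestamp, category) events to one minute, counts per bin and category, then attaches the per-bin total two ways: a single-pass eventstats-style annotation, and a summarise-then-inner-join. The subsearch_limit parameter is an assumed stand-in for the subsearch row cap described in 3.9: once the summary side is truncated, an inner join silently drops every detail row for the bins that fell off the end, whereas eventstats never loses rows.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed events: (ISO timestamp, category), standing in for raw indexed events.
EVENTS = [
    ("2024-03-05T10:00:05", "login"),
    ("2024-03-05T10:00:17", "login"),
    ("2024-03-05T10:00:42", "logout"),
    ("2024-03-05T10:01:03", "login"),
    ("2024-03-05T10:01:59", "error"),
    ("2024-03-05T10:01:30", "error"),
    ("2024-03-05T10:03:00", "login"),
]


def bin_minute(ts):
    """| bin span=1m _time : floor the timestamp to the minute."""
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0).strftime("%Y-%m-%dT%H:%M")


def stats_by_time_category(events):
    """| stats count AS count_i by _time, category : one row per (bin, category)."""
    counts = Counter((bin_minute(ts), cat) for ts, cat in events)
    return [{"_time": t, "category": c, "count_i": n} for (t, c), n in sorted(counts.items())]


def eventstats_total(rows):
    """| eventstats sum(count_i) AS count_total by _time : annotate, keeping every row."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["_time"]] += r["count_i"]
    return [dict(r, count_total=totals[r["_time"]]) for r in rows]


def join_total(rows, subsearch_limit=10000):
    """summarise per _time in a subsearch, then join kind=inner back onto the detail rows.

    subsearch_limit is an assumed model of Splunk's subsearch row cap: summary rows beyond
    it are discarded, so detail rows for those bins find no match and vanish from the output.
    """
    summary = {}
    for r in rows:
        summary[r["_time"]] = summary.get(r["_time"], 0) + r["count_i"]
    kept = dict(list(summary.items())[:subsearch_limit])  # truncated subsearch result
    return [dict(r, count_total=kept[r["_time"]]) for r in rows if r["_time"] in kept]


if __name__ == "__main__":
    rows = stats_by_time_category(EVENTS)
    for r in eventstats_total(rows):
        print("eventstats:", r)
    print("join, cap 2 bins:", len(join_total(rows, subsearch_limit=2)), "of", len(rows), "rows survive")
```

With the default cap the two routes agree row for row; with the cap lowered to 2 bins the third minute disappears from the join output without any per-row indication, which is the failure mode to watch for when porting an eventstats search to a join.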