Identifying source and destination IP addresses for too many open connections

Usecase

Compare the current time window with the previous time window and list the source and destination IP addresses that opened at least 10 connections (min count 10) to the application server in the current window and were also seen in the previous window. The rule therefore reports values that keep recurring, not values that appeared for the first time.


Notification Types:  Email


User Inputs

See the image below for how the alert is configured in Skedler-Alerts.


Notification received via Email

Hi,

Alert has been triggered for alert "Repeatedly occured IP addresses" on Sat Dec 16,2017 18:05:00 IST


Alert Condition:

Rule Type: Repeated value, Keyword Filter: * - select * from .data* where timeWindow between Sat Dec 16,2017 17:50:00 IST - Sat Dec 16,2017 18:05:45 IST 


TimeWindow:

Sat Dec 16,2017 17:50:00 IST - Sat Dec 16,2017 18:05:45 IST


Elasticsearch Query:


Current window (17:50 to 18:05 IST):

{"size":10000,"sort":[{"Timestamp":{"order":"desc","unmapped_type":"date"}}],"query":{"bool":{"must":[{"range":{"Timestamp":{"gte":"2017-12-16T12:20:00.000Z","lte":"2017-12-16T12:35:00.000Z","format":"date_time"}}},{"query_string":{"query":"*","analyze_wildcard":true}}],"should":[],"must_not":[]}},"aggs":{"count":{"value_count":{"field":"_index"}}}}


Previous window (16:50 to 17:50 IST):

{"size":10000,"sort":[{"Timestamp":{"order":"desc","unmapped_type":"date"}}],"query":{"bool":{"must":[{"range":{"Timestamp":{"gte":"2017-12-16T11:20:00.000Z","lte":"2017-12-16T12:20:00.000Z","format":"date_time"}}},{"query_string":{"query":"*","analyze_wildcard":true}}],"should":[],"must_not":[]}},"aggs":{"count":{"value_count":{"field":"_index"}}}}


Matching Records:


Repeated value for data generated from Sat Dec 16,2017 17:50:00 IST to Sat Dec 16,2017 18:05:00 IST that was also seen in the previous window Sat Dec 16,2017 16:50:00 IST to Sat Dec 16,2017 17:50:00 IST


Field     Value            Count
srcIp     105.3.152.219    12
srcIp     129.89.1.70      50
dstIp     20.103.9.12      32
dstIp     100.30.12.98     19


http://localhost:3001/skedler-alerts/alertdetails?alertId=1auyTmABJG5Y3vs9VWIF&alertname=%22newly%22occured%22srcIp%22&triggered_time=2017-12-16T14:37:45.000Z


Thanks


Conclusion

The table below lists the source and destination IP addresses whose count in the current time window is at least 10 (count >= 10) and which were also seen in the previous time window.


Field     Value            Count
srcIp     105.3.152.219    12
srcIp     129.89.1.70      50
dstIp     20.103.9.12      32
dstIp     100.30.12.98     19
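The following is an added example, not Skedler-Alerts code, that reproduces the "Repeated value" rule described in this use case client-side: it builds the two Elasticsearch query bodies shown in the email (one per window), and on the hits they return it counts srcIp/dstIp values in the current window, keeps those with count >= 10, and drops any value that was not present in the previous window. The hit records are constructed inline so the script runs offline; the address 203.0.113.7 and the per-record timestamps are assumptions, the other addresses and the window boundaries are taken from the page.

```python
"""Client-side implementation of the "Repeated value" alert rule.

Added example; not part of Skedler-Alerts. The query shape mirrors the
Elasticsearch Query section of the alert email; the records are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
FIELDS = ("srcIp", "dstIp")   # fields inspected, as in the page's tables
MIN_COUNT = 10                # "min count 10" from the use case


def _es_ts(dt):
    """Render a datetime as the UTC date_time string the query uses."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def window_query(start, end):
    """Query body for one time window (same shape as the page's queries).

    size=10000 matters: Elasticsearch's default index.max_result_window caps
    a single request at 10000 hits, so a window with more events than that
    would be counted incompletely by a client-side rule like this one.
    """
    return {
        "size": 10000,
        "sort": [{"Timestamp": {"order": "desc", "unmapped_type": "date"}}],
        "query": {"bool": {"must": [
            {"range": {"Timestamp": {"gte": _es_ts(start), "lte": _es_ts(end),
                                     "format": "date_time"}}},
            {"query_string": {"query": "*", "analyze_wildcard": True}},
        ], "should": [], "must_not": []}},
        "aggs": {"count": {"value_count": {"field": "_index"}}},
    }


def repeated_values(current_hits, previous_hits, fields=FIELDS, min_count=MIN_COUNT):
    """Return [(field, value, count)] for values that reach min_count in the
    current window AND were seen at least once in the previous window."""
    previous_seen = {f: {h[f] for h in previous_hits if f in h} for f in fields}
    results = []
    for f in fields:
        counts = Counter(h[f] for h in current_hits if f in h)
        for value, n in counts.most_common():
            if n >= min_count and value in previous_seen[f]:
                results.append((f, value, n))
    return results


def _make_hits(n, src, dst, first_ts):
    """Constructed connection records (one per second) for the example."""
    return [{"Timestamp": _es_ts(first_ts + timedelta(seconds=i)),
             "srcIp": src, "dstIp": dst} for i in range(n)]


def sample_windows():
    """Constructed data: current window 17:50-18:05 IST, previous 16:50-17:50 IST."""
    cur = datetime(2017, 12, 16, 17, 50, tzinfo=IST)
    prev = datetime(2017, 12, 16, 16, 50, tzinfo=IST)
    current = (_make_hits(12, "105.3.152.219", "20.103.9.12", cur)       # repeated, >= 10
               + _make_hits(15, "203.0.113.7", "20.103.9.12", cur)       # >= 10 but new (assumed addr)
               + _make_hits(4, "129.89.1.70", "100.30.12.98", cur))      # repeated but < 10
    previous = (_make_hits(3, "105.3.152.219", "20.103.9.12", prev)
                + _make_hits(2, "129.89.1.70", "100.30.12.98", prev))
    return current, previous


def run_example():
    current, previous = sample_windows()
    return repeated_values(current, previous)


if __name__ == "__main__":
    cur_start = datetime(2017, 12, 16, 17, 50, tzinfo=IST)
    print(json.dumps(window_query(cur_start, cur_start + timedelta(minutes=15))))
    for field, value, count in run_example():
        print(f"{field:<8}{value:<18}{count}")
```

In the constructed data 203.0.113.7 makes 15 connections but is excluded because it never appeared in the previous window (a "newly occurred" rule would report it instead), and 129.89.1.70 is excluded because 4 is below the threshold; dstIp 20.103.9.12 is reported with the combined count from both sources. Against a live cluster the two bodies from window_query would be posted to the index pattern (.data* on the page) and the returned hits fed to repeated_values.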