Absent Member.

How do you get a list of unique attacker IP addresses?


First question, asking after a night of tinkering, sorry if a bit rough around the edges.

I am trying to get a list of unique attacker IP addresses. There are a few other things I am filtering for, but the idea is that I would end up with a list of unique IPs that are going to a designated IP (say 10.11.12.13). There will be lots of events listed, but I think there should only be a couple dozen or so IPs.

I have made a local variable, called Attacker_IP, that I think is working for pulling a string for each attacker IP. I just don't know how to get the last part, and end up with a list of unique IPs.

Conceptually, it is pretty straightforward. In practice, I am having some trouble. I could always export, and run a sort -u, but there has to be a way to get this done in ArcSight.

Anyone have any ideas, or links? My Google-foo has let me down.


Accepted Solutions
New Member.

Are you doing this in ArcSight Logger or ESM?

Either way: create a report. Use a query that extracts the relevant events that you wish to look at. Select only Attacker Address in the query and group by Attacker Address.

5 Replies
Absent Member.

I guess you are referring to the same in ESM. When setting the filter, there is a UNIQUE option in the select statement. Selecting attacker address and choosing the unique option will help.

Absent Member.

Sorry for the late response.

I am using ESM.

I have created a report that lists the Attacker Address. This produces a list of ALL addresses. I am still looking to make this unique, but this is way closer to my objective than I was just a little while ago. Thank you.

Absent Member.

I don't yet see how to filter the report output for UNIQUE. When I am playing around with filters, I see where to create one that would narrow the results based on event criteria, but not filter to UNIQUE. I figure this is probably a simple switch in the report, but I don't see it yet.

Absent Member.

I was just playing around with the query. Under fields, I did a group by attacker address, and I think that did the trick.

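The export-and-de-duplicate fallback mentioned in the question, done outside ArcSight, as an added example that is not part of the original thread and not ArcSight's own code. It assumes the events were exported as CEF text in which `src` carries the attacker address and `dst` the target address; the sample lines and function names are constructed for illustration. Like the group-by query, it returns one row per attacker address, with an event count.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events in CEF (assumed export format); not real data.
SAMPLE_CEF = """\
CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=192.0.2.10 dst=10.11.12.13 dpt=22 msg=blocked by policy
CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=192.0.2.10 dst=10.11.12.13 dpt=23
CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=198.51.100.7 dst=10.11.12.13 dpt=22
CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=203.0.113.5 dst=10.11.12.99 dpt=22
not a CEF line
"""

# Extension key=value pairs: a value runs until the next " key=" or end of line,
# so values containing spaces (e.g. msg) stay intact.
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_extension(line):
    """Return the CEF extension as a dict, or None if the line is not CEF."""
    if not line.startswith("CEF:"):
        return None
    # Seven header fields separated by unescaped pipes, then the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8:
        return None
    return dict(_EXT.findall(parts[7]))


def unique_attackers(lines, target_ip):
    """Group events sent to target_ip by attacker (src) address.

    Returns [(address, event_count), ...] sorted numerically by address.
    """
    counts = Counter()
    for line in lines:
        ext = parse_extension(line.strip())
        if not ext or ext.get("dst") != target_ip:
            continue
        try:
            addr = ipaddress.ip_address(ext.get("src", ""))
        except ValueError:
            continue  # missing or malformed src: skip the event
        counts[addr] += 1
    ordered = sorted(counts.items(), key=lambda kv: (kv[0].version, int(kv[0])))
    return [(str(addr), n) for addr, n in ordered]


if __name__ == "__main__":
    for addr, n in unique_attackers(SAMPLE_CEF.splitlines(), "10.11.12.13"):
        print(f"{addr}\t{n}")
```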