Security Jiujitsu

Analysis
| tstats prestats=t summariesonly=t count(All_Sessions.src_ip) from
datamodel=Network_Sessions where All_Sessions.src_ip!=All_Sessions.dest_ip
All_Sessions.src_ip=* earliest=-­‐30d@d groupby All_Sessions.src_ip _Eme span=1d
| tstats prestats=t append=t summariesonly=t count(All_Sessions.dest_ip) from
datamodel=Network_Sessions where All_Sessions.src_ip!=All_Sessions.dest_ip
All_Sessions.dest_ip=* earliest=-­‐30d@d groupby All_Sessions.dest_ip _Eme
span=1d | rename All_Sessions.src_ip as ip All_Sessions.dest_ip as ip | bucket
_Eme span=1d | stats count(All_Sessions.src_ip) as iniEaEng
count(All_Sessions.dest_ip) as terminaEng by ip _Eme | eval isRecent =
if(_Eme>relaEve_Eme(now(), "-­‐1d"), "yes", "no") | eval raEo = coalesce(iniEaEng,
0) / (coalesce(iniEaEng,0)+coalesce(terminaEng,0)) | where isnotnull(raEo) |
stats sum(iniEaEng) sum(terminaEng) avg(eval(if(isRecent="no", raEo, null))) as
avg_raEo avg(eval(if(isRecent="yes", raEo, null))) as recent_raEo by ip | where
isnotnull(recent_raEo) AND isnotnull(avg_raEo) | where (avg_raEo > 0.9 AND
recent_raEo < 0.8) OR (avg_raEo < 0.1 AND recent_raEo > 0.2)
67