IP mismatch in Hunt

[ben-sec]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

64

Storage for /

445

Storage for /nsm

894

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi!
The IP addresses shown in the group metrics section of the default Hunt view do not match the IP adresses of the actual alarms in the events section of the same view. Plain vanilla installation, I have not changed anything to the views. Ideas? Thanks in advance!
Cheers, Ben

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Here's one possible reason. The default Fetch Limit for the Group Metrics section is 10 so you're only going to see the top 10 IP addresses. The default Fetch Limit for the Events table at the bottom is 100 so you're only going to see 100 events by default. The default search is likely querying thousands of logs or more. So it's quite possible that the 100 logs in the Events table just happen to be more obscure logs with different IP addresses compared to the Group Metrics section. If you click one of the IP addresses in the Group Metrics section and then click Include, then the events in the Events table should show that IP address. For more information, please see:
https://docs.securityonion.net/en/2.4/dashboards.html#group-metrics
https://docs.securityonion.net/en/2.4/dashboards.html#events
https://docs.securityonion.net/en/2.4/dashboards.html#include

If that doesn't explain what you're seeing, then please provide more information including screenshots.

[ben-sec]

Thanks so far, I was not able to reproduce the issue and will mark your feedback as a possible answer.