Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!= AND src!= AND src!= action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country
Share This:


Leave A Comment?