Blocked Firewall Scanning Activity with indicator if Source has been allowed.

This search is still a work in progress, but I thought I would post it anyway. I currently use an OPNsense firewall at home. The purpose of the search is to identify blocked scanning activity on the firewall and then run a second search, via a join, to flag any src_ip that was blocked but was also allowed through the firewall at some point. You will need to adjust the two base searches to match your environment. If you find a better way, please share it so the search can be improved.

Change index=* to match your index name.
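An added example, not the author's search (which is not reproduced here): one way to build the two-step search described above in SPL. It assumes the firewall events are indexed with `action` (`block`/`pass`), `src_ip` and `dest_port` fields, that `YOUR_FIREWALL_SOURCETYPE` is replaced with the sourcetype your OPNsense add-on uses, and that 10 distinct destination ports is an arbitrary starting threshold for "scanning".

```spl
index=* sourcetype=YOUR_FIREWALL_SOURCETYPE action=block
| stats count AS blocked_events
        dc(dest_port) AS distinct_ports
        values(dest_port) AS blocked_ports
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
  BY src_ip
| where distinct_ports >= 10
| join type=left src_ip
    [ search index=* sourcetype=YOUR_FIREWALL_SOURCETYPE action=pass
      | stats count AS allowed_events
              values(dest_port) AS allowed_ports
        BY src_ip ]
| fillnull value=0 allowed_events
| eval source_allowed=if(allowed_events>0, "yes", "no")
| convert ctime(first_seen) ctime(last_seen)
| table src_ip source_allowed allowed_events allowed_ports
        blocked_events distinct_ports blocked_ports first_seen last_seen
| sort -source_allowed -distinct_ports
```

Rows with `source_allowed=yes` are the ones worth reviewing first, since a scanner that also got a `pass` may have found an open service. The subsearch inside `join` is subject to Splunk's subsearch row and time limits, so on a busy firewall consider a single `stats` over both actions with `eval`-based counters instead of the join.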
