Networking Archives -

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"

| iplocation src

| search Country=*

| table Country, src, action, bytes_out, packets_out

| dedup src

| sort Country

Continue Reading →

Blocked Firewall Scanning Activity with indicator if Source has been allowed.

This search is still a work in progress, but thought I would go ahead and post it. Currently use OPNsense firewall in my house. The purpose of the search is to identify blocked scanning activity on my firewall that does a 2nd search via a join to add if any src_ip that had been blocked […]

Continue Reading →

Sourcetype: Networking

Search All Traffic by src / action – Creates Table

Blocked Firewall Scanning Activity with indicator if Source has been allowed.