Search All Traffic by src / action – Creates Table

Networking
pocketaces
2 Comments
You already voted!

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country

Share This:

Tagged: Firewall GeoLocation Network

Comments

Splunker April 14, 2020 at 1:05 am

Your second src! criteria should be 172.16.0.0/12

Reply
1. _pocketaces April 23, 2020 at 6:58 pm
  
  thanks for the catch
  
  Reply

Leave A Comment? Click here to cancel reply.

Newest | Active

bewafaha

Active 2 days, 1 hour ago
sadloveshayari

Active 2 days, 23 hours ago
hivatatt

Active 1 week ago
yogesh shingate

Active 1 week ago
haplesslexicon2

Active 1 week, 1 day ago