Compare Successful Internal Vs External Connections

This query will display a bar chart of all successful Internal vs External SSH connections. Useful for identifying any spikes in connectivity coming from within your network remit or outside of it. Simply change the CIDR matches to match your required LANs.

"sshd" AND "Accepted password" 
 | rex "[a-zA-z]{3}\s\d+\s\d+:\d+:\d+\s[a-zA-Z0-9-.]*\s[a-zA-z]{3}\s\d+\s\d+:\d+:\d+\s(?<hostname>.*)\ssshd\[\d+\]:\sAccepted\spassword\sfor\s(?<username>.*)\sfrom\s(?<sourceip>.*)\sport\s(?<sourceport>.*)\sssh2"
 | eval network=case(cidrmatch("192.168.0.0/24", sourceip),"Internal",
                     cidrmatch("10.10.0.0/16",sourceip),"Internal",
                     cidrmatch("192.168.20.0/24",sourceip),"Internal",
                     1=1,"External")
| timechart count(username) by network