I am trying to create an alert based on sourcetype=iis | iplocation True_Client_IP | geostats count by Country that if one of my true client IPs show up in a Country where its not supposed to be it will generate an alert with the IPs listed.
I think I would some how need to input a list of locations that would trigger such an alert. Any help on how to create such an alert would be appreciated.
If you just need an alert then geostats isn't necessary. The iplocation command returns country names which you can then use in a normal stats command.
sourcetype=iis
| iplocation True_Client_IP
| stats count by Country
| where NOT Country=="United States"