Does anyone know if there is an efficient way to incorporate ip_intel into a search/query. I want to set up an alert using a particular ip_intel feed for a specific index to notify me when there is traffic from high-risk IP addresses.
Currently trying the below but I get no results (saw the below as another answer but cannot get it to work)
index=reverse_proxy [|inputlookup ip_intel | return ip] | where ip=src
note: "src" is the the field name in which the IP is parsed for my index
Description: Specify the number of rows.
Default: 1, which is the first row of results passed into the command.