Can someone help out with a search for the below context:
1) Need to get all the public IPs having blocked traffic (with blocked log count > 100).
2) IPs identified in step 1 should also have an allowed connection (count > 1) through the firewall.
Please let me know the search. This search needs to be used for Palo Alto Firewall logs. Thanks in advance.
Do you mean something with that kind of logic:
| stats count(eval(action=="failure")) as failure, count(eval(action=="success")) as success by src
| search failure > 100 success > 1
Do you mind sharing some sample data to work with?
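As an added example (not part of either post in this thread), the same two-step logic written out in Python over constructed sample events, so the thresholds can be checked against known counts before the SPL is run against real data. It assumes the indexed events carry a `src` field and an `action` field whose values are "blocked" and "allowed"; those names and values are assumptions for this example, not taken from the thread. It also adds the "public IP" filter from step 1, which the stats sketch above does not cover.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events standing in for Palo Alto traffic logs as indexed in
# Splunk. The field names (src, action) and the action values ("blocked",
# "allowed") are assumptions for this example, not taken from the thread.
def make_sample_events():
    events = []

    def add(src, action, count):
        events.extend({"src": src, "action": action} for _ in range(count))

    add("203.0.113.5", "blocked", 150)   # public, >100 blocked, 3 allowed     -> match
    add("203.0.113.5", "allowed", 3)
    add("198.51.100.9", "blocked", 120)  # public, >100 blocked, never allowed -> no match
    add("192.0.2.7", "blocked", 50)      # public, too few blocks              -> no match
    add("192.0.2.7", "allowed", 5)
    add("10.0.0.4", "blocked", 200)      # RFC 1918 address, dropped as non-public
    add("10.0.0.4", "allowed", 5)
    add("203.0.113.20", "blocked", 101)  # allowed count is exactly 1, fails "> 1"
    add("203.0.113.20", "allowed", 1)
    return events


# Address space that is never a routable public source. The RFC 5737
# documentation ranges used for the sample data are deliberately *not* listed,
# so they count as public here; ipaddress.is_global() would reject them.
NON_PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_public(src):
    """True if src parses as an IPv4 address outside the non-public ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed or missing src field: never report it
    if addr.version != 4:
        return False
    return not any(addr in net for net in NON_PUBLIC_NETWORKS)


def summarize(events):
    """Per-source blocked/allowed counts, the Python equivalent of
    | stats count(eval(action=="blocked")) as blocked,
            count(eval(action=="allowed")) as allowed by src"""
    counts = defaultdict(lambda: {"blocked": 0, "allowed": 0})
    for ev in events:
        action = ev.get("action")
        if action in ("blocked", "allowed"):
            counts[ev.get("src", "")][action] += 1
    return dict(counts)


def suspicious_sources(events, min_blocked=100, min_allowed=1):
    """Public sources with blocked > min_blocked AND allowed > min_allowed,
    i.e. the two conditions from the question, as (src, blocked, allowed)."""
    hits = []
    for src, c in summarize(events).items():
        if not is_public(src):
            continue
        if c["blocked"] > min_blocked and c["allowed"] > min_allowed:
            hits.append((src, c["blocked"], c["allowed"]))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for src, blocked, allowed in suspicious_sources(make_sample_events()):
        print(f"{src}: blocked={blocked} allowed={allowed}")
```

Both comparisons are strict, matching `failure > 100 success > 1` in the sketch above, which is why the source with exactly one allowed connection is not reported. The non-public list is applied after aggregation so that private or malformed `src` values are counted but never surface in the result.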