- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written
index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app categories="Malicous Sources" OR "Botnets" | stats count by username,host,referrer | count> 1 | table _time username,host,referrer filter_results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Additionally, after the stats
there are no _time
and filter_results
columns, so listing them in table
doesn't seem to make sense to me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Sure - this looks like a search that returns information. However, it probably won't get the categories you are looking for. The below splits out the categories into the cim field "category". If this works for what you are looking for, then it makes sense.
index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app category="Malicous Sources" OR category="Botnets" | stats count by username,host,referrer | where count> 1 | table _time username,host,referrer filter_results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

There's likely a syntax error in | count > 1 |
due to lack of a search command such as search
or where
- both will achieve what you wanted and throw out events with count=1
.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
does the rule make sense to you as is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Do elaborate on what you actually need help with.
