Hello, I'm trying to do a search for requests made to a list of malicious domains defined in a csv file, but excluding a list of source IPS. So far this is what I have, but I get no results: sourcetype=bro OR sourcetype=Proxy [inputlookup Malware_Domains.csv| fields Malware_Domains] NOT [inputlookup Exclude_IP.csv| fields Exclude_IP] My desired results will be all the IPs not in the exclude list, that are going to domains in the malware domains list, however currently I get 0/0 where as if I do my search with a Malwaredomain1 OR malware domain2 src_ip=!x.x.x.x AND src_ip=!x.x.x.x.... I get multiple results. I'm simply just trying to clean up this search and learn how to import CSVs ... View more

Hello, I'm trying to create a search that will allow me to search a subnet for requests made from a single source IP to more than X amount of destination IPS. for example, if 10.10.10.10 sends traffic over port 445 to all the devices in the range 10.10.10.11- 10.10.10.50 therefore 40 different Destinations and 10.10.10.20 sent traffic over port 445 to 10.10.10.70 and 10.10.10.66 therefore 2 different destinations. I wouldn't want to see the traffic sent from 10.10.10.20 as the total number of destination IPs is too low. Is it possible to do something like: src_ip=10.10.10.0/24 dest_port=445 dest_ip_count>=10 src_ip=10.10.10.0/24 -- Range of IPs I want to search for traffic on dest_port=445 -- Port the traffic is being sent on dest_ip_count>=10 Theoretical parameter that filters out source IPs not sending traffic to 10+ different devices Thanks ... View more