Hi Team,

Please help me out in this case. I am searching for port scanning attack attempts with the following query:

index="firewall" | stats dc(destination_port) as pcount by source_ip | where pcount > 500

It shows me the results only in the form source_ip 22.214.171.124 and pcount 777. But I want the results in the form:

source_ip source_port destination_ip destination_port pcount

So what will the query be in this regard? Waiting for your kind reply.
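One way to get the per-event columns alongside the count, as an added example that is not part of the original post: `eventstats` writes the per-source distinct-port count onto every event instead of collapsing the events the way `stats` does, so the other fields remain available to `table`. The index, field names and threshold are the ones in the post's query; `source_port` and `destination_ip` are assumed to be extracted fields in that index.

```spl
index="firewall"
| eventstats dc(destination_port) as pcount by source_ip
| where pcount > 500
| dedup source_ip source_port destination_ip destination_port
| table source_ip source_port destination_ip destination_port pcount
```

This returns one row per distinct connection tuple from each source that exceeded the threshold, which can be a large result set; add a time range or a `sort - pcount` as needed.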