Hi Splunkers,
I'm trying to set an alert condition to block traffic for IP addresses from 13.108.0.0 to13.111.255.255 and from 66.231.70.0 to 66.231.85.255, but I'm really stuck is there anybody can help please?
My query below:
| tstats count values(All_Traffic.app) AS app values(All_Traffic.dvc) AS devicename values(All_Traffic.src_zone) AS src_zone values(All_Traffic.dest_zone) AS dest_zone from datamodel=Network_Traffic where All_Traffic.action=blocked All_Traffic.src_ip IN (*) All_Traffic.dest IN (13.108.0.0 13.111.255.255 OR 66.231.80.0 66.231.95.255) All_Traffic.dest_port IN (*) by _time,All_Traffic.action,All_Traffic.src_ip, All_Traffic.dest ,All_Traffic.dest_port ,All_Traffic.transport,All_Traffic.rule,sourcetype | rename All_Traffic.* AS * | sort - _time limit=0 | fields - count | rename rule as policy,src_ip AS src | eval action=case(action="teardown","drop",1=1,action)
... View more