Hi yuanliu,

Thanks for the update. I usually want to look up which external IP addresses are blocked by the firewall, so I usually run this query:

    index=* sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="imperva:waf" action=blocked (src!=x.x.x.x AND src!=x.x.x.x/18)
    | stats count by src, dest, sourcetype, action
    | table src, dest, sourcetype, action

So I want to upgrade this query, or use another query, to see why an IP is blocked by the firewall. It could be brute force, any other threat, a web-related attack and so on. From the above query I can see a field called description, but it's not useful, so I want any ideas or queries.