___
# Tags
#suricata #homelab #splunk-queries

# Helpful Docs
- NA

# Notes

##### External Attacks By Country
```txt
index IN (so-suricata) sourcetype IN (suricata:alert) `src_ip_is_not_local` `dest_ip_is_wan`
| iplocation src_ip
| geostats count by Country
```

##### Internal IPs to Dest IP:Port With All Attack Signature Info
```txt
index IN (so-suricata) alert.signature IN (*) `src_ip_is_local`
| fields src_ip, dest_ip, dest_port, alert.signature, alert.signature_id, alert.gid, alert.category
| eval host_info = 'src_ip' + " --> " + 'dest_ip' + ":" + 'dest_port'
| eval alert_and_signature_info = 'alert.signature' + " - " + 'alert.signature_id' + " - " + 'alert.gid' + " - " + 'alert.category'
| table host_info, alert_and_signature_info
```

##### Top 10 Src IPs by Amount of IDS Alerts
```txt
index IN (so-suricata) alert.signature IN (*)
| top src_ip, alert.signature
| head 10
```
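The three searches above do the same work on raw Suricata `eve.json` output, so it helps to see the logic outside Splunk when testing new macros or rule sets. The script below is an added example, not part of these notes and not Security Onion or Splunk code: it parses constructed Suricata alert records (placeholder signature IDs 9000001 and up, RFC 5737 documentation addresses), filters out non-alert events and malformed lines, and reproduces each search as a function. It assumes the `src_ip_is_local` / `src_ip_is_not_local` macros are RFC 1918 checks and that `dest_ip_is_wan` means a non-local destination; the `iplocation`/`geostats` country step needs a GeoIP database, so the offline stand-in counts per external source IP instead.

```python
import json
import ipaddress
from collections import Counter

# Assumed definition of the `src_ip_is_local` macro: RFC 1918 ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _alert(src, dst, dport, sid, sig, cat):
    """Build one constructed eve.json alert line (gid 1 = standard Suricata rules)."""
    return json.dumps({"event_type": "alert", "src_ip": src, "dest_ip": dst, "dest_port": dport,
                       "proto": "TCP", "alert": {"gid": 1, "signature_id": sid,
                                                 "signature": sig, "category": cat}})


# Constructed sample input: not captured traffic, signature IDs are placeholders.
SAMPLE_EVE_LINES = [
    _alert("203.0.113.5", "198.51.100.10", 22, 9000001, "CONSTRUCTED SCAN SSH probe", "Attempted Information Leak"),
    _alert("203.0.113.5", "198.51.100.10", 22, 9000001, "CONSTRUCTED SCAN SSH probe", "Attempted Information Leak"),
    _alert("192.0.2.77", "198.51.100.10", 443, 9000002, "CONSTRUCTED WEB login brute force", "Attempted Information Leak"),
    _alert("192.168.1.20", "8.8.8.8", 53, 9000003, "CONSTRUCTED POLICY DNS to external resolver", "Potentially Bad Traffic"),
    _alert("10.0.0.5", "192.168.1.20", 445, 9000004, "CONSTRUCTED LOCAL SMB probe", "Attempted Administrator Privilege Gain"),
    json.dumps({"event_type": "flow", "src_ip": "192.168.1.20", "dest_ip": "8.8.8.8"}),  # not an alert
    "this line is not JSON",  # truncated/corrupt log line, must be skipped
]


def is_local(ip):
    """Stand-in for `src_ip_is_local`; `src_ip_is_not_local` is simply its negation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_alerts(lines):
    """Keep only well-formed records with event_type == alert (the sourcetype filter)."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        alerts.append(rec)
    return alerts


def external_attack_sources(alerts):
    """Search 1 without GeoIP: non-local source hitting a non-local (WAN) destination, counted per src_ip."""
    return Counter(a["src_ip"] for a in alerts
                   if not is_local(a["src_ip"]) and not is_local(a["dest_ip"]))


def internal_host_table(alerts):
    """Search 2: for local sources, build the host_info and alert_and_signature_info columns."""
    rows = []
    for a in alerts:
        if not is_local(a["src_ip"]):
            continue
        s = a["alert"]
        host_info = f"{a['src_ip']} --> {a['dest_ip']}:{a.get('dest_port', '')}"
        sig_info = f"{s['signature']} - {s['signature_id']} - {s['gid']} - {s['category']}"
        rows.append((host_info, sig_info))
    return rows


def top_src_ips(alerts, limit=10):
    """Search 3: most frequent alert sources (the `top ... | head 10` step)."""
    return Counter(a["src_ip"] for a in alerts).most_common(limit)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE_LINES)
    print("external sources:", dict(external_attack_sources(alerts)))
    for host_info, sig_info in internal_host_table(alerts):
        print(host_info, "|", sig_info)
    print("top sources:", top_src_ips(alerts))
```

Feeding a real `eve.json` through `parse_alerts` (one JSON object per line) is enough to compare the Python output against the Splunk results and catch a macro that is scoped too narrowly, for example a `src_ip_is_local` definition that omits one of the RFC 1918 ranges used on the home network.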