I am trying to create an alert for Outbound and Inbound FTP outside the USA. I have two separate searches, but I need to make them one search for alerting purposes.
**Outbound FTP outside USA:**
```
sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20 dst!=10.0.0.0/8 dst!=192.168.0.0/16 | iplocation dst | search Country!="United States" | stats Count by Country src dst port action
```
**Inbound FTP outside USA:**
```
sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20 src!=10.0.0.0/8 src!=192.168.0.0/16 | iplocation dst | search Country!="United States" | stats Count by Country src dst port action
```
How can I combine these two searches and add a Direction field, where Direction will be either Inbound or Outbound?
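
One way to combine the two searches, as an added example that is not part of the original post: it assumes the internal ranges are the two the post excludes (10.0.0.0/8 and 192.168.0.0/16), labels a connection Outbound when `src` is internal and Inbound otherwise, and geolocates the remote end of each connection. The field names `src_internal` and `remote_ip` are made up for this example.

```spl
sourcetype=Firewall action=allowed (port=20 OR port=21 OR port=22)
| eval src_internal=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src), 1, 0)
| eval Direction=if(src_internal=1, "Outbound", "Inbound")
| eval remote_ip=if(Direction="Outbound", dst, src)
| where NOT (cidrmatch("10.0.0.0/8", remote_ip) OR cidrmatch("192.168.0.0/16", remote_ip))
| iplocation remote_ip
| search Country!="United States"
| stats count AS Count by Direction Country src dst port action
```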