[Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country

SELECT
   device_model,
   --device_serial_id,
   --app_name AS ProtoPort,
   --in_interface,--
   --src_mac,--
   src_ip,
   dst_ip,
   src_country,
   log_type AS Source_Log,
   log_subtype AS Decision,
   src_port,
   dst_port
   --protocol--
FROM xgfw_data

--Use % if unsure--
WHERE src_country LIKE '$$Source Country Name$$'
AND src_country != 'Reserved'
AND src_ip != '11.11.10.%'

Matthew Ritchie

Matthew Ritchie over 2 years ago

Variables to Use
Source Country Name - String - $$Source Country Name$$
ExcludeMyNets - IP Address - $$ExcludeMyNets$$

ExcludeMyNets goes in the AND src_ip != '$$ExcludeMyNets$$'
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

[Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country