Hi
Try this
sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
| eval Direction=case((NOT cidrmatch("10.0.0.0/8",dst) AND NOT cidrmatch("192.168.0.0/16",dst)),"OUTBOUND",(NOT cidrmatch("10.0.0.0/8",src) AND NOT cidrmatch("192.168.0.0/16",src)),"INBOUND")
| iplocation dst | where Country!="United States"
| stats Count by Country src dst port action Direction
Give this a try
sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
| eval Direction=case(NOT cidrmatch("10.0.0.0/8",dst) AND NOT cidrmatch("192.168.0.0/16",dst),"OUTBOUND",NOT cidrmatch("10.0.0.0/8",src) AND NOT cidrmatch("192.168.0.0/16",src),"INBOUND",1=1,"Other") | where Direction!="Other"
| iplocation dst | rename Country as Country_dst | iplocation src | where Country!="United States" OR Country_dst!="United States"
| stats Count by Country src dst port action Direction
sourcetype=Firewall action=allowed (port=21 OR port=22 OR port=20)
(dst!=10.0.0.0/8 dst!=192.168.0.0/16) OR (src!=10.0.0.0/8 src!=192.168.0.0/16)
| iplocation dst
| search Country!="United States"
| stats Count by Country src dst port action
This is a start - but the real problem is: how do you determine the direction? Without that information, the whole search doesn't really make sense to me.
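
An added example, not part of any post above: one way to settle the direction question is to classify both endpoints with cidrmatch() and then geolocate only the external peer, so that internal-to-internal traffic and traffic with no internal endpoint are dropped rather than mislabelled. It assumes the two internal ranges and the field names (src, dst, port, action) used in the searches above; src_internal, dst_internal, external_ip and the INTERNAL and TRANSIT labels are names introduced here for illustration.

```spl
sourcetype=Firewall action=allowed (port=20 OR port=21 OR port=22)
| eval src_internal=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src), 1, 0)
| eval dst_internal=if(cidrmatch("10.0.0.0/8", dst) OR cidrmatch("192.168.0.0/16", dst), 1, 0)
| eval Direction=case(src_internal=1 AND dst_internal=0, "OUTBOUND",
                      src_internal=0 AND dst_internal=1, "INBOUND",
                      src_internal=1 AND dst_internal=1, "INTERNAL",
                      true(), "TRANSIT")
| where Direction="OUTBOUND" OR Direction="INBOUND"
| eval external_ip=if(Direction="OUTBOUND", dst, src)
| iplocation external_ip
| where Country!="United States"
| stats count by Country external_ip src dst port action Direction
```

Direction here is inferred only from which endpoint falls in the internal ranges; if the firewall logs its own direction or interface field, that field is a more reliable source.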