index="myIndex" eventtype=ftnt_fgt_event subtype=system host="" eventtype=ftnt_fgt_auth_privileged status=failed src_user="" srcip=* dstip=* |stats count by src_user dstip |iplocation dstip|
The columns show but there's no data.
iplocation can only interpret location info for public ip addresses. Are you sure dstip value is public ip?
iplocation can only interpret location info for public ip addresses. Are you sure dstip value is public ip?
I see you have a little Fortigate symbol as your emoji. Have you ever worked with the Fortigate App for Splunk? This is what I"m using.
If so do you know how to write a query that checks for failed logins to the FW from outside a particular state?
For example all of our FW are in X state, so if we see login attempts from another state, there might be a problem.
I think you mean srcip doesn't fall into a certain state.
index="myIndex" eventtype=ftnt_fgt_event subtype=system eventtype=ftnt_fgt_auth_privileged status=failed |iplocation srcip |where Region!="California"
This example shows all failed logins out of california
No these where internal IPs. I did not know that.