Sure.
I'm still refining the port definitions (would love to be able to use "in") but here is the working query.
It looks for outbound traffic to IRC ports, excludes RFC1918 space and looks for multiple packets to avoid 'light' port scanning (we're seeing a lot of false-positives with some VoIP apps).
| tstats `summariesonly` max(_time) as _time,values(All_Traffic.action) as action,values(All_Traffic.src_port) as src_port,count
    from datamodel=Network_Traffic
    where * (All_Traffic.dest_port="6660" OR All_Traffic.dest_port="6661" OR All_Traffic.dest_port="6662" OR All_Traffic.dest_port="6663" OR All_Traffic.dest_port="6664" OR All_Traffic.dest_port="6665" OR All_Traffic.dest_port="6666" OR All_Traffic.dest_port="6667" OR All_Traffic.dest_port="6668" OR All_Traffic.dest_port="6669" OR All_Traffic.dest_port="7000")
        (All_Traffic.action="allowed" OR All_Traffic.action="blocked")
    by All_Traffic.src,All_Traffic.dest,All_Traffic.transport,All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| search NOT dest="10.0.0.0/8" NOT dest="172.16.0.0/12" NOT dest="192.168.0.0/16"
| sort action
| where count>10
| fields _time,action,src,dest,transport,dest_port,count
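The filtering logic of the query above, replayed over constructed flow records, as an added example in Python that is not part of the original post. The record keys mirror the data model field names, ports are assumed to be integers, and the helper names are hypothetical.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Same port list and private ranges as the query above.
IRC_PORTS = set(range(6660, 6670)) | {7000}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_COUNT = 10  # the query keeps groups with count>10


def is_rfc1918(addr):
    """True when addr falls inside one of the three RFC1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def irc_candidates(flows, min_count=MIN_COUNT):
    """Return {(src, dest, transport, dest_port): count} for groups the query would keep."""
    counts = Counter()
    for f in flows:
        if f["action"] not in ("allowed", "blocked"):
            continue
        if f["dest_port"] not in IRC_PORTS or is_rfc1918(f["dest"]):
            continue
        counts[(f["src"], f["dest"], f["transport"], f["dest_port"])] += 1
    return {k: n for k, n in counts.items() if n > min_count}


def flow(src, dest, port, action="allowed", transport="tcp"):
    """Build one constructed flow record."""
    return {"src": src, "dest": dest, "dest_port": port,
            "action": action, "transport": transport}


# Constructed sample records, not real traffic.
SAMPLE = (
    [flow("10.1.1.5", "203.0.113.7", 6667)] * 25                # sustained session: kept
    + [flow("10.1.1.9", "198.51.100.4", p) for p in range(6660, 6670)]  # one event per port: dropped
    + [flow("10.1.1.5", "192.168.4.20", 6667)] * 40             # internal destination: excluded
    + [flow("10.1.1.8", "172.32.0.9", 7000, "blocked")] * 11    # just outside 172.16.0.0/12: kept
    + [flow("10.1.1.7", "203.0.113.7", 6667)] * 10              # exactly 10 is not > 10: dropped
)

if __name__ == "__main__":
    for key, n in sorted(irc_candidates(SAMPLE).items()):
        print(*key, n)
```

Because the count is taken per src, dest, transport and dest_port group, a sweep that touches each IRC port once never reaches the threshold, while a single long-lived connection does.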