Hi Andy,
Below is the search query (it's a simple search).
The peculiar thing is, I have another alert based on the query below; the only difference is that it fires on multiple occurrences in a 60-minute period (count > 10), and it works (with variable calls in the incident review dashboard showing the srcip properly).
sourcetype=fortinet type=utm subtype=ips "severity=high" OR "severity=critical"
| eval attack=coalesce(attack,attackname)
| lookup clientlocation srcip AS srcip OUTPUT location AS src_location contact AS src_contact
| lookup clientlocation srcip AS dstip OUTPUT location AS dst_location contact AS dst_contact
| eval src_location=if(src_location="OK", "External", src_location)
| eval src_contact=if(src_contact="OK", "None", src_contact)
| eval dst_location=if(dst_location="OK", "External", dst_location)
| eval dst_contact=if(dst_contact="OK", "None", dst_contact)
| fillnull value="-"
| table _time attack attackid vendor_action severity sessionid user srcip src_location src_contact srcport dstip dst_location dst_contact dstport service hostname sentbyte rcdbyte duration type subtype level policyid _raw
| addinfo
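To make the enrichment stages of the search above concrete, here is an added Python emulation (not code from the post or from Splunk) that runs the same pipeline over constructed Fortinet-style IPS events: coalesce attack/attackname, the two clientlocation lookups with the "OK" remapping, and fillnull. The lookup table, event lines and signature names are constructed, and severity is matched as a field rather than as a raw-string search.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the Splunk "clientlocation" lookup (not the real lookup file).
CLIENT_LOCATION: Dict[str, Dict[str, str]] = {
    "10.1.2.3": {"location": "Branch-A", "contact": "netops"},
    "10.1.2.4": {"location": "OK", "contact": "OK"},  # "OK" rows are remapped as in the search
}

# Constructed Fortinet-style IPS events; the second carries attackname instead of attack.
SAMPLE_EVENTS: List[str] = [
    'type=utm subtype=ips level=alert severity=critical attack="Test.Signature.A" '
    'srcip=203.0.113.7 dstip=10.1.2.3 srcport=44321 dstport=443 action=dropped',
    'type=utm subtype=ips level=warning severity=high attackname="Test.Signature.B" '
    'srcip=10.1.2.4 dstip=198.51.100.9 dstport=80 action=detected',
    'type=utm subtype=ips level=notice severity=low attack="Test.Signature.C" '
    'srcip=10.1.2.3 dstip=203.0.113.8 dstport=22 action=detected',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
COLUMNS = ["attack", "severity", "srcip", "src_location", "src_contact", "srcport",
           "dstip", "dst_location", "dst_contact", "dstport", "action", "level"]

def parse_event(raw: str) -> Dict[str, str]:
    """Extract key=value pairs from one log line, honouring double-quoted values."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in KV_RE.finditer(raw)}
    fields["_raw"] = raw
    return fields

def lookup_client(ip: Optional[str], side: str) -> Dict[str, Optional[str]]:
    """Mirror one lookup plus its two eval lines: no match -> null, "OK" -> External/None."""
    row = CLIENT_LOCATION.get(ip or "", {})
    location, contact = row.get("location"), row.get("contact")
    location = "External" if location == "OK" else location
    contact = "None" if contact == "OK" else contact
    return {f"{side}_location": location, f"{side}_contact": contact}

def enrich(raw: str) -> Optional[Dict[str, str]]:
    """Apply the base filter, coalesce, both lookups and fillnull; None if filtered out."""
    f = parse_event(raw)
    if f.get("type") != "utm" or f.get("subtype") != "ips" \
            or f.get("severity") not in ("high", "critical"):
        return None
    f["attack"] = f.get("attack") or f.get("attackname")  # eval attack=coalesce(attack,attackname)
    f.update(lookup_client(f.get("srcip"), "src"))
    f.update(lookup_client(f.get("dstip"), "dst"))
    return {c: ("-" if f.get(c) is None else f[c]) for c in COLUMNS}  # fillnull value="-"

def run_search(events: List[str]) -> List[Dict[str, str]]:
    """Equivalent of the full search: enriched table rows for matching events only."""
    return [row for row in map(enrich, events) if row is not None]
```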