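// Firewall traffic counts by direction and verdict, bucketed into 5-minute slices.
// Output columns: _timeslice, inbound, outbound, denied, closed.
// "outbound" is approximated as "source address is in an RFC 1918 private range";
// every other source address is counted as inbound.
_index=security_logs _sourceCategory=fw_security "type=\"traffic\"" AND ("action=\"accept\"" OR "action=\"deny\"" OR "action=\"close\"")
// Dots are escaped so only dotted-quad values are captured (an unescaped "." matches any character).
| keyvalue regex "=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" keys "srcip", "dstip"
| keyvalue regex "=\"(\w+)\"" keys "action"
| where action in ("accept", "deny", "close")
// RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12 (second octet 16 through 31), 192.168.0.0/16.
// A plain "172.16.*" prefix would misclassify 172.17.x.x - 172.31.x.x sources as inbound.
| if (srcip matches /^10\./ OR srcip matches /^172\.(1[6-9]|2[0-9]|3[01])\./ OR srcip matches /^192\.168\./, 1, 0) as outbound
// Numeric comparison: outbound is a 0/1 number, not a string.
| if (outbound == 0, 1, 0) as inbound
| if (action == "deny", 1, 0) as denied
| if (action == "close", 1, 0) as closed
| timeslice 5m
| sum(inbound) as inbound, sum(outbound) as outbound, sum(denied) as denied, sum(closed) as closed by _timeslice
| sort by _timeslice asc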