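// Top 10 IPS signatures by event count from firewall UTM/IPS logs.
// Scope: index security_logs, source category fw_security, keyword match on
// the literal strings type="utm" and subtype="ips".
_index=security_logs _sourceCategory=fw_security ("type=\"utm\"" AND "subtype=\"ips\"")
// Capture the quoted attack="..." value into the field `attack`.
// The capture group must be named, otherwise no field is produced for the aggregation below.
// The pattern requires a space after the closing quote, and no nodrop is set, so events
// without an attack="..." pair in that form are dropped from the result rather than counted as empty.
| extract "attack=\"(?<attack>.*?)\" "
// One row per signature name. Every matching event is counted; the query does not
// filter on any action/verdict field, so the totals are detections, not confirmed blocks.
| count as count by attack
// Relies on sort's default order so that limit keeps the highest counts.
// NOTE(review): confirm the default is descending in the target deployment.
| sort by count
| limit 10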