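// Top 10 destination UDP ports blocked by Suricata (event_type=alert, action=blocked),
// with well-known ports relabelled to a service name before counting.
// Only UDP rows survive the `where` below, so the TCP rows of the lookup table never
// match in this query; they are kept so the table can be reused if the filter is relaxed.
_index=suricata_logs AND "\"event_type\":\"alert\"" AND "\"action\":\"blocked\""
| parse "*" as jsonobject nodrop
| json field=jsonobject "src_ip","dest_ip","dest_port","proto" as source, destination, port, protocol
| where protocol = "UDP"
// The leading space anchors the start of the port number, so " 23/TCP" cannot match
// inside " 123/TCP" and " 53/UDP" cannot match inside " 5053/UDP".
| concat (" ", port, "/", protocol) as proto
| replace (proto, " 110/TCP", "POP3") as proto
| replace (proto, " 111/TCP", "UNIX-RPC") as proto
| replace (proto, " 111/UDP", "UNIX-RPC") as proto
| replace (proto, " 119/TCP", "NNTP") as proto
| replace (proto, " 119/UDP", "NNTP") as proto
| replace (proto, " 123/TCP", "NTP") as proto
| replace (proto, " 123/UDP", "NTP") as proto
| replace (proto, " 137/UDP", "NETBIOS-NS") as proto
| replace (proto, " 143/TCP", "IMAP") as proto
| replace (proto, " 1433/TCP", "MS-SQL") as proto
| replace (proto, " 17/UDP", "QOTD") as proto
| replace (proto, " 19/UDP", "CHARGEN") as proto
| replace (proto, " 1900/UDP", "UPNP") as proto
| replace (proto, " 22/TCP", "SSH") as proto
| replace (proto, " 23/TCP", "TELNET") as proto
| replace (proto, " 25/TCP", "SMTP") as proto
| replace (proto, " 3128/TCP", "SQUID") as proto
| replace (proto, " 3306/TCP", "MySQL") as proto
// NOTE(review): classic UDP traceroute probes use ports from 33434 upward; 33424 is the
// author's value and is left as-is — confirm it is the intended port.
| replace (proto, " 33424/TCP", "TRACEROUTE") as proto
| replace (proto, " 33424/UDP", "TRACEROUTE") as proto
| replace (proto, " 443/TCP", "HTTPS") as proto
| replace (proto, " 445/TCP", "MS-RPC") as proto
| replace (proto, " 465/TCP", "SMTPS") as proto
| replace (proto, " 5060/UDP", "SIP") as proto
| replace (proto, " 520/UDP", "ROUTER") as proto
| replace (proto, " 523/TCP", "IBM-DB2") as proto
| replace (proto, " 523/UDP", "IBM-DB2") as proto
| replace (proto, " 53/TCP", "DNS") as proto
| replace (proto, " 53/UDP", "DNS") as proto
| replace (proto, " 563/TCP", "NNTPS") as proto
| replace (proto, " 563/UDP", "NNTPS") as proto
| replace (proto, " 587/TCP", "SUBMISSION") as proto
| replace (proto, " 80/TCP", "HTTP") as proto
| replace (proto, " 8080/TCP", "HTTP-8080") as proto
// 993/TCP is IMAPS and 995/TCP is POP3S; the two labels were swapped in the original.
| replace (proto, " 993/TCP", "IMAPS") as proto
| replace (proto, " 995/TCP", "POP3S") as proto
// Ports without a label keep their numeric "port/protocol" form; drop the anchoring space.
| replace (proto, " ", "") as proto
// NOTE(review): the original read `count as hits proto`; the `by` keyword is restored here —
// confirm against the Sumo Logic grammar. The wider group-by is kept as a comment on its
// own line so the `//` does not swallow the `order by` / `limit` operators that follow.
| count as hits by proto
// | count as hits by source, destination, proto
| order by hits
| limit 10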