Description: Track source IP with >=100 blocked events for the past hour.
Caveats: Requires custom patch to Splunk_TA_aws and Splunk_SA_CIM
SPL:
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" BY Web.src, Web.url_domain, _time span=1s
| rename "Web.*" as "*"
| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z")
| stats earliest(Time) AS first_occur, sum(count) AS event_count BY src, url_domain
| where event_count>=100
```sample 20 events from each IP```
| join type=inner max=20 src
[| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" NOT Web.uri_path IN ("/", "/favicon.ico") BY Web.src, Web.uri_path
| rename "Web.*" as "*"
| table uri_path, src]
| mvcombine uri_path
| rename uri_path AS sample_20_paths, url_domain AS Domain, src AS source_ip
| iplocation source_ip
| sort -event_count
| table first_occur, Domain, source_ip, Country, sample_20_paths, event_count