From 5592e6f21bc2aea3f8f4857ee0dfd5eab1fe3406 Mon Sep 17 00:00:00 2001
From: junk
Date: Sun, 12 Jan 2025 15:53:49 -0500
Subject: [PATCH] Add idea_in_future.md
---
 idea_in_future.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 idea_in_future.md
diff --git a/idea_in_future.md b/idea_in_future.md
new file mode 100644
index 0000000..1abd5a9
--- /dev/null
+++ b/idea_in_future.md
@@ -0,0 +1,8 @@
+```
+index=* sourcetype=zeek*
+| iplocation prefix=Source_ allfields=true id.orig_h
+| eval "Source_Location"=case(Source_City=="Whitehall", "Lumen",Source_City== "Quantico", "MCCOG")
+| iplocation prefix=Destination_ allfields=true id.resp_h
+| eval "Destination_Location"=case(Destination_City=="Whitehall", "Lumen",Destination_City== "Quantico", "MCCOG")
+| table sourcetype, _time, id.orig_h, "Source_City","Source_Region","Source_Country", "Source_Location",id.resp_h,"Destination_City","Destination_Region","Destination_Country", "Destination_Location"
+```
\ No newline at end of file