We have the need to know when we are seeing activity from certain countries. Currently I have not been able to figure out a way to develop said query/alert.
sotherls, This is definitely possible as the source and destination country are in the database views. Here is an example query to do what you want. However I have some DB performance issues so I can't get this to run unless I am looking at the last 5 minutes of flow data or so. If you have a DBA they may be able to optimize this, otherwise the feature request may be to optimize the DB so that these queries are possible. If you want to specifically include or exclude countries look at the CountryCode table and pick the identifier in question and add it to the WHERE clause below.
SELECT N.City, CHANGETIMEZONE(TimeStamp, '-05:00') AS Time_In_EST, SUM(TotalBytes)/1048576 AS SUM_Bytes_MB, SourceIP, DestinationIP, Port, F.SourceCountryCode
FROM Orion.Netflow.FlowsByIP F
JOIN Orion.NodesCustomProperties N on F.NodeID = N.NodeID
JOIN Orion.Netflow.Countries as CO ON F.SourceCountryCode = CO.CountryCode
WHERE SourceCountryCode = '-P' AND (F.TimeStamp>=(GetDate())-1)
GROUP BY N.City, DestinationIP
ORDER BY N.City, DestinationIP, TotalBytes DESC
