Under Event Groups, look at Network Audit Alerts. There are source/destination port fields. I'd expect the search to return specific event classes (like TCPTrafficAudit or IPTrafficAudit), and then you could build a rule to look for those events with the right characteristics for alerts.
Most firewalls: TCPTrafficAudit.DestinationPort = 21 (you might want to look for 20, but 21 is telltale)
Proxy servers and application-layer aware firewalls where we know this traffic is FTP: FileTransferTrafficAudit
There's actually a filter included out of the box (IT Operations => FTP Traffic) that you can do a historical search on by clicking Gear > send to nDepth (you might have to expand the time range). It tries to look for all Network Audit Alerts (which would include both of the above) where either the word FTP is included or it's to/from one of those ports, so it should catch most everything.
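The three matching criteria the answer lays out (a TCPTrafficAudit to destination port 21, the FileTransferTrafficAudit event class, and the broad "FTP keyword or port 20/21 in any Network Audit Alert" filter) can be checked offline against a few normalized events. The script below is an added example, not part of the original post or of the product; the field names (EventType, SourcePort, DestinationPort, ExtraneousInfo) and the sample events are assumptions constructed to resemble normalized network-audit records, so adjust them to whatever your console actually shows.

```python
"""Classify normalized network-audit events as FTP-related.

Two checks are implemented:
  * firewall_ftp_control_rule(): the narrow rule from the post, i.e.
    TCPTrafficAudit with DestinationPort == 21.
  * ftp_match_reason(): the broad out-of-the-box style filter, i.e. any
    *TrafficAudit event that is FileTransferTrafficAudit, is to/from port
    20 or 21, or contains the string "FTP" anywhere.
Field names are assumptions and not copied from any product schema.
"""

FTP_PORTS = {20, 21}  # 21 = control channel (the telltale one), 20 = active-mode data

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventType": "TCPTrafficAudit", "SourceIP": "10.0.0.5", "SourcePort": 51234,
     "DestinationIP": "203.0.113.10", "DestinationPort": 21, "ExtraneousInfo": "allow"},
    {"EventType": "TCPTrafficAudit", "SourceIP": "10.0.0.5", "SourcePort": 51235,
     "DestinationIP": "203.0.113.10", "DestinationPort": 443, "ExtraneousInfo": "allow"},
    {"EventType": "FileTransferTrafficAudit", "SourceIP": "10.0.0.7", "SourcePort": 40000,
     "DestinationIP": "198.51.100.2", "DestinationPort": 2121, "ExtraneousInfo": "RETR report.csv"},
    {"EventType": "IPTrafficAudit", "SourceIP": "10.0.0.9", "SourcePort": 20,
     "DestinationIP": "198.51.100.2", "DestinationPort": 60001, "ExtraneousInfo": "deny"},
    {"EventType": "TCPTrafficAudit", "SourceIP": "10.0.0.11", "SourcePort": 53000,
     "DestinationIP": "192.0.2.8", "DestinationPort": 8080, "ExtraneousInfo": "CONNECT ftp.example.net"},
]


def firewall_ftp_control_rule(event):
    """Narrow rule for plain firewalls: TCP traffic to the FTP control port."""
    return event.get("EventType") == "TCPTrafficAudit" and event.get("DestinationPort") == 21


def ftp_match_reason(event):
    """Return why an event matches the broad FTP filter, or None if it does not.

    Only *TrafficAudit classes (the Network Audit Alerts group) are considered.
    """
    event_type = str(event.get("EventType", ""))
    if not event_type.endswith("TrafficAudit"):
        return None
    # Application-aware sources already tell us the protocol.
    if event_type == "FileTransferTrafficAudit":
        return "class:FileTransferTrafficAudit"
    # Port-based match in either direction (to/from 20 or 21).
    for key in ("SourcePort", "DestinationPort"):
        port = event.get(key)
        if port in FTP_PORTS:
            return f"port:{port}"
    # Keyword match anywhere in the record (case-insensitive, as a search would be).
    if any("FTP" in str(value).upper() for value in event.values()):
        return "keyword:FTP"
    return None


def find_ftp_events(events):
    """Return the subset of events the broad filter would surface."""
    return [e for e in events if ftp_match_reason(e) is not None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventType"], e["DestinationPort"],
              "rule" if firewall_ftp_control_rule(e) else "-",
              ftp_match_reason(e))
```

Note that the keyword clause is what makes the filter catch "most everything", but it is also the part that over-matches: the last sample is a proxy CONNECT to a host whose name merely contains "ftp", which the narrow port-21 rule ignores. Start from the broad filter in a historical nDepth search to see what your sources actually emit, then tighten the rule you alert on.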