topic Re: Help with Antispam alert in Alerting

Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 16:45:20 GMT

Good day team,

I am trying to create an alert for anti-spam, it is supposed to send an email to me if someone sends more than 10 emails in 5 minutes. However, I cannot make it work for some reason. Could you please help me with this?

This is the search I am using:

host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count by from name subject |where count >= 10

These are the alert settings:

Settings

Alert name: SPAM
Alert Type: Real-time

Trigger condition

Trigger alert when: Per-Result

Trigger actions

When triggered: Send email

Best regards.

Re: Help with Antispam alert

micahkemp — Fri, 12 Jan 2018 18:05:23 GMT

Can you paste samples of the logs that this search would make use of?

Re: Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 20:56:21 GMT

2018:01:12-13:13:38 smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xxx.xxx" from="name@domain.com" to="name@mydomain.com" subject="AN EMAIL" queueid="1ea4lm-0000mm-Gp" size="6000"

Re: Help with Antispam alert

micahkemp — Fri, 12 Jan 2018 21:06:38 GMT

I think maybe the issue is you also grouped by subject, which means it would only fire if the same subject was sent multiple times. Try this:

host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count, values(name) AS name BY from subject | where count >= 10

Re: Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 21:06:39 GMT

This will be one example:

Re: Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 21:24:48 GMT

I tested your search, however, is not showing the results as I need to see it. Usually the spams send the same subject to many users, "Account information" for instance, so I need it to send me an email if someone sends more than 10 emails with the same subject (which I could verify if is a spam).

Re: Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 21:26:36 GMT

Is worth mentioning that for test purposes, I changed the rule to report >= 5 emails, I sent 5 emails to different email addresses with the same subject, but the alert did not trigger, not sure what is happening.

Re: Help with Antispam alert

micahkemp — Fri, 12 Jan 2018 21:37:04 GMT

Edited my answer to reflect grouping by from and subject.

Re: Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 21:43:16 GMT

Ok, I changed my search as you suggested and sent 5 emails (the rule was changed to >=4) but the alert was not triggered according to splunk. However, if I open the alert search, it founds my test.

Re: Help with Antispam alert

micahkemp — Fri, 12 Jan 2018 21:57:31 GMT

So the search works outside of the alert, but the alert isn't firing from the scheduled run?

Re: Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 21:59:41 GMT

This is the alert configuration:

Re: Help with Antispam alert

micahkemp — Fri, 12 Jan 2018 22:03:38 GMT

That search runs once per hour. If you want it to run every 5 minutes change your cron expression to:

*/5 * * * *

As you have it now it runs only when minute=1 (which will only happen once per hour).

Re: Help with Antispam alert

ccuadra — Fri, 12 Jan 2018 22:16:18 GMT

That was my problem, now its working like a charm!!! You are a genius.