Alerting

Alert on count of email sender is seen 5 times within 1 hour

AyeDefo
Engager

I'm trying to create a search to output a list of unique senders where that sender has generated a DLP log 5 times or more within a 24 hour period.
Ideally this should not count the same email more than once if the single email triggers multiple policy hits in the policy field.

What I have so far:

index=dlp eventtype=symantec_dlp_alert
| bucket span=24h  _time
| stats count by _time sender
| where count > 5
| sort -count

But the output does not seem right. Any guidance would be much appreciated.

0 Karma
1 Solution

woodcock
Esteemed Legend

I don't have these logs in front of me but you should have some kind of unique identifier for the email ( subject, mid, etc.) so let's assume your data has mid and do it like this:

 index=dlp eventtype=symantec_dlp_alert
 | bucket span=24h _time
 | stats dc(mid) BY _time sender
 | search count > 5
 | sort 0 - count

View solution in original post

woodcock
Esteemed Legend

I don't have these logs in front of me but you should have some kind of unique identifier for the email ( subject, mid, etc.) so let's assume your data has mid and do it like this:

 index=dlp eventtype=symantec_dlp_alert
 | bucket span=24h _time
 | stats dc(mid) BY _time sender
 | search count > 5
 | sort 0 - count

gfreitas
Builder

Try to replace the stats count by _time sender for stats dc(sender) as count by _time
The dc command is distinct count of values for that field

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...