Alert when an email sender is seen 5 times within 1 hour

AyeDefo
Engager

I'm trying to create a search to output a list of unique senders where that sender has generated a DLP log 5 times or more within a 24-hour period.
Ideally this should not count the same email more than once if a single email triggers multiple policy hits in the policy field.

What I have so far:

index=dlp eventtype=symantec_dlp_alert
| bucket span=24h  _time
| stats count by _time sender
| where count > 5
| sort -count

But the output does not seem right. Any guidance would be much appreciated.

1 Solution

woodcock
Esteemed Legend

I don't have these logs in front of me, but you should have some kind of unique identifier for the email (subject, mid, etc.), so let's assume your data has mid and do it like this:

index=dlp eventtype=symantec_dlp_alert
| bucket span=24h _time
| stats dc(mid) AS count BY _time sender
| where count >= 5
| sort 0 -count

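As an added example (not part of the original thread): the accepted search modelled in Python over a constructed set of DLP events, so you can see why `stats count BY _time sender` over-counts a sender whose single email trips several policies, while `dc(mid)` counts each email once. The field names `_time`, `sender`, `mid` and `policy`, the threshold of 5, and the alignment of 24h buckets to midnight UTC are assumptions made for the illustration, not facts about Symantec DLP.

```python
"""Model of the accepted SPL answer, run over constructed DLP events.

Emulates:
    index=dlp eventtype=symantec_dlp_alert
    | bucket span=24h _time
    | stats dc(mid) AS count BY _time sender
    | where count >= 5
    | sort 0 -count

and contrasts it with the original `stats count BY _time sender`,
which counts policy-hit events rather than distinct emails.
"""
from collections import defaultdict
from datetime import datetime, timezone

BUCKET_SECONDS = 24 * 3600  # span=24h
THRESHOLD = 5               # "5 times or more" -> count >= 5

# Constructed sample events (not real Symantec DLP output). The field
# names _time, sender, mid and policy are assumptions about the schema.
_DAY1 = int(datetime(2024, 3, 1, tzinfo=timezone.utc).timestamp())


def _ev(hour, sender, mid, policy):
    return {"_time": _DAY1 + hour * 3600, "sender": sender,
            "mid": mid, "policy": policy}


SAMPLE_EVENTS = (
    # alice: five distinct emails, one policy hit each
    [_ev(h, "alice@example.com", f"a{h}", "PCI") for h in range(1, 6)]
    # bob: two emails, each tripping three policies -> six events, two emails
    + [_ev(9, "bob@example.com", "b1", p) for p in ("PCI", "PII", "HIPAA")]
    + [_ev(10, "bob@example.com", "b2", p) for p in ("PCI", "PII", "HIPAA")]
    # carol: six distinct emails, but split three per day across the boundary
    + [_ev(h, "carol@example.com", f"c{h}", "PII")
       for h in (20, 21, 22, 25, 26, 27)]
)


def bucket_24h(ts):
    """`bucket span=24h _time`: align to the start of a 24h window (UTC here)."""
    return ts - ts % BUCKET_SECONDS


def stats_by_bucket_sender(events):
    """Return {(bucket, sender): (event_count, distinct_mid_count)}."""
    counts = defaultdict(int)
    mids = defaultdict(set)
    for e in events:
        key = (bucket_24h(e["_time"]), e["sender"])
        counts[key] += 1          # stats count
        mids[key].add(e["mid"])   # stats dc(mid)
    return {k: (counts[k], len(mids[k])) for k in counts}


def _threshold(events, index, threshold):
    rows = []
    for (bucket, sender), tup in stats_by_bucket_sender(events).items():
        value = tup[index]
        if value >= threshold:                      # where count >= 5
            rows.append({"_time": bucket, "sender": sender, "count": value})
    rows.sort(key=lambda r: (-r["count"], r["sender"]))  # sort 0 -count
    return rows


def flag_by_event_count(events, threshold=THRESHOLD):
    """The original search: stats count BY _time sender (counts policy hits)."""
    return _threshold(events, 0, threshold)


def flag_by_distinct_emails(events, threshold=THRESHOLD):
    """The accepted answer: stats dc(mid) AS count BY _time sender."""
    return _threshold(events, 1, threshold)


if __name__ == "__main__":
    for label, fn in (("stats count", flag_by_event_count),
                      ("stats dc(mid)", flag_by_distinct_emails)):
        print(label)
        for r in fn(SAMPLE_EVENTS):
            day = datetime.fromtimestamp(r["_time"], tz=timezone.utc).date()
            print(f"  {day} {r['sender']} count={r['count']}")
```

With this data the event-count version flags bob (six policy hits from two emails) and alice, whereas the distinct-mid version flags only alice, which is what the question asked for; carol never reaches five in any single 24h bucket. Note that `bucket span=24h` in Splunk aligns windows to fixed boundaries, so a sender who spreads emails across a boundary, as carol does here, will not alert even though six emails went out within 24 hours of each other.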
gfreitas
Builder

Try replacing `stats count by _time sender` with `stats dc(sender) as count by _time`.
The dc command is the distinct count of values for that field.
