I'm trying to create a search to output a list of unique senders where that sender has generated a DLP log 5 times or more within a 24-hour period.
Ideally this should not count the same email more than once if a single email triggers multiple policy hits in the policy field.
What I have so far:
| bucket span=24h _time
| stats count by _time sender
| where count > 5
| sort -count
But the output does not seem right. Any guidance would be much appreciated.
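One way to get the distinct-per-message count, written here as an added example rather than code from the original post. It assumes the DLP events carry a field that uniquely identifies a message (called `message_id` below; substitute whatever your sourcetype actually provides, such as a queue ID) and uses placeholder index and sourcetype names. `dc()` counts distinct message IDs per sender per bucket, so an email that fires several policies still counts once, and `where emails >= 5` matches "5 times or more" rather than "more than 5":

```spl
index=<your_index> sourcetype=<your_dlp_sourcetype>
| bin span=24h _time
| stats dc(message_id) AS emails, values(policy) AS policies BY _time sender
| where emails >= 5
| sort - emails
```

`bin` (the same command as `bucket`) aligns the 24-hour buckets to fixed boundaries, so a burst of messages that straddles midnight is split across two buckets and may never reach the threshold in either. If a rolling 24-hour window is what you need, replace the `bin`/`stats` pair with `streamstats time_window=24h dc(message_id) AS emails BY sender` and keep the `where` filter; the `values(policy)` column is optional but is useful for seeing which policies the sender is tripping.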