Good day team,
I am trying to create an anti-spam alert. It is supposed to send an email to me if someone sends more than 10 emails in 5 minutes. However, I cannot make it work for some reason. Could you please help me with this?
This is the search I am using:
host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count by from name subject |where count >= 10
These are the alert settings:
Settings
Alert name: SPAM
Alert Type: Real-time
Trigger condition
Trigger alert when: Per-Result
Trigger actions
When triggered: Send email
Best regards.
I think maybe the issue is you also grouped by subject, which means it would only fire if the same subject was sent multiple times. Try this:
host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count, values(name) AS name BY from subject | where count >= 10
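To see what the grouping keys in that `stats ... BY` clause actually decide, here is the same logic written in Python over constructed sample events (this is an added example, not part of the thread or of any Splunk code; the event layout follows the SecureMail `email passed` line quoted later in the thread, and the senders, recipients and queue ids are made up):

```python
import re
from collections import Counter

# Constructed sample events (not taken from the thread); the key="value" layout follows
# the SecureMail "email passed" line the poster quoted.
def _event(sender, recipient, subject, queueid, name="email passed"):
    return ('2018:01:12-13:13:38 smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" '
            'severity="info" sys="SecureMail" sub="smtp" name="%s" '
            'srcip="xxx.xxx.xxx.xxx" from="%s" to="%s" subject="%s" '
            'queueid="%s" size="6000"' % (name, sender, recipient, subject, queueid))

SAMPLE_LOGS = (
    # One external sender, one subject, five different recipients: the pattern to catch.
    [_event("bulk@example.net", "user%d@mydomain.com" % i, "Account information", "q%04d" % i)
     for i in range(5)]
    # Normal traffic: same sender and subject, but only two recipients.
    + [_event("alice@example.org", "bob@mydomain.com", "Lunch?", "q1000"),
       _event("alice@example.org", "carol@mydomain.com", "Lunch?", "q1001")]
    # Our own admin address mass-mailing a notice: excluded by NOT admin@mydomail.com.
    + [_event("admin@mydomail.com", "user%d@mydomain.com" % i, "Maintenance tonight", "q2%03d" % i)
       for i in range(6)]
    # Bounce with an empty sender: excluded by NOT from="".
    + [_event("", "dave@mydomain.com", "Undelivered", "q3000")]
    # Rejected message: does not match the "email passed" text filter.
    + [_event("bulk@example.net", "user9@mydomain.com", "Account information", "q4000",
              name="email rejected")]
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Extract the key="value" pairs, as Splunk's automatic field extraction would."""
    return dict(KV_RE.findall(line))

def spam_candidates(lines, threshold=10, group_by=("from", "subject"),
                    exclude_senders=("admin@mydomail.com",)):
    """Python equivalent of:
         "email passed" NOT from="" NOT admin@mydomail.com
         | stats count BY <group_by> | where count >= threshold
    Returns {group_key_tuple: count} for every group at or above the threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("name") != "email passed":
            continue
        sender = ev.get("from", "")
        if sender == "" or sender in exclude_senders:
            continue
        counts[tuple(ev.get(field, "") for field in group_by)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    # Grouping by from+subject surfaces the bulk sender at a test threshold of 5.
    print(spam_candidates(SAMPLE_LOGS, threshold=5))
    # Adding "to" to the grouping splits the five messages into five groups of one,
    # so nothing reaches the threshold: the grouping keys define what "10 emails" means.
    print(spam_candidates(SAMPLE_LOGS, threshold=5, group_by=("from", "subject", "to")))
```

Every field you add to `BY` narrows what counts as "the same" email, so a field that varies per message (recipient, queue id, size) will silently stop the alert from ever reaching the threshold; `from` plus `subject` matches the "same subject to many users" pattern the poster describes.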
I tested your search; however, it is not showing the results as I need to see them. Usually spam sends the same subject to many users, "Account information" for instance, so I need it to send me an email if someone sends more than 10 emails with the same subject (which I could then verify is spam).
Edited my answer to reflect grouping by from and subject.
This is the alert configuration:
That search runs once per hour. If you want it to run every 5 minutes change your cron expression to:
*/5 * * * *
As you have it now it runs only when minute=1 (which will only happen once per hour).
That was my problem, now it's working like a charm!!! You are a genius.
Ok, I changed my search as you suggested and sent 5 emails (the rule was changed to >=4), but the alert was not triggered according to Splunk. However, if I open the alert search, it finds my test.
So the search works outside of the alert, but the alert isn't firing from the scheduled run?
This will be one example:
2018:01:12-13:13:38 smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xxx.xxx" from="name@domain.com" to="name@mydomain.com" subject="AN EMAIL" queueid="1ea4lm-0000mm-Gp" size="6000"
Can you paste samples of the logs that this search would make use of?
It is worth mentioning that for test purposes I changed the rule to report >= 5 emails. I sent 5 emails to different email addresses with the same subject, but the alert did not trigger; not sure what is happening.