Alerting

Help with Antispam alert

ccuadra
New Member

Good day team,

I am trying to create an alert for anti-spam, it is supposed to send an email to me if someone sends more than 10 emails in 5 minutes. However, I cannot make it work for some reason. Could you please help me with this?

This is the search I am using:

host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count by from name subject |where count >= 10

These are the alert settings:

Settings

Alert name: SPAM
Alert Type: Real-time

Trigger condition

Trigger alert when: Per-Result

Trigger actions

When triggered: Send email

Best regards.

0 Karma
1 Solution

micahkemp
Champion

I think maybe the issue is you also grouped by subject, which means it would only fire if the same subject was sent multiple times. Try this:

host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count, values(name) AS name BY from subject | where count >= 10

0 Karma
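To see what the accepted search does with the gateway lines quoted later in the thread, here is an added Python example (not part of the thread and not Splunk code) that parses the smtpd SCANNER key="value" format, applies the same filters as the search (name="email passed", non-empty from, the admin sender excluded), groups by (from, subject) like `stats count BY from subject`, and reports any pair with at least the threshold number of messages inside a sliding 5-minute window. The sample log lines, sender addresses and srcip value are constructed; the sliding window is an assumption that is stricter than a plain count over the search time range.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key="value" pairs and the leading timestamp of the gateway line quoted in the thread
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})')
TS_FMT = "%Y:%m:%d-%H:%M:%S"

EXCLUDED_SENDERS = {"admin@mydomail.com"}  # sender excluded in the original search


def parse_line(line):
    """Return (timestamp, fields) for one SCANNER line, or None if it does not parse."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), TS_FMT)
    return ts, dict(KV_RE.findall(line))


def passes_filter(fields):
    # Mirrors: "email passed" NOT from="" NOT admin@mydomail.com
    return (fields.get("name") == "email passed"
            and fields.get("from", "") != ""
            and fields["from"] not in EXCLUDED_SENDERS)


def bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Group by (from, subject) and return {(from, subject): peak count} for every
    pair that reaches `threshold` messages within any window of length `window`."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if passes_filter(f):
            times[(f["from"], f["subject"])].append(ts)
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                hits[key] = max(hits.get(key, 0), n)
    return hits


def make_line(ts, sender, rcpt, subject):
    # Constructed sample line in the format quoted in the thread (srcip is a documentation address)
    return (f'{ts} smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" '
            f'sys="SecureMail" sub="smtp" name="email passed" srcip="203.0.113.5" '
            f'from="{sender}" to="{rcpt}" subject="{subject}" queueid="1ea4lm-0000mm-Gp" size="6000"')


def sample_log():
    """Constructed log: one bulk sender, one normal sender, one excluded sender,
    one empty sender and one slow sender whose total count is high but never bursts."""
    base = datetime(2018, 1, 12, 13, 13, 38)
    lines = []
    for i in range(12):  # 12 identical-subject mails to different users in under 3 minutes
        ts = (base + timedelta(seconds=15 * i)).strftime(TS_FMT)
        lines.append(make_line(ts, "bulk@example.net", f"user{i}@mydomain.com", "Account information"))
    for i in range(3):   # normal traffic, well under the threshold
        ts = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(make_line(ts, "colleague@example.org", "name@mydomain.com", f"Report {i}"))
    for i in range(20):  # excluded sender: must never alert
        ts = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(make_line(ts, "admin@mydomail.com", f"user{i}@mydomain.com", "Notice"))
    lines.append(make_line(base.strftime(TS_FMT), "", "name@mydomain.com", "Bounce"))  # NOT from=""
    for i in range(11):  # 11 mails over 30 minutes: high total, at most 2 in any 5-minute window
        ts = (base + timedelta(minutes=3 * i)).strftime(TS_FMT)
        lines.append(make_line(ts, "slow@example.com", f"user{i}@mydomain.com", "Newsletter"))
    return lines


if __name__ == "__main__":
    for (sender, subject), n in bursts(sample_log()).items():
        print(f"ALERT: {sender} sent {n} messages with subject {subject!r} within 5 minutes")
```

Run as-is it reports only the bulk sender. The slow sender would show count=11 in a plain `stats count` over a wide search range, which is why the scheduled search's time range and schedule (the `*/5 * * * *` cron given later in the thread) matter as much as the `where count >= 10` clause.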

ccuadra
New Member

I tested your search; however, it is not showing the results as I need to see them. Usually the spams send the same subject to many users, "Account information" for instance, so I need it to send me an email if someone sends more than 10 emails with the same subject (which I could verify if it is spam).

0 Karma

micahkemp
Champion

Edited my answer to reflect grouping by from and subject.

0 Karma

ccuadra
New Member

This is the alert configuration:

Alert

0 Karma

micahkemp
Champion

That search runs once per hour. If you want it to run every 5 minutes change your cron expression to:

*/5 * * * *

As you have it now it runs only when minute=1 (which will only happen once per hour).

0 Karma

ccuadra
New Member

That was my problem, now it's working like a charm!!! You are a genius.

0 Karma

ccuadra
New Member

Ok, I changed my search as you suggested and sent 5 emails (the rule was changed to >=4), but the alert was not triggered according to Splunk. However, if I open the alert search, it finds my test.

0 Karma

micahkemp
Champion

So the search works outside of the alert, but the alert isn't firing from the scheduled run?

0 Karma

ccuadra
New Member

This will be one example:

2018:01:12-13:13:38 smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xxx.xxx" from="name@domain.com" to="name@mydomain.com" subject="AN EMAIL" queueid="1ea4lm-0000mm-Gp" size="6000"

0 Karma

micahkemp
Champion

Can you paste samples of the logs that this search would make use of?

0 Karma

ccuadra
New Member

2018:01:12-13:13:38 smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xxx.xxx" from="name@domain.com" to="name@mydomain.com" subject="AN EMAIL" queueid="1ea4lm-0000mm-Gp" size="6000"

0 Karma

ccuadra
New Member

It is worth mentioning that for test purposes I changed the rule to report >= 5 emails. I sent 5 emails to different email addresses with the same subject, but the alert did not trigger; not sure what is happening.

0 Karma