Alerting

Help with Antispam alert

ccuadra
New Member

Good day team,

I am trying to create an alert for anti-spam, it is supposed to send an email to me if someone sends more than 10 emails in 5 minutes. However, I cannot make it work for some reason. Could you please help me with this?

This is the search I am using:

host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count by from name subject |where count >= 10

These are the alert settings:

Settings

Alert name: SPAM
Alert Type: Real-time

Trigger condition

Trigger alert when: Per-Result

Trigger actions

When triggered: Send email

Best regards.

1 Solution

micahkemp
Champion

I think maybe the issue is you also grouped by subject, which means it would only fire if the same subject was sent multiple times. Try this:

host="10.10.10.10" "email passed" NOT from="" NOT admin@mydomail.com | stats count, values(name) AS name BY from subject | where count >= 10


ccuadra
New Member

I tested your search; however, it is not showing the results as I need to see them. Usually spam sends the same subject to many users, "Account information" for instance, so I need it to send me an email if someone sends more than 10 emails with the same subject (which I could then verify is spam).


micahkemp
Champion

Edited my answer to reflect grouping by from and subject.


ccuadra
New Member

This is the alert configuration:

Alert


micahkemp
Champion

That search runs once per hour. If you want it to run every 5 minutes change your cron expression to:

*/5 * * * *

As you have it now it runs only when minute=1 (which will only happen once per hour).


ccuadra
New Member

That was my problem, now it's working like a charm!!! You are a genius.


ccuadra
New Member

Ok, I changed my search as you suggested and sent 5 emails (the rule was changed to >=4), but the alert was not triggered according to Splunk. However, if I open the alert search, it finds my test.


micahkemp
Champion

So the search works outside of the alert, but the alert isn't firing from the scheduled run?


ccuadra
New Member

This is one example:

2018:01:12-13:13:38 smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xxx.xxx" from="name@domain.com" to="name@mydomain.com" subject="AN EMAIL" queueid="1ea4lm-0000mm-Gp" size="6000"


micahkemp
Champion

Can you paste samples of the logs that this search would make use of?


ccuadra
New Member

2018:01:12-13:13:38 smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx.xxx.xxx.xxx" from="name@domain.com" to="name@mydomain.com" subject="AN EMAIL" queueid="1ea4lm-0000mm-Gp" size="6000"


ccuadra
New Member

It is worth mentioning that for test purposes I changed the rule to report >= 5 emails. I sent 5 emails to different email addresses with the same subject, but the alert did not trigger; I am not sure what is happening.

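As an added example (not from any poster in this thread), here is the detection logic the thread converges on, implemented in Python over constructed log lines in the SecureMail smtpd layout quoted above: parse the key="value" fields, keep only name="email passed" events with a sender, group by from and subject, and flag any group that reaches the threshold inside a 5-minute sliding window. The sender addresses, subjects, the admin exclusion address and the "email rejected" name value are all constructed, not taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y:%m:%d-%H:%M:%S"            # timestamp layout of the smtpd lines
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs after the SCANNER prefix

def make_line(ts, sender, rcpt, subject, name="email passed"):
    """Build a constructed log line in the SecureMail smtpd layout quoted in the thread."""
    return (f'{ts:{TS_FMT}} smtp_gateway smtpd[3024]: SCANNER[3024]: id="1000" severity="info" '
            f'sys="SecureMail" sub="smtp" name="{name}" srcip="xxx.xxx.xxx.xxx" from="{sender}" '
            f'to="{rcpt}" subject="{subject}" queueid="1ea4lm-0000mm-Gp" size="6000"')

T0 = datetime(2018, 1, 12, 13, 13, 38)
SAMPLE_LOGS = (
    # one sender pushing the same subject to five different users within four minutes
    [make_line(T0 + timedelta(seconds=50 * i), "spammer@domain.com", f"user{i}@mydomain.com", "Account information") for i in range(5)]
    # same sender and subject 20 minutes later: outside any 5-minute window
    + [make_line(T0 + timedelta(minutes=20), "spammer@domain.com", "user9@mydomain.com", "Account information")]
    # a busy legitimate sender: five mails, five different subjects
    + [make_line(T0 + timedelta(seconds=10 * i), "alice@domain.com", "bob@mydomain.com", f"Re: report {i}") for i in range(5)]
    # a line whose name is not "email passed" ("email rejected" is a constructed value); must be ignored
    + [make_line(T0, "spammer@domain.com", "user7@mydomain.com", "Account information", name="email rejected")]
)

def parse_line(line):
    """Return (timestamp, fields) for one smtpd log line."""
    return datetime.strptime(line.split(" ", 1)[0], TS_FMT), dict(KV_RE.findall(line))

def spam_candidates(lines, threshold=10, window=timedelta(minutes=5),
                    group_by=("from", "subject"), exclude_from=("admin@mydomain.com",)):
    """Python equivalent of: name="email passed" NOT from="" NOT <admin> | stats count BY <group_by>
    | where count >= threshold, counted over a sliding window rather than one scheduled interval.
    exclude_from mirrors the NOT admin@... clause (constructed address). Returns {key: peak count}."""
    stamps = defaultdict(list)
    for line in lines:
        ts, f = parse_line(line)
        if f.get("name") != "email passed" or not f.get("from") or f["from"] in exclude_from:
            continue
        stamps[tuple(f.get(k, "") for k in group_by)].append(ts)
    hits = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:    # slide the window forward past stale events
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits
```

Counting per (from, subject) flags the one bulk sender while a legitimate sender of five unrelated mails stays quiet; the same data grouped by from alone flags both, which is the difference the thread argues about.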