Reporting

Detect blocked and delivered emails from same sender

abhik1501
New Member

I am trying to write a splunk query to detect blocked emails from same sender for a particular subject line and and allowed emails for same sender with different subject line or recipient group.

Example

Sender: attacker@xyz.com
Recepient : victim1@abc.com
Subject : Subject1
Action : Blocked

Sender: attacker@xyz.com
Recepient: victim1@abc.com or victim2@abc.com
Subject : Subject2
Action : Allowed

Any ideas will be appreciated

0 Karma

to4kawa
Ultra Champion

Hi, Mail log is multiline. Is there the queue as a key? so

.....
| stats values(*) as * by queue
| search Action=Block

how about it?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@abhik1501,

Assuming you have a field Action and sender, try this,

"your base search"  (Action="Blocked" OR Action="Allowed")
|stats values(Action) as Actions,values(other_fields) as  other_fields by sender | where mvcount(Actions) > 1

where other_fields are your other fields you want in result

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...