Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Detect blocked and delivered emails from same sender

abhik1501
New Member
‎11-12-2019 02:02 AM

I am trying to write a splunk query to detect blocked emails from same sender for a particular subject line and and allowed emails for same sender with different subject line or recipient group.

Example

Sender: attacker@xyz.com
Recepient : victim1@abc.com
Subject : Subject1
Action : Blocked

Sender: attacker@xyz.com
Recepient: victim1@abc.com or victim2@abc.com
Subject : Subject2
Action : Allowed

Any ideas will be appreciated

0 Karma
Reply

to4kawa
Ultra Champion
‎11-12-2019 04:53 AM

Hi, Mail log is multiline. Is there the queue as a key? so

.....
| stats values(*) as * by queue
| search Action=Block

how about it?

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎11-12-2019 03:08 AM

@abhik1501,

Assuming you have a field Action and sender, try this,

"your base search"  (Action="Blocked" OR Action="Allowed")
|stats values(Action) as Actions,values(other_fields) as  other_fields by sender | where mvcount(Actions) > 1

where other_fields are your other fields you want in result

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...