I am trying to write a Splunk query to detect blocked emails from the same sender for a particular subject line, and allowed emails from the same sender with a different subject line or recipient group.
Example:
Sender: attacker@xyz.com
Recipient: victim1@abc.com
Subject: Subject1
Action: Blocked

Sender: attacker@xyz.com
Recipient: victim1@abc.com or victim2@abc.com
Subject: Subject2
Action: Allowed
Any ideas will be appreciated.
Hi, the mail log is multiline. Is the queue ID available as a key? If so:
.....
| stats values(*) as * by queue
| search Action=Blocked
How about that?
@abhik1501,
Assuming you have the fields Action and sender, try this:
"your base search" (Action="Blocked" OR Action="Allowed")
| stats values(Action) as Actions, values(other_fields) as other_fields by sender
| where mvcount(Actions) > 1
where other_fields are the other fields you want in the result.
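The same sender-level correlation that the stats/mvcount query above performs, written as an added Python example that is not from the original thread: it parses constructed key=value mail-log lines (the field names and sample addresses are assumptions) and reports senders seen with both Blocked and Allowed actions, together with the allowed recipient/subject pairs that differ from the blocked ones.

```python
import shlex
from collections import defaultdict

# Constructed sample mail-log lines (not from the original post), one event per
# delivery attempt, using the same fields the question describes.
SAMPLE_LOG = """\
sender=attacker@xyz.com recipient=victim1@abc.com subject="Subject1" action=Blocked
sender=attacker@xyz.com recipient=victim1@abc.com subject="Subject2" action=Allowed
sender=attacker@xyz.com recipient=victim2@abc.com subject="Subject2" action=Allowed
sender=newsletter@example.com recipient=victim1@abc.com subject="Weekly digest" action=Allowed
sender=spammer@example.net recipient=victim2@abc.com subject="You won" action=Blocked
"""


def parse_events(log_text):
    """Turn key=value log lines into dicts; quoted values may contain spaces."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        events.append(dict(tok.split("=", 1) for tok in shlex.split(line)))
    return events


def senders_with_mixed_actions(events):
    """Mirror of `stats values(action) by sender | where mvcount(...) > 1`:
    keep only senders seen with both Blocked and Allowed, and list the allowed
    (recipient, subject) pairs that never appeared among the blocked ones."""
    by_sender = defaultdict(lambda: defaultdict(set))
    for e in events:
        by_sender[e["sender"]][e["action"]].add((e["recipient"], e["subject"]))
    findings = {}
    for sender, pairs in by_sender.items():
        if pairs["Blocked"] and pairs["Allowed"]:
            findings[sender] = {
                "blocked": sorted(pairs["Blocked"]),
                "allowed_different": sorted(pairs["Allowed"] - pairs["Blocked"]),
            }
    return findings


if __name__ == "__main__":
    for sender, info in senders_with_mixed_actions(parse_events(SAMPLE_LOG)).items():
        print(sender)
        print("  blocked:          ", info["blocked"])
        print("  allowed (differs):", info["allowed_different"])
```

Only attacker@xyz.com is reported, because it is the only sender with both a blocked and an allowed delivery.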