Detect blocked and delivered emails from same sender

abhik1501
New Member

I am trying to write a Splunk query to detect blocked emails from the same sender for a particular subject line and allowed emails for the same sender with a different subject line or recipient group.

Example

Sender: attacker@xyz.com
Recipient: victim1@abc.com
Subject: Subject1
Action: Blocked

Sender: attacker@xyz.com
Recipient: victim1@abc.com or victim2@abc.com
Subject: Subject2
Action: Allowed

Any ideas will be appreciated

0 Karma

to4kawa
Ultra Champion

Hi, the mail log is multiline. Is there a queue as a key? So:

.....
| stats values(*) as * by queue
| search Action="Blocked"

How about it?

0 Karma

renjith_nair
Legend

@abhik1501,

Assuming you have the fields Action and sender, try this:

"your base search" (Action="Blocked" OR Action="Allowed")
| stats values(Action) as Actions, values(other_fields) as other_fields by sender
| where mvcount(Actions) > 1

where other_fields are the other fields you want in the result.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
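Worked example, added here and not part of the thread or of Splunk: the same detection written in Python over constructed mail-gateway log lines, so the grouping logic can be checked offline before it is turned into SPL. The key=value layout and the field names (sender, recipient, subject, action, queue) are assumptions. It implements both the simple check from the answer above (a sender whose events carry more than one Action value) and the stricter condition from the question (an Allowed message whose subject or recipient differs from every Blocked message of the same sender), and the sample data includes a sender where the two disagree.

```python
import re
from collections import defaultdict

# Constructed sample gateway log (not real data). The partner@corp.example
# pair models a message blocked and then released with the same subject and
# recipient, which the simple "both actions" check flags but the stricter
# check does not.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z queue=q1 sender=attacker@xyz.com recipient=victim1@abc.com subject="Subject1" action=Blocked
2024-05-01T08:00:02Z queue=q2 sender=attacker@xyz.com recipient=victim1@abc.com subject="Subject2" action=Allowed
2024-05-01T08:00:03Z queue=q3 sender=attacker@xyz.com recipient=victim2@abc.com subject="Subject2" action=Allowed
2024-05-01T08:01:00Z queue=q4 sender=newsletter@shop.example recipient=victim1@abc.com subject="Weekly deals" action=Allowed
2024-05-01T08:02:00Z queue=q5 sender=spam@bad.example recipient=victim2@abc.com subject="Win now" action=Blocked
2024-05-01T08:02:30Z queue=q6 sender=spam@bad.example recipient=victim3@abc.com subject="Win now" action=Blocked
2024-05-01T08:03:00Z queue=q7 sender=partner@corp.example recipient=victim1@abc.com subject="Invoice" action=Blocked
2024-05-01T08:05:00Z queue=q8 sender=partner@corp.example recipient=victim1@abc.com subject="Invoice" action=Allowed
"""

# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Extract key=value fields from one log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(2)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def group_by_sender(log_text):
    """Equivalent of `... | stats ... by sender`: events keyed by sender."""
    by_sender = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "sender" in ev and "action" in ev:
            by_sender[ev["sender"]].append(ev)
    return by_sender


def senders_with_both_actions(log_text):
    """Simple check, as in the SPL answer: senders seen with more than one
    distinct action value (mvcount(Actions) > 1)."""
    return {
        sender
        for sender, events in group_by_sender(log_text).items()
        if len({e["action"] for e in events}) > 1
    }


def find_suspicious_senders(log_text):
    """Stricter check from the question: a sender with at least one Blocked
    message and at least one Allowed message whose (subject, recipient) pair
    matches none of that sender's Blocked messages."""
    results = {}
    for sender, events in group_by_sender(log_text).items():
        blocked = [e for e in events if e["action"] == "Blocked"]
        allowed = [e for e in events if e["action"] == "Allowed"]
        if not blocked or not allowed:
            continue
        blocked_keys = {(e.get("subject"), e.get("recipient")) for e in blocked}
        differing = [
            e for e in allowed
            if (e.get("subject"), e.get("recipient")) not in blocked_keys
        ]
        if differing:
            results[sender] = {
                "blocked_subjects": sorted({e.get("subject") for e in blocked}),
                "allowed_subjects": sorted({e.get("subject") for e in differing}),
                "allowed_recipients": sorted({e.get("recipient") for e in differing}),
            }
    return results


if __name__ == "__main__":
    print("both actions:", sorted(senders_with_both_actions(SAMPLE_LOG)))
    for sender, detail in find_suspicious_senders(SAMPLE_LOG).items():
        print(sender, detail)
```

The first function corresponds to the `where mvcount(Actions) > 1` answer; the second adds the subject/recipient comparison, which in SPL would mean carrying `values(subject)` and `values(recipient)` per action (for example with a separate `stats` by sender and Action, then joining or using `eventstats`) rather than collapsing everything into one multivalue field.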