Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Detect blocked and delivered emails from same sender

abhik1501
New Member
‎11-12-2019 02:02 AM

I am trying to write a splunk query to detect blocked emails from same sender for a particular subject line and and allowed emails for same sender with different subject line or recipient group.

Example

Sender: attacker@xyz.com
Recepient : victim1@abc.com
Subject : Subject1
Action : Blocked

Sender: attacker@xyz.com
Recepient: victim1@abc.com or victim2@abc.com
Subject : Subject2
Action : Allowed

Any ideas will be appreciated

0 Karma
Reply

to4kawa
Ultra Champion
‎11-12-2019 04:53 AM

Hi, Mail log is multiline. Is there the queue as a key? so

.....
| stats values(*) as * by queue
| search Action=Block

how about it?

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎11-12-2019 03:08 AM

@abhik1501,

Assuming you have a field Action and sender, try this,

"your base search"  (Action="Blocked" OR Action="Allowed")
|stats values(Action) as Actions,values(other_fields) as  other_fields by sender | where mvcount(Actions) > 1

where other_fields are your other fields you want in result

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...