Solved: Alert based on same domain count

balcv · ‎09-18-2019

We have email data reported in Splunk and I want to build an Alert, based on a search, that can trigger if it sees more then 250 events where the same email domain appears in the sender address.

For example, a flood of emails comes from [randomstuff]@uchc.edu among lots of other email traffic over a 30 minute period. I'm wanting the alert to trigger because it sees more than 250 events where the email domain is uchc.edu.

The alert needs to be able to identify the domain based on what is in the traffic and NOT a domain that is coded into the search.

Is this possible and is there any tips on how to create it. I apologize that I do not have any code to submit as I really do not know where to start.

balcv · ‎09-18-2019

I've figured it out. Not so hard when you put your mind to it.

index="*" 
| eval tmp=split(Sender,"@") 
| eval senderDomain=mvindex(tmp,1) 
| chart count by senderDomain 
| addtotals row=true fieldname=totalCount 
| where totalCount >= 150 
| fields - totalCount | sort -count

View solution in original post

balcv · ‎09-18-2019

I've figured it out. Not so hard when you put your mind to it.

index="*" 
| eval tmp=split(Sender,"@") 
| eval senderDomain=mvindex(tmp,1) 
| chart count by senderDomain 
| addtotals row=true fieldname=totalCount 
| where totalCount >= 150 
| fields - totalCount | sort -count

Alert based on same domain count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Join the Conversation