Solved: Alert based on same domain count

balcv · ‎09-18-2019

We have email data reported in Splunk and I want to build an Alert, based on a search, that can trigger if it sees more then 250 events where the same email domain appears in the sender address.

For example, a flood of emails comes from [randomstuff]@uchc.edu among lots of other email traffic over a 30 minute period. I'm wanting the alert to trigger because it sees more than 250 events where the email domain is uchc.edu.

The alert needs to be able to identify the domain based on what is in the traffic and NOT a domain that is coded into the search.

Is this possible and is there any tips on how to create it. I apologize that I do not have any code to submit as I really do not know where to start.

balcv · ‎09-18-2019

I've figured it out. Not so hard when you put your mind to it.

index="*" 
| eval tmp=split(Sender,"@") 
| eval senderDomain=mvindex(tmp,1) 
| chart count by senderDomain 
| addtotals row=true fieldname=totalCount 
| where totalCount >= 150 
| fields - totalCount | sort -count

View solution in original post

balcv · ‎09-18-2019

I've figured it out. Not so hard when you put your mind to it.

index="*" 
| eval tmp=split(Sender,"@") 
| eval senderDomain=mvindex(tmp,1) 
| chart count by senderDomain 
| addtotals row=true fieldname=totalCount 
| where totalCount >= 150 
| fields - totalCount | sort -count

Alert based on same domain count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation