Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with search that detects spam sent with unique subject?

roopoo
Loves-to-Learn Lots
‎10-13-2022 04:35 PM

Hi community,

I am trying to write a query that looks for bulk email (say >50) from a single sender to multiple recipients, that has a unique subject.

Sender Recipient Subject
bob @ scamm . com alice @ mycompany .net spam for alice
bob @ scamm . com jane @ mycompany .net spam for jane
bob @ scamm . com fred @ mycompany .net spam for fred

 

I can add this to my search:

 

 

| stats count by subject sender recipient | search count>50

 

 

but I just want to see results where the subjects are unique, but the sender is the same.

 

Ideally I'd like to have it spit out a table of the sender, subject(s) and recipient(s)

Thank you 

Labels (2)
Labels
0 Karma
Reply

roopoo
Loves-to-Learn Lots
‎10-13-2022 07:26 PM

I think I have it worked out:

<my email query>
| dedup subject
| eventstats count by sender
| where count >10
| table _time, sender, recipient, subject
| sort - sender

 

I can run this over say an hour and detect what I want. If anyone can advise if this is the most efficient / best way to do this please let me know! Thanks

0 Karma
Reply

roopoo
Loves-to-Learn Lots
‎10-13-2022 05:32 PM

Still thinking...  If I go back to basics and | dedup the subject I get partially what I am after, however I want the sender count to be greater than 50 so I filter out noise.  Am I on the right track here? Can I achieve this?

 

0 Karma
Reply

roopoo
Loves-to-Learn Lots
‎10-13-2022 04:43 PM

Some more thoughts on this - I think I need to do a search for email received within a given time, say 5 minutes. This would be the spammer doing their spamming, which I think my above query covers off.  Then I need to look within those results for the unique subjects, but the same sender. This is the part I am needing assistance with.  I hope this makes sense! Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...