Re: How to identify an unusual source sending a hi...

AL3Z · ‎06-12-2023

Hi,

I'm trying to build a search query for the Unexpected Host Sending a Large Amount of Email in which i need to Exclude the vcp public wifi anything come from 172 Host.

| tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.app=*smtp* ` `unexpected_host_sending_a_large_amount_of_email_filter` NOT All_Traffic.dest=167.228.0.0/16 by All_Traffic.src All_Traffic.dest All_Traffic.src_category _time span=1h | rename All_Traffic.* as * | bin _time span=1d as day | eventstats dc(day) as day_count by src |

How to edit the search accordingly.
Thanks.

AL3Z · ‎06-20-2023

@caiosalonso

How do we exclude src_ip!=172.30.* AND FromZone!="WIRELESS_VCP_ACTIVATION" from datamodel Network_Traffic its not working as expected.

caiosalonso · ‎06-13-2023

Hi,

Just to confirm, do you need to add a filter to exclude events from a specifc Source IP Address in this query?

AL3Z · ‎06-16-2023

yes

How to identify an unusual source sending a high volume of emails, excluding VCP public wifi from the 172 Host?

stats

subsearch

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?