Re: How to identify an unusual source sending a hi...

AL3Z · ‎06-12-2023

Hi,

I'm trying to build a search query for the Unexpected Host Sending a Large Amount of Email in which i need to Exclude the vcp public wifi anything come from 172 Host.

| tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.app=*smtp* ` `unexpected_host_sending_a_large_amount_of_email_filter` NOT All_Traffic.dest=167.228.0.0/16 by All_Traffic.src All_Traffic.dest All_Traffic.src_category _time span=1h | rename All_Traffic.* as * | bin _time span=1d as day | eventstats dc(day) as day_count by src |

How to edit the search accordingly.
Thanks.

AL3Z · ‎06-20-2023

@caiosalonso

How do we exclude src_ip!=172.30.* AND FromZone!="WIRELESS_VCP_ACTIVATION" from datamodel Network_Traffic its not working as expected.

caiosalonso · ‎06-13-2023

Hi,

Just to confirm, do you need to add a filter to exclude events from a specifc Source IP Address in this query?

AL3Z · ‎06-16-2023

yes

How to identify an unusual source sending a high volume of emails, excluding VCP public wifi from the 172 Host?

stats

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?