How to identify an unusual source sending a high v...

AL3Z · ‎06-12-2023

Hi,

I'm trying to build a search query for the Unexpected Host Sending a Large Amount of Email in which i need to Exclude the vcp public wifi anything come from 172 Host.

| tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.app=*smtp* ` `unexpected_host_sending_a_large_amount_of_email_filter` NOT All_Traffic.dest=167.228.0.0/16 by All_Traffic.src All_Traffic.dest All_Traffic.src_category _time span=1h | rename All_Traffic.* as * | bin _time span=1d as day | eventstats dc(day) as day_count by src |

How to edit the search accordingly.
Thanks.

AL3Z · ‎06-20-2023

@caiosalonso

How do we exclude src_ip!=172.30.* AND FromZone!="WIRELESS_VCP_ACTIVATION" from datamodel Network_Traffic its not working as expected.

caiosalonso · ‎06-13-2023

Hi,

Just to confirm, do you need to add a filter to exclude events from a specifc Source IP Address in this query?

AL3Z · ‎06-16-2023

yes

How to identify an unusual source sending a high volume of emails, excluding VCP public wifi from the 172 Host?

stats

subsearch

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Are you a member of the Splunk Community?