Re: How to query alerts by a specific personal dom...

brc55 · ‎08-04-2020

Hello,

I'm trying to put a query together to monitor/view emails being sent externally to a personal domain.

i.e. johnsmith@corporation.com to john@smith.com or johnsmith@personalbusiness.com

I'm not looking for external personal email addresses like johnsmith@gmail or hotmail.com, etc. Specifically domains that have some correlation to the users name that appear to be a personal domain.

index=***this is a corp. email index*** (from_domain="corp.com" AND rcpt_domain="??????")

Any help is appreciated! Thanks!

putnamblake · ‎08-04-2020

If the values you provided are fields or sources in your Splunk instance, and data for all outbound email domains is rolling into "rcpt_domain" why not exclude the known personal email domains you mentioned.

EX: index=Your_email_index from_domain=corp.com rcpt_domain NOT ("*gmail.com" OR "*hotmail.com" OR "*yahoo.com" OR "*aol.com") AND rcpt_domain=*

| rename from_domain as "Received From" , rcpt_domain as "Sent To Personal Domain"
|stats count by "Received From","Sent To Personal Domain"

brc55 · ‎08-05-2020

Thanks @putnamblake but unfortunately, that's not working. I think there may need to be some regex involved to help identify/match the from (corporate) email addresses to the personal domains.

putnamblake · ‎08-05-2020

Can you post a sample of the logs please?

How to query alerts by a specific personal domains?

lookup

regex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation