Hello,
I'm trying to put a query together to monitor/view emails being sent externally to a personal domain.
i.e. johnsmith@corporation.com to john@smith.com or johnsmith@personalbusiness.com
I'm not looking for external personal email addresses like johnsmith@gmail.com or hotmail.com, etc. Specifically domains that have some correlation to the user's name and appear to be a personal domain.
index=***this is a corp. email index*** (from_domain="corp.com" AND rcpt_domain="??????")
Any help is appreciated! Thanks!
If the values you provided are fields or sources in your Splunk instance, and data for all outbound email domains is rolling into "rcpt_domain", why not exclude the known personal email domains you mentioned?
EX: index=Your_email_index from_domain=corp.com rcpt_domain=* NOT (rcpt_domain="*gmail.com" OR rcpt_domain="*hotmail.com" OR rcpt_domain="*yahoo.com" OR rcpt_domain="*aol.com")
| rename from_domain as "Received From", rcpt_domain as "Sent To Personal Domain"
| stats count by "Received From", "Sent To Personal Domain"
Thanks @putnamblake, but unfortunately that's not working. I think there may need to be some regex involved to help identify/match the from (corporate) email addresses to the personal domains.
Can you post a sample of the logs please?
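The name-to-domain correlation the asker is after, as an added example that is not part of this thread: a Python sketch of the detection logic run over constructed log lines, meant to be translated into SPL (rex/eval) once the real field names are known. The `from=`/`rcpt=` log format, the freemail list, `corp.com` and the minimum token length are assumptions.

```python
import re

CORP_DOMAIN = "corp.com"
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "aol.com", "outlook.com"}
MIN_LEN = 3  # ignore initials and other fragments too short to be meaningful

# Constructed sample of outbound mail log lines (not from the thread).
SAMPLE_LOGS = [
    "from=johnsmith@corp.com rcpt=john@smith.com",
    "from=johnsmith@corp.com rcpt=js@johnsmithconsulting.com",
    "from=johnsmith@corp.com rcpt=johnsmith@personalbusiness.com",  # no name in domain
    "from=jane.doe@corp.com rcpt=jane.doe@gmail.com",                # freemail, excluded
    "from=jane.doe@corp.com rcpt=invoices@acme-supplier.com",
    "from=a.li@corp.com rcpt=li@li.org",                             # too short to trust
    "from=bob_jones@corp.com rcpt=bob@jonesfamily.net",
]

LINE_RE = re.compile(r"from=(?P<sender>\S+@\S+)\s+rcpt=(?P<rcpt>\S+@\S+)")

def domain_label(domain):
    """Second-level label: smith.com -> smith (crude; ignores ccTLD suffixes like co.uk)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def correlated_tokens(sender_local, label):
    """Name fragments shared between the sender's local part and the recipient domain label."""
    tokens = [t for t in re.split(r"[._+-]", sender_local.lower()) if len(t) >= MIN_LEN]
    hits = {t for t in tokens if t in label}                 # bob_jones -> jonesfamily.net
    joined = re.sub(r"[^a-z0-9]", "", sender_local.lower())
    if len(label) >= MIN_LEN and label in joined:            # johnsmith -> smith.com
        hits.add(label)
    return sorted(hits)

def find_personal_domain_sends(lines):
    """(sender, rcpt_domain, shared_tokens) for each send to a name-correlated external domain."""
    findings = []
    for m in filter(None, map(LINE_RE.search, lines)):
        rcpt_domain = m["rcpt"].rsplit("@", 1)[1].lower()
        if rcpt_domain == CORP_DOMAIN or rcpt_domain in FREEMAIL:
            continue  # internal mail and freemail are out of scope for this check
        hits = correlated_tokens(m["sender"].split("@", 1)[0], domain_label(rcpt_domain))
        if hits:
            findings.append((m["sender"], rcpt_domain, hits))
    return findings

if __name__ == "__main__":
    for sender, domain, hits in find_personal_domain_sends(SAMPLE_LOGS):
        print(f"{sender} -> {domain}  (shared: {', '.join(hits)})")
```

Short tokens such as "may" or "lee" will still produce review noise against ordinary business domains, so treat the output as a triage list rather than an alert.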