Hi
I am trying to explore more ways to check if business email compromise is happening in our organization, before the end user recognises it.
I have a list of domains that we usually communicate with; there are around 490 domains I have listed and added to a CSV file. There is an index which is updated in real time and has logs from Mimecast. I would like to list out domains which are trying to establish email communication with our organization and which are not in the CSV file.
So if a non-matching domain is emailing us, it should be displayed in a dashboard. Is this possible?
50000
Subsearches are limited to 50,000 events - can you break the CSV down into smaller files?
index= mimecast NOT [ | inputlookup Sender1.csv | return Sender ] AND NOT [ | inputlookup Sender2.csv | return Sender ] AND NOT [ | inputlookup Sender3.csv | return Sender ]
This is my search string.
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ]
The number of rows in the CSV is now reduced to 34,000.
The search result is the same if I do a search for
index=mimecast
or
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ]
It is still not filtering or removing the email addresses listed in the CSV.
Try without the return:
index=mimecast NOT [ | inputlookup Sender1.csv ]
No change, it is still showing all the results.
No filtering applied.
It gives the error:
Regex: regular expression is too large
How many rows does the CSV file have?
A search for data in an index that is not in a CSV file would look something like this:
index=mimecast NOT [ | inputlookup domains.csv | return 1000 domain ]
I'm assuming the index and the CSV file use the same field names. If that is not the case then a rename will be needed after the inputlookup.
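The check the original post asks for (flag senders whose domain is not in the known-domain CSV) as a stand-alone Python example, added here and not code from the thread or from Mimecast or Splunk. It assumes log records in JSON with a hypothetical "senderAddress" field (real Mimecast field names differ) and a CSV column named "Sender", as in the thread. Because the thread's CSV holds full email addresses while the goal is to compare domains, the example normalises both sides to a lowercase domain before comparing, and it counts records that carry no sender field rather than silently dropping them.

```python
"""Flag inbound mail whose sender domain is not on an allow-list CSV.

Added example, not from the original thread. Field names ("senderAddress",
the "Sender" CSV column) are assumptions; adjust them to your own data.
"""
import csv
import io
import json

# Constructed allow-list CSV: a mix of bare domains and full addresses, with
# stray whitespace and mixed case, as real-world lists tend to have.
KNOWN_SENDERS_CSV = """Sender
partner.example
Billing@Vendor.example
  supplier.example
"""

# Constructed log records standing in for the mimecast index (not real data).
SAMPLE_LOGS = [
    '{"senderAddress": "alice@partner.example", "recipientAddress": "bob@corp.example", "subject": "Q3 invoice"}',
    '{"senderAddress": "billing@vendor.example", "recipientAddress": "ap@corp.example", "subject": "Statement"}',
    '{"senderAddress": "ceo@corp-example.com", "recipientAddress": "cfo@corp.example", "subject": "Urgent wire"}',
    '{"senderAddress": "noreply@supplier.example", "recipientAddress": "ops@corp.example", "subject": "Shipment"}',
    '{"senderAddress": "<it-support@partner.example.co>", "recipientAddress": "helpdesk@corp.example", "subject": "Reset"}',
    '{"recipientAddress": "bob@corp.example", "subject": "record with no sender field"}',
]


def sender_domain(value):
    """Normalise a full address or a bare domain to a lowercase domain.

    Returns None for empty or malformed values so callers can count them
    instead of treating them as a (bogus) unknown domain.
    """
    if not value:
        return None
    value = value.strip().lower().strip("<>")
    if "@" in value:
        value = value.rsplit("@", 1)[1]
    return value or None


def load_allowlist(csv_text, column="Sender"):
    """Read the CSV and return the set of known domains."""
    domains = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = sender_domain(row.get(column, ""))
        if domain:
            domains.add(domain)
    return domains


def unknown_senders(log_lines, allowlist, field="senderAddress"):
    """Return ({domain: count} for senders not in allowlist, count of records
    lacking a sender field)."""
    counts = {}
    missing = 0
    for line in log_lines:
        record = json.loads(line)
        domain = sender_domain(record.get(field))
        if domain is None:
            missing += 1
            continue
        if domain not in allowlist:
            counts[domain] = counts.get(domain, 0) + 1
    return counts, missing


if __name__ == "__main__":
    known = load_allowlist(KNOWN_SENDERS_CSV)
    unknown, missing = unknown_senders(SAMPLE_LOGS, known)
    for domain, count in sorted(unknown.items(), key=lambda kv: -kv[1]):
        print(f"{count:5d}  {domain}")
    print(f"records without a sender field: {missing}")
```

Note that "partner.example.co" is reported as unknown even though "partner.example" is allow-listed: an exact-domain comparison is what catches look-alike domains, which is the point of this check for BEC, so resist the temptation to do a substring match. Inside Splunk itself, the same exclusion is usually done by enriching each event with `lookup` against the CSV and keeping only events where the looked-up field is null, rather than by expanding the CSV into a subsearch; that avoids the subsearch event limit and the "regular expression is too large" error seen earlier in this thread.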
Hi
I tried with the following search:
index= mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender ]
Sender1 has a list of email addresses and the field name is Sender.
The results are the same if I search with or without the filter. It is not omitting or removing the email addresses which are in the CSV file.
Does this work better?
index= mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender | format ]