Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

creating a correlation search for data exfiltration via email using datamodel

elaozz
New Member
‎12-02-2020 04:53 PM

Hi all,

I am trying to create a correlation search query for "data exfiltration via email" using email datamodel

the rule description is:  "Sending of multiple emails from a single user(outgoing email from a company employee) with total size exceeding threshold of 100MB within 30 minutes"

my current correlation search is

tstats summariesonly=true sum(All_Email.file_size) as file_size, dc(All_Email.recipient_count) as recipient_count FROM datamodel=Email.All_Email WHERE NOT All_Email.src_category="servers" BY "All_Email.src_user" _time
| `drop_dm_object_name("All_Email")`
| rex field=email "@(?<domain>.*)"
| eval direction=if(in(domain, "xxx.com.au", "yyy.com.au", "aaa.com.au"), "outbound", "inbound")
| eval file_size=round(file_size/(100000000))
| where file_size>100

and part of the result is

Capture.PNG

as you can see the src_user values show "unknown" and I only see the inbound emails.

Please share your opinion which you think it could enhance the correlation search.

Thanks

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...