Hi all, I am trying to create a correlation search query for "data exfiltration via email" using email datamodel the rule description is:  "Sending of multiple emails from a single user(outgoing email from a company employee) with total size exceeding threshold of 100MB within 30 minutes" my current correlation search is tstats summariesonly=true sum(All_Email.file_size) as file_size, dc(All_Email.recipient_count) as recipient_count FROM datamodel=Email.All_Email WHERE NOT All_Email.src_category="servers" BY "All_Email.src_user" _time | `drop_dm_object_name("All_Email")` | rex field=email "@(?<domain>.*)" | eval direction=if(in(domain, "xxx.com.au", "yyy.com.au", "aaa.com.au"), "outbound", "inbound") | eval file_size=round(file_size/(100000000)) | where file_size>100 and part of the result is as you can see the src_user values show "unknown" and I only see the inbound emails. Please share your opinion which you think it could enhance the correlation search. Thanks ... View more