Reading your question I am kinda thinking you are more referring to emails that have multiple recipients or say they go to distro groups, which to split out the recipients you would use mvexpand recipient. Using that breaks each recipient out so it is its own event. So instead of seeing the one email with 50 recipients as one item it will be the 50 items your threshold is looking for. I am using a query like this to do manual lookups for now, going to build it into a correlated search too so it will fire a notable event. To make it a higher fidelity rule you will want to add some exclusions; say your company has some sort of blast broadcast email address, you would include something like src_user!=blast address, or if you know you have multiple you may want to include a lookup table for your exclusions.
email query | mvexpand recipient | stats count(recipient) as recipients by Sender, Subject | where recipients > 10
I was wondering about this as well but want to add an exclusion list into it due to known emails that come in from certain teams where the return path is a team inbox, so it will show as sent on behalf and replies go back to the team inbox so that any replies don't get dropped, say when they are not at work. Have you had any luck with what you were trying?

Trying to figure this one out myself but throw a curve ball at it as well because I know some emails come into my environment using an email sent on behalf. So I would have a list of exclusions I would like to build into the alert. Have you had any luck figuring this out?
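The two ideas in this thread, splitting multi-valued recipients before counting (the mvexpand + stats + where pipeline in the first post) and excluding known bulk senders and sent-on-behalf team inboxes (the later posts), can be checked end to end outside Splunk. The following Python is an added example written for this page, not code from the thread or from Splunk; it re-implements the same pipeline over a handful of constructed mail events so the threshold and exclusion behaviour can be seen on sample data. Field names (src_user, subject, recipient, return_path), the exclusion sets and all addresses are assumptions chosen to mirror the posts.

```python
"""Emulate the thread's SPL pipeline in plain Python (added example, not Splunk code):

    email query
    | mvexpand recipient
    | stats count(recipient) as recipients by src_user, subject
    | where recipients > 10

with an exclusion list for approved blast senders and for team inboxes that
appear as the return path on sent-on-behalf mail.
"""
from collections import defaultdict

# Constructed sample events (not real mail logs).  'recipient' is multi-valued,
# as it is on a Splunk event before mvexpand.  Field names are assumptions.
SAMPLE_EVENTS = [
    {"src_user": "alice@example.com", "subject": "Q3 numbers",
     "recipient": ["bob@example.com", "carol@example.com"],
     "return_path": "alice@example.com"},
    # Approved company-wide broadcast: 50 recipients, should be excluded.
    {"src_user": "blast@example.com", "subject": "All hands",
     "recipient": [f"user{i}@example.com" for i in range(50)],
     "return_path": "blast@example.com"},
    # Same sender/subject split over two events: stats merges them (30 + 15).
    {"src_user": "mallory@example.net", "subject": "Invoice overdue",
     "recipient": [f"user{i}@example.com" for i in range(30)],
     "return_path": "mallory@example.net"},
    {"src_user": "mallory@example.net", "subject": "Invoice overdue",
     "recipient": [f"user{i}@example.com" for i in range(30, 45)],
     "return_path": "mallory@example.net"},
    # Sent on behalf of a team: return path is the shared inbox, should be excluded.
    {"src_user": "dave@example.com", "subject": "Ticket update",
     "recipient": [f"user{i}@example.com" for i in range(12)],
     "return_path": "team-inbox@example.com"},
]

# Hypothetical lookup tables standing in for the thread's exclusion list.
EXCLUDED_SENDERS = {"blast@example.com"}
EXCLUDED_RETURN_PATHS = {"team-inbox@example.com"}


def mvexpand(events, field):
    """Yield one copy of each event per value of a multi-valued field,
    the way Splunk's mvexpand turns one 50-recipient email into 50 events."""
    for ev in events:
        values = ev.get(field, [])
        if not isinstance(values, list):
            values = [values]
        for value in values:
            expanded = dict(ev)
            expanded[field] = value
            yield expanded


def is_excluded(ev, excluded_senders, excluded_return_paths):
    """Drop mail from approved bulk senders (src_user!=blast) and mail whose
    return path is a known team inbox (the sent-on-behalf case)."""
    return (ev.get("src_user") in excluded_senders
            or ev.get("return_path") in excluded_return_paths)


def count_recipients(events, threshold=10,
                     excluded_senders=EXCLUDED_SENDERS,
                     excluded_return_paths=EXCLUDED_RETURN_PATHS):
    """stats count(recipient) as recipients by src_user, subject
    | where recipients > threshold, applied after mvexpand and exclusions."""
    counts = defaultdict(int)
    for ev in mvexpand(events, "recipient"):
        if is_excluded(ev, excluded_senders, excluded_return_paths):
            continue
        counts[(ev["src_user"], ev["subject"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for (sender, subject), n in count_recipients(SAMPLE_EVENTS).items():
        print(f"{sender!r} {subject!r}: {n} recipients over threshold")
```

Running it reports only the mallory@example.net "Invoice overdue" group (45 recipients across its two events); the 50-recipient blast and the 12-recipient team-inbox mail are suppressed by the exclusions rather than by the threshold, which is the point of the later posts: keying the exclusion on the return path rather than on src_user is what keeps legitimate sent-on-behalf traffic from firing the alert while still counting the individual who sent it elsewhere.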