Thanks for the answer - sorry yah agree I wasn't clear enough. What I do want is be able to set up a "real time" alert to trigger on the cases where malicious emails are sent to users containing the same attachment (e.g. "resume.zip"). As usual this campaigns last for an hour or two, when a burst of 50-100 emails are sent to different users containing an attachment in (zip|7z|pdf|src|rar) format.

Running provided query I do see that separate email attachment names a grouped together, which isn't exactly what I need.

So probably a better use case would be - during the 1 pm and 3 pm there is a burst of emails containing attachment "open.zip" sent to internal users. There are in total more than 200 emails sent to internal mailboxes. So what I am looking is to set up an alert to trigger if we get at least 50 emails per hour containing the same attachment sent to various internal user mailboxes. This could be a potential indication of ongoing spam, malspam or phishing campaign.

If you run this over 2 hours (exactly) this will do it (change the last 2 to the number of hours over which the search/alert is run):

... | regex attachmentName=".*(?:zip|7z|pdf|src|rar)$" | bucket _time span=1h | stats count BY attachmentName,_time | where count > 50 | stats count BY attachmentName | where count = 2

Thanks again, somehow for this one I get the regex incorrect message... Any ideas what might be wrong here?

I am guessing that you have a field called attachmentName but probably it is called something else so you need to fix/change the first string after regex. Also I had a typo (first 2 characters swapped) but I fixed it so try it again.

oh I do change the filed name, the issue was indeed the typo, sorry didn't spot on it as well, now it works as expected! Appreciate a lot for the suggestion!