Hello, thanks in advance for the help. I'd like to filter a multivalue field to where it will only return results that contain 3 or more values. This is in regards to email querying.
I am trying to figure out when somebody's account has been phished, because when they are phished, the attacker keeps sending out gobs of spam to gmail and hotmail addresses.
My fields are _time, sender, sender_domain, recipient, and message_subject
The recipient field will have up to 100 recipients. I want it to only show results that have more than 2 recipients, and where the recipients include at least one @gmail.com or @hotmail.com address. Below is the search I use, but it obviously needs work.
sourcetype=MSExchange:2013:MessageTracking | dedup sender, recipient, message_subject, message_id | table _time sender sender_domain recipient recipient_domain message_subject | sort -_time
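One way to express the two conditions from the question (more than two recipients, and at least one of them at gmail.com or hotmail.com) is shown below. This is an added example, not the poster's search or a Splunk-supplied one. It assumes the field names from the post (sender, sender_domain, recipient, message_subject, message_id) and that recipient is already extracted as a multivalue field; if it arrives as a single comma-separated string, the commented makemv line splits it first. The burst threshold of five messages in the optional stats tail is a constructed value, not something the post states.

```spl
sourcetype="MSExchange:2013:MessageTracking"
| dedup sender, recipient, message_subject, message_id
| rex field=recipient mode=sed "s/^\s+|\s+$//g"
| eval recipient_count = mvcount(recipient)
| eval free_mail_recipients = mvfilter(match(recipient, "(?i)@(gmail|hotmail)\.com$"))
| where recipient_count > 2 AND isnotnull(free_mail_recipients)
| table _time sender sender_domain recipient recipient_count free_mail_recipients message_subject
| sort -_time
```

mvcount counts the values in a multivalue field, so a message to a single address yields 1 and drops out at the where clause. mvfilter keeps only the addresses whose domain matches the regex; when nothing matches it returns null, so isnotnull acts as the "at least one gmail.com or hotmail.com recipient" test. Because the search keeps the matched addresses in free_mail_recipients, an analyst can see which recipients triggered the hit without re-reading the full list. To turn the per-message view into a per-sender one (the actual question is "which account is compromised"), replace the table and sort lines with something like `| stats count AS suspicious_messages, sum(recipient_count) AS total_recipients, values(message_subject) AS subjects BY sender | where suspicious_messages > 5`, which surfaces senders that are repeatedly mass-mailing free-mail domains rather than a single large but legitimate message.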