Alerting

Using Exchange logs, how to alert when someone emails more than 50 recipients within 1 hour?

sbattista09
Contributor

I'm trying to make an alert for when someone emails more than 50 people within a one hour time span. The issue is that I have multiple values in the recipients field per event. I am dealing with Exchange logs and I would like to just do something like where count > 50. Anyone run into this issue before?

sender recipients

User1 bla1;bla2;blah3;blah4
User1 blah4;blah9
user2 user1;blah5
user1 blah1


davidc0805
New Member

Reading your question I am kinda thinking you are more referring to emails that have multiple recipients, or say they go to distro groups. To split out the recipients you would use mvexpand recipient. Using that breaks each recipient out so it is its own event. So instead of seeing the one email with 50 recipients as one item, it will be the 50 items your threshold is looking for. I am using a query like this to do manual lookups for now; going to build it into a correlated search too so it will fire a notable event. To make it a higher fidelity rule you will want to add some exclusions. Say your company has some sort of blast broadcast email address: you would include something like src_user!=blast address, or if you know you have multiple you may want to include a lookup table for your exclusions.

email query|mvexpand recipient|stats count(recipient) as recipients by Sender, Subject | where recipients > 10


martin_mueller
SplunkTrust

Try this:

... | makemv delim=";" recipients | bin span=1h _time | stats dc(recipients) as dc by _time sender | where dc > 50
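The same pipeline (split the semicolon-delimited recipients field, bucket events into one-hour bins, count distinct recipients per sender, compare with a threshold, and drop excluded senders such as a broadcast address) expressed as a small Python function so the logic can be checked against sample events. This is an added example, not code from the thread or from Splunk; the sample events, timestamps and the case normalisation of the sender are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the shape of the thread's Exchange log excerpt
# (timestamp, sender, semicolon-delimited recipients). Not real log data.
SAMPLE_EVENTS = [
    {"_time": "2024-03-26 09:05:00", "sender": "User1", "recipients": "bla1;bla2;blah3;blah4"},
    {"_time": "2024-03-26 09:40:00", "sender": "User1", "recipients": "blah4;blah9"},
    {"_time": "2024-03-26 09:50:00", "sender": "user2", "recipients": "user1;blah5"},
    {"_time": "2024-03-26 10:10:00", "sender": "user1", "recipients": "blah1"},
]


def hour_bucket(ts: str) -> str:
    """Equivalent of `bin span=1h _time`: truncate the timestamp to the hour."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.replace(minute=0, second=0).strftime("%Y-%m-%d %H:00")


def distinct_recipients_per_hour(events, exclusions=frozenset()):
    """Mirror of `makemv delim=";" recipients | bin span=1h _time
    | stats dc(recipients) by _time sender`.
    Senders listed in `exclusions` (e.g. a broadcast address) are skipped.
    Sender and recipient are lower-cased here; note that SPL's `stats ... by sender`
    is case-sensitive, so User1 and user1 would be separate groups without lower()."""
    seen = defaultdict(set)  # (hour, sender) -> distinct recipients
    for ev in events:
        sender = ev["sender"].lower()
        if sender in exclusions:
            continue
        for rcpt in ev["recipients"].split(";"):  # makemv delim=";"
            rcpt = rcpt.strip().lower()
            if rcpt:  # ignore empty tokens from trailing delimiters
                seen[(hour_bucket(ev["_time"]), sender)].add(rcpt)
    return {key: len(rcpts) for key, rcpts in seen.items()}


def find_alerts(events, threshold=50, exclusions=frozenset()):
    """`where dc > threshold`: return sorted (hour, sender, dc) tuples over the threshold."""
    counts = distinct_recipients_per_hour(events, exclusions)
    return sorted((h, s, n) for (h, s), n in counts.items() if n > threshold)


if __name__ == "__main__":
    # With the sample data no sender reaches 50; lower the threshold to see a hit.
    print(find_alerts(SAMPLE_EVENTS, threshold=4))
```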