I'm trying to create a search to output a list of unique senders where that sender has generated a DLP log 5 times or more within a 24 hour period.
Ideally this should not count the same email more than once if the single email triggers multiple policy hits in the policy field.
What I have so far:
index=dlp eventtype=symantec_dlp_alert
| bucket span=24h _time
| stats count by _time sender
| where count > 5
| sort -count
But the output does not seem right. Any guidance would be much appreciated.
I don't have these logs in front of me but you should have some kind of unique identifier for the email (subject, mid, etc.), so let's assume your data has mid and do it like this:
index=dlp eventtype=symantec_dlp_alert
| bucket span=24h _time
| stats dc(mid) AS count BY _time sender
| search count>=5
| sort 0 -count
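As an added illustration of the answer above (not code from this thread), this Python script reproduces both statistics over a constructed set of DLP alert records: the raw per-row count from the original search versus a distinct count of message ids per sender per 24-hour bucket, with the "5 or more" threshold applied. It assumes the field names _time, sender and mid used in the answer.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Symantec DLP-style alerts (not real log data): one
# record per policy hit, so an email matching several policies appears
# several times with the same message id (mid).
def _alert(ts, sender, mid, policy):
    return {"_time": ts, "sender": sender, "mid": mid, "policy": policy}

SAMPLE_ALERTS = (
    # alice: email m1 hits three policies, plus two more emails -> 5 rows, 3 emails
    [_alert("2024-03-01T08:00:00", "alice@example.com", "m1", p) for p in ("PCI", "PII", "HIPAA")]
    + [_alert(f"2024-03-01T{h:02d}:00:00", "alice@example.com", f"m{i}", "PCI") for i, h in ((2, 9), (3, 10))]
    # bob: five different emails on the same day -> 5 rows, 5 emails
    + [_alert(f"2024-03-01T{h:02d}:00:00", "bob@example.com", f"b{h}", "PCI") for h in range(11, 16)]
    # carol: five different emails, but split across two 24h buckets (3 + 2)
    + [_alert(f"2024-03-01T{h:02d}:00:00", "carol@example.com", f"c{h}", "PII") for h in (20, 21, 22)]
    + [_alert(f"2024-03-02T{h:02d}:00:00", "carol@example.com", f"c{h}", "PII") for h in (1, 2)]
)

def bucket_24h(ts):
    """Floor a timestamp to its calendar day, like `bucket span=24h _time`."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%d")

def raw_counts(alerts):
    """Equivalent of `stats count BY _time sender`: every policy hit counts."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(bucket_24h(a["_time"]), a["sender"])] += 1
    return dict(counts)

def distinct_message_counts(alerts):
    """Equivalent of `stats dc(mid) AS count BY _time sender`: each email once."""
    mids = defaultdict(set)
    for a in alerts:
        mids[(bucket_24h(a["_time"]), a["sender"])].add(a["mid"])
    return {key: len(s) for key, s in mids.items()}

def flag_senders(alerts, threshold=5):
    """Senders with >= threshold distinct flagged emails in one 24h bucket,
    sorted by count descending (the `search count>=5 | sort 0 -count` steps)."""
    dc = distinct_message_counts(alerts)
    hits = [(day, sender, n) for (day, sender), n in dc.items() if n >= threshold]
    return sorted(hits, key=lambda row: -row[2])

if __name__ == "__main__":
    print("raw count:", raw_counts(SAMPLE_ALERTS))
    print("distinct emails:", distinct_message_counts(SAMPLE_ALERTS))
    print("flagged:", flag_senders(SAMPLE_ALERTS))
```

On this sample alice reaches 5 rows but only 3 distinct emails, so only bob is flagged; note that a strict `count > 5` would miss bob's exactly five emails.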
Try replacing stats count by _time sender with stats dc(sender) as count by _time.
The dc command gives the distinct count of values for that field.