Alerting based on Email Activity
David Hoelzer edited this page Mar 12, 2015 · 1 revision
Here is an example job that identifies users sending an unusual number of outbound emails. The more emails a user sends, the more interesting it becomes and the higher the alert level. You may notice a pattern if you compare this to many of the other custom events; in a sense, this is a recipe for creating a custom alert based on any user-activity correlation you find interesting.

```ruby
# Look back over the last hour of events.
timeframe = 1.hours.ago

# Pull every "qmgr from" event (outbound mail entering the queue) in the window.
relevant_events = Event.search("qmgr from", timeframe, 0, 10000000)

# Count outbound messages per sending user.
users = Hash.new
relevant_events.each do |event|
  eventString = event.inspect.to_s
  # Position-dependent: relies on the username being the 20th whitespace-separated
  # token of the inspected event string.
  user = eventString.split(' ')[19] # This is the username in the address
  users[user] = (users[user].nil? ? 1 : users[user] + 1)
end

# Raise an alert for anyone over the threshold; the more mail, the higher the criticality.
users.each do |k, v|
  if v > 10 then
    criticality = (v < 15 ? 1 : v < 20 ? 2 : v < 25 ? 4 : 5)
    # Re-query for just this user's events so they can be attached to the alert.
    matching_events = Event.search("qmgr from #{k}", timeframe, 0, 10000000)
    Alert.genericAlert(system_id: matching_events[0].system_id,
                       description: "#{k} sent #{v} emails in the last hour.",
                       short_description: "Suspicious user activity - Outbound email: #{k}",
                       criticality: criticality,
                       events: matching_events)
  end
end
```
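The same count-threshold-grade logic as a stand-alone script, added here as an illustration rather than taken from the wiki or the project. It does not use the `Event` or `Alert` API; instead it works on constructed Postfix `qmgr` log lines and extracts the envelope sender with a regular expression on the `from=<...>` field, which is more robust than a fixed token position and also lets it skip bounce notifications (empty sender) and queue lines that carry no sender at all. Hostnames, queue IDs and addresses in the sample are fabricated.

```ruby
# Added example, not the wiki's own job: count outbound mail per sender from
# constructed Postfix qmgr log lines and derive the same alert levels.

# Build n constructed qmgr "queue active" lines for one envelope sender.
def make_qmgr_lines(sender, n)
  Array.new(n) do |i|
    format("Mar 12 10:%02d:00 mx1 postfix/qmgr[2231]: Q%04X: from=<%s>, size=1024, nrcpt=1 (queue active)",
           i % 60, i, sender)
  end
end

# Constructed sample data (fabricated): three users over threshold, one under,
# a batch of bounces with an empty envelope sender, and a line with no from= field.
SAMPLE_EVENTS =
  make_qmgr_lines("alice@example.com", 12) +
  make_qmgr_lines("bob@example.com", 3) +
  make_qmgr_lines("carol@example.com", 22) +
  make_qmgr_lines("dave@example.com", 30) +
  make_qmgr_lines("", 14) +
  ["Mar 12 10:05:00 mx1 postfix/qmgr[2231]: Q0001: removed"]

# Envelope sender as logged by qmgr: from=<user@domain> (empty for bounces).
FROM_RE = /\bfrom=<([^>]*)>/

# Returns the sender string, "" for a bounce, or nil when the line has no from= field.
def sender_of(line)
  m = FROM_RE.match(line)
  m && m[1]
end

# Per-sender message counts; bounces and sender-less lines are not attributed to anyone.
def count_senders(lines)
  lines.each_with_object(Hash.new(0)) do |line, counts|
    sender = sender_of(line)
    next if sender.nil? || sender.empty?
    counts[sender] += 1
  end
end

# Same grading as the job above: no alert at or below 10, then 1/2/4/5 as volume rises.
def criticality_for(count)
  return nil if count <= 10
  return 1 if count < 15
  return 2 if count < 20
  return 4 if count < 25
  5
end

# One alert hash per sender over threshold, mirroring the genericAlert fields.
def build_alerts(lines, window: "the last hour")
  count_senders(lines).each_with_object([]) do |(sender, n), alerts|
    level = criticality_for(n)
    next if level.nil?
    alerts << {
      user: sender,
      count: n,
      criticality: level,
      short_description: "Suspicious user activity - Outbound email: #{sender}",
      description: "#{sender} sent #{n} emails in #{window}."
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  build_alerts(SAMPLE_EVENTS).each do |a|
    puts "[criticality #{a[:criticality]}] #{a[:description]}"
  end
end
```

Running it prints one line each for alice, carol and dave; bob stays under the threshold and the fourteen bounce lines never become a "user" because the empty sender is dropped before counting. To adapt it to the job above, replace the constructed lines with the strings returned by `Event.search` and hand each alert hash to `Alert.genericAlert`.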